Phishermen are targeting a new prey, and it could cost your organization dearly if you don’t take action.
Phishing—in which perpetrators use legitimate-looking emails and websites to gather sensitive data from individuals—has been the attack vector of choice the past two years, used in more than two-thirds of cyber attacks, according to Verizon’s 2015 Data Breach Investigations Report. But what’s changing is the target, with a shift in 2014 from consumers to employees, according to Proofpoint’s Human Factor Report 2015. Cyber thieves send bogus company emails and mimic internal websites to get employees to provide credentials for accessing company systems.
In fact, some of the biggest recent data breaches were the result of phishing scams targeting employees. Fake Apple emails lured employees at Sony Pictures to verify their Apple IDs on a bogus website. And fake internal emails lured employees at Anthem and two other major health insurers to provide logins and passwords on typosquatting sites.
While all employees are at risk, the most click-happy staffers appear to be email-overloaded middle managers, and employees in Sales, Finance and Procurement, according to the Proofpoint study. Even your infosec employees may be vulnerable, according to Intel Security. The company gave its online Email Phishing Quiz to attendees at the 2014 RSA Conference, and only 6% could detect all the real emails from the ruses.
The cost of all this bait-and-switch activity? $3.7 million a year for the average organization, according to a Ponemon Institute study. Lost productivity makes up the bulk of the cost, with each employee wasting over four hours a year while their machine is remediated, reimaged and recertified.
To prevent phishing scams from netting your employees, experts recommend a layered approach to screen out as much malicious activity as possible through these preventative techniques:
- Buy Defensive URL Registrations. Buy up variant domain names and redirect them to your actual site to prevent criminals from typosquatting. Anthem attackers used we11point.com, a variant of wellpoint (the former name of Anthem) to lure employees into giving up credentials that allowed the thieves to steal 78.4 million patient records. While 95% of the top 500 domains are victims of typosquatting, according to an Internet Society study, only 31% protect themselves by proactively registering logical variants.
- Install an Anti-phishing Email Filter. These are designed to complement leading anti-spam/anti-virus email software. Look for one that can identify phishing attacks in real-time, because the Ponemon Institute study found that the median time of a first click on phishing scams happens in less than 90 seconds.
- Install Anti-Phishing Web Software. These programs store information about known phishing scams and phishing sites, and alert users if they stumble on a potentially dangerous site. Austrian testing lab AV-Comparatives regularly tests and scores anti-phishing products, so it’s a good place to start.
- Simulate Phishing Attacks. This allows you to monitor the number of employees who take the bait. Data can be used to identify patterns, see what type of messages carry the most risk and make improvements to your overall security awareness program. You can also use the data as a learning tool, so employees know what types of attacks were most successful in getting them to hand over information.
- Train Employees. Experts recommend using humor or quirkiness to help increase retention. The main goal is to teach employees to ask themselves:
- Does the email list one URL, but the hyperlink points to another?
- Does it sound suspicious?
- Does the header information match the sender?
- Does the message ask for personal information?
- Does the email just not feel right?
The Ponemon Institute study found that security training could cut annual phishing containment costs in half—saving the average organization nearly $2 million a year.
Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.