Spam. It’s annoying but most of the more blatant attempts to sell Viagra or give away mythical Nigerian riches are pretty harmless to reasonably sophisticated individuals. Modern spam filters ensure that most of it never gets seen anyway. But some more sophisticated and malicious messages DO get through. And they are targeting you and your employees.
Known as “Phishing,” these emails trick your employees into disclosing privileged information or clicking on links that place malware on their devices. Thousands of phishing attacks are launched every day, many of them by sophisticated criminals or cyber warfare divisions of foreign governments.
This evolving security problem is not adequately addressed by existing anti-spam and anti-virus software. Potential business impacts of a phishing attack include:
- Reputation damage (if your brand is used)
- Loss of intellectual property or trade secrets
- Exposure of customer records
- Direct financial costs such as regulatory fines, legal liability, costs to compensate identity theft victims affected by the attack, and outright theft
A shocking 11% of recipients click on links in phishing emails.
Five Common Phishing Techniques
The scams aren’t always obvious. Even you, or your assistant, could fall for some of them if you’re not careful.
Here’s a brief look at five common phishing threats that often arise in enterprise settings. Each example features “Bob,” a mid-level employee in the finance department who is trying to get through his busy day and respond to hundreds of emails.
The first example is a garden-variety mass-phishing technique. The next four, however, are examples of “spear phishing,” a step up in phishing sophistication that involves researching the target through social media and other public sources to craft convincing emails that purport to be from known people… in this case “Joe,” who is Bob’s boss and easily found on the company website, LinkedIn and press releases.
- Breach of Trust – Bob gets an email from what he thinks is his bank asking him to confirm a wire transfer. The email contains a link to what looks like his bank’s website, but it is actually a “spoofed,” identical-looking copy of that site. When he gets to the page, he enters his credentials but nothing happens. Too late: Bob has just given his bank password to a cybercriminal.
- False Lottery – Bob gets an email saying he’s won a prize from a sweepstakes. Normally, Bob is too savvy to fall for this trick. However, this email comes from his boss, Joe, and references a charity that they both support. He clicks, and ends up at a bogus page that loads malware.
- Data Update – Bob gets an email from Joe telling him to take a look at a document that is attached. The document contains malware. Bob may not even realize what has happened. He looks at the document, which seems normal. The resulting malware might log his keystrokes for months, compromise the entire network, and lead to massive security breaches throughout the organization.
- Sentimental Abuse – Bob gets an email from someone claiming to be Joe’s brother-in-law. He’s suffering from cancer and has had his insurance cancelled. He asks Bob to donate to help him recover from his illness. Bob clicks on the link and is taken to a bogus charity site. The site could host malware or just steal Bob’s credit card information via a bogus “online donation”.
- Impersonation – Bob gets an email from his boss Joe, who says that he needs money wired to a known vendor as pre-payment for an emergency job. Can Bob wire them the money right away? It seems fairly routine. Bob wires the money to the account requested. The money is untraceable and never seen again.
The ever-increasing sophistication of phishing and spear-phishing emails means that if your employees are exposed to these emails, some will be ensnared.
What can be done to protect your employees?
Most enterprises attempt to mitigate the phishing risk with standard spam and web filtering tools as well as employee education. However, the increasing sophistication and prevalence of phishing attacks mandate more specific technical countermeasures. Traditional spam and malware filters are not enough.
Organizations need to layer specifically designed phishing protection onto their current email and security measures. For instance, Vade Secure’s anti-phishing filters are able to detect the above phishing and spear-phishing attacks by analyzing the linked webpages, and to quarantine suspicious emails that most spam filters would let pass.
Learn more about protecting your business from phishing threats with Vade Secure for Office 365.