What comes to mind when you think of the impacts of a phishing attack? For most MSPs, SMBs, and other frequent phishing targets, the associated cost is probably the first consequence they register.
Business email compromise (BEC) and phishing attacks cost over $1.8 billion and $54 million per year, respectively, in the US alone, according to FBI data. These are significant numbers, but the direct cost of a single phishing attack looks less frightening when we zoom in. According to Verizon, the median cost of a BEC is about $30,000. No business wants to lose $30,000, but a loss of that size does not necessarily mean an end to operations either.
In Europe, however, SMBs are not so certain. According to a survey by the European Union Agency for Cybersecurity, phishing is the most common cyberattack against SMBs, and 57 percent of SMBs say that a serious cybersecurity issue could put them out of business.
While potential monetary losses are a concern, they aren't the only consequences of a phishing attack. Security professionals who think more deeply about the consequences of a phishing attack can probably name a few other common, undesirable outcomes, such as the cost of downtime, loss of sensitive data, reputation damage, client or customer churn, and so on.
Even this broader perspective, however, is incomplete. The truth is, there are plenty of under-recognized ways that phishing attacks impact businesses. Let’s take a look at three examples that show how a phishing attack can cause more damage than may be initially apparent.
1. Phishing attacks raise the likelihood of a future attack
There are a variety of reasons why cybercriminals create phishing attacks, and not all of them are one-off scams designed to get at an individual’s bank account. Consider the fact that, according to Verizon, most data breaches (~80 percent) are conducted by organized criminals—generally, these organizations are after bigger fish than $50 in gift cards or the cash in your PayPal account. And if a phisher wants to get a bigger fish, their attacks need to be commensurately bigger in scope.
Often, a broad-spectrum phishing attack serves as a setup for a larger attack down the road. Multi-phase attacks begin with a phishing attack that gathers information or credentials, which are then used to set up a more targeted spear phishing attack that can convincingly trick a business leader into giving up highly sensitive data, such as their own credentials. A similar scenario played out at an unnamed company investigated by the SEC in 2020—in an example of a BEC attack, a spoofed executive requested 14 wire transfers totaling over $45 million over the course of several weeks.
Depending on the target and information gained, a threat actor could also install malware in a sensitive system to trigger as part of a larger attack later on. Or, they could uncover key information about the organization’s security. Even if you discover the phishing attack after the fact, the attacker could retain essential information that puts them in a better position for a larger-scale, future attack.
2. Phishing attacks increase your legal risk
It might feel like kicking someone when they’re down, but the victims of phishing attacks can suffer legal penalties as a consequence.
If, for example, a phishing attack results in ransomware being installed in your systems and you choose to pay the ransom, you may have inadvertently made yourself liable for millions of dollars in fines from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
OFAC maintains a list of Specially Designated Nationals and Blocked Persons (SDNs), which includes cybercriminal groups frequently tied to hostile states such as North Korea. U.S. entities and persons are forbidden from dealing with SDNs—and that includes paying ransoms.
But that’s not the only way that phishing raises your legal risk. For instance, MSPs can become the targets of lawsuits should their clients fall prey to a phishing scam. That’s exactly what happened to Involta, an MSP serving Boardman Molded Products, an Ohio-based company that lost $1.7 million in a phishing scam. Involta’s client sued the company, stating that Involta breached the service order by failing “to protect Boardman’s bottom line with secure, highly-available services hosted in Involta’s enterprise-class facilities.”
And, of course, any organization that handles sensitive client information is open to lawsuits should they fall prey to a breach. In 2021, healthcare provider San Diego Health discovered that nearly 500,000 patients had their health information exposed in a data breach. As a result, San Diego Health faced multiple class-action lawsuits alleging that the healthcare provider failed to protect patient data, did not implement industry-standard cybersecurity measures, and failed to train employees to help them identify and avoid phishing attempts.
3. Phishing attacks put clients, customers, and vendors at risk
Part of the reason organizations are exposed to legal action after falling victim to a phishing attack is that they've painted a target on other members of their network.
Cyberattacks against MSPs are popular because they serve as central hubs that connect attackers to a network of potential victims. MSPs are particularly attractive targets because they’re more likely to hold sensitive information on their clients that can support a cyberattack, but any organization can potentially serve as a springboard for a future attack against a different target.
After all, no business is an island. Every organization is connected to its clients, customers, vendors, and other stakeholders. Thus, a phishing attack impacts more than just your bottom line: it can also turn you into patient zero for an epidemic of cyberattacks in your network.
Situational awareness is key
MSPs, SMBs, and other organizations must maintain situational awareness if they’re to avoid these negative outcomes. Part of situational awareness is understanding all of the consequences of allowing a threat to breach your defenses—like the ones we discussed in this article.
But situational awareness also entails an understanding of your overall security posture and of the threat environment. Because Vade provides cybersecurity solutions (and especially email security solutions), we're uniquely positioned to support cybersecurity professionals' situational awareness of phishing scams. By collecting data from our technologies, we analyze the brands and URLs most frequently spoofed by phishers and release the data in our series, Phisher's Favorites.
Check out our most recent edition to ensure that your organization maintains maximum situational awareness and can avoid any consequences from a successful phishing attack—under-recognized or otherwise.