[Click to view full infographic]
Have you recently been contacted as the recipient of an unknown inheritance worth millions of dollars? Has a beautiful woman messaged you because she is interested in building a relationship? Has the Amazon order you forgot you placed finally shipped? Did you forget to pay an old invoice? Do you have a new voicemail message? Is your boss attempting to schedule a meeting with you? While the above questions stem from the outright ridiculous to the more plausible, the scary truth is that they are all examples of email phishing scams coming from today’s cybercriminals. Malicious emails are nothing new – in fact, according to Symantec’s 2018 Internet Security Threat Report, 54.6% of all email is spam. This means that over half the emails you receive every day are malicious attacks from third-party criminal organizations. Never mind trying to maintain inbox zero with those numbers, think of the security risk to your business and employees. According to the same report, the average user receives 16 spam emails per month – this means that if you have 20 employees, that’s over 3500 spam emails a year! That’s 3500 times your business is at risk of giving the wrong people access to sensitive data.
There are various different ways in which cybercriminals try to gain access to personal and sensitive data in order to make money off their victims. This includes through buying and selling product, dating and romance schemes, fake charities, investments, jobs and employment, unexpected winnings and threats or extortion. Some of the more popular scams include RansomWare and phishing scams.
A ransomware attack is a malicious attack on a person’s computer to gain access and exploit sensitive data. This type of attack is typically delivered via an email attachment that releases malware into the user’s system once it’s been opened. Another common method for distributing malware is through a website, where the malware is released into the system once a user visits the site. The malware that infects the victim’s computer encrypts data so that the victim is unable to access important and sensitive information without first paying a ransom to the attacker – however, it is never recommended to actually pay the ransom as it’s unlikely that you will get all your data back.
A phishing attack is when an unsolicited party sends you an email trying to be something they are not in order to get the receiver to share sensitive information or give access to their computer. Similar to RansomWare attacks, phishing scams start with the attacker trying to bait the victim into clicking a link, opening a document or sharing personal data. Spear phishing is a more targeted approach where the attacker uses personalization to target one or a limited number of people. Spear phishing can be much for effective for the attacker as the goal is to make the email seem like it is coming from a legitimate source, or someone the victim personally knows. Attackers continue to get cleverer in the disguises they use when sending phishing emails with the most common being in the form of a bill or invoice, accounting for 15.9% of all phishing emails. The next common disguise is an email delivery failure notification at 15.3%, legal/law enforcement messages at 13.2%, scanned documents at 11.5% and package delivery notifications at 3.9%.
How to Keep Your Business Safe
With the average cost of a phishing attack for a mid-size company coming in at $1.6 million, keeping data safe should be on the top of the priority list for all businesses. To help keep your company and employees safe from phishing scams, there are several preventative measures you can take.
First and foremost, it is important to spend the time educating employees to increase their awareness of potential threats and to provide training on security best practices. Provide employees with examples of common phishing scams and make it clear on what types of emails are safe to open. If an employee is ever unsure, have them speak with your IT team to double check whether the email is safe. Encourage employees to double check with each other if they are receiving spear phishing emails from the attacker pretending to be another employee and have a standard for sending common emails like calendar invites.
Even if you believe an email is coming from a trusted source, always double-check that the sender email is one that you recognize. Frequently, attackers will make the email seem like it is coming from a trusted source while hiding behind an unknown email address. They may also slightly modify the spelling of a well-known brand name to catch people off guard. Take the time to fully review each email and sender before clicking on any links. And once again, if you’re unsure, always double check with other people in your organization.
There are various pieces of technology that can help protect your business from phishing attacks. For example, as a Microsoft partner Blue Link provides additional services to hosted customers to help protect your business – including Office 365 security features such as two-factor authentication, extra malware protection, email encryption and more. Before you hire an outside IT team, consider speaking with your ERP software provider to learn more about the services they offer and partner discounts they have that can help keep your data safe.
Never send sensitive data like credit card information through email, encrypt data where possible, use complex passwords updating them regularly and consider using a password protection site like Last Pass. We all know managing passwords is hard, however, it doesn’t have to be. If you know that you will not be able to remember a dozen randomly generated complex passwords (and let’s be honest, no one can), consider using a protection site such as Last Pass or at least create complex passwords yourself. 123456789, QWASZX and password are not and have never been good passwords.