Phishing remains one of the most common forms of fraud, and in 2017 the schemes are nastier than ever. A phishing message is a form of impersonation: the sender poses as a person or organization they are not in order to trick the recipient into divulging credentials, clicking a link, or opening an attachment that installs a trojan. The attachment is frequently a Microsoft Office document carrying a malicious macro or an exploit for an Office vulnerability (occasionally, though not usually, a zero-day).
The costs can vary. Is it a ransomware attack? An Advanced Persistent Threat? Credential theft? Breach costs differ widely by scenario, but it boils down to this: U.S. companies have a 1 in 4 (24%) chance of incurring a mean breach cost of $2.21M in the next 24 months, and over 90% of these breaches will start as a phishing attempt. Multiplying the potential breach cost by its probability gives the expected loss, which is a good starting point for a mitigation budget: 0.24 × $2.21M is roughly $530K over the two-year window, or about $265K per year, and with more than 90% of breaches starting as phishing, roughly $240K of that annual figure is attributable to phishing. Keep in mind that the mean hides a long tail; a single large breach can cost far more than the average.
There is preventative technology that can help. Endpoint agents such as Carbon Black, CrowdStrike, and Cylance can stop the attack as the payload begins to execute, and Ironscales has automated phishing response technology that can render a phishing attack's payload ineffective.
User training is one of the most effective ways to reduce breach costs from phishing. There are many ways to spot a phishing attempt, including these:
- Display name versus <local-part@domain-name> mismatch. If the From address looks fishy, it may be
- The presence of MS Office attachments. Email is not a good way to share documents in their native, macro-capable format.
- A prompt to change or confirm credentials, especially via a link in the message. Legitimate IT departments and banks are extremely unlikely to ask for this by email.
- A threat is issued unless the requested action (e.g. clicking through) is performed. Examples are "or risk your account being locked out" or "charges will be automatically billed".
- Hovering over a link reveals a URL different from the one shown in the link text. This is a red flag.
- Grammatical errors can indicate that the message was not written by a native speaker, a common sign that the phishing attempt originates outside the U.S.
Perhaps the best single policy to follow: if you don't recognize the sender, haven't been in contact with the sender recently, or typically work with this organization outside of email, DON'T CLICK ANYTHING.
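The checklist above can be turned into a first-pass triage script. The following is an added example written for this post, not a vendor's or the author's own detection logic: it parses a raw message with Python's standard email library and reports which indicators fire. The indicator names, the regex wordlists, the "last two labels" domain comparison, and both sample messages (the lure and the benign note) are constructed for the example and are assumptions, not real traffic or a real product's rules.

```python
"""Heuristic phishing triage for a raw RFC 5322 message (added example).

Indicator names, regexes and thresholds are assumptions for illustration,
not any vendor's detection logic.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording typical of the "threat unless you act" lure; extend as needed.
URGENCY = re.compile(
    r"account (?:will|may) be (?:locked|suspended|closed)|automatically billed|within \d+ hours?",
    re.I)
# Wording typical of a credential-change prompt.
CREDENTIAL = re.compile(r"(?:change|reset|update|confirm|verify) your (?:password|credentials)", re.I)
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".rtf")


class _HtmlScan(HTMLParser):
    """Collect visible text plus (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _reg_domain(host):
    """Last two labels of a hostname. Crude; real tooling uses the public suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(text):
    """Hostname if the anchor text looks like a URL or bare domain, else ''."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host and " " not in text else ""


def analyze_message(raw: bytes) -> list:
    """Return the indicator names that fire for the message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Display name that carries an address on a different domain than the real sender.
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    sender_domain = sender.domain if sender else ""
    if sender and "@" in sender.display_name and (
            _reg_domain(sender.display_name.rpartition("@")[2]) != _reg_domain(sender_domain)):
        hits.append("display_name_mismatch")
    # Replies silently routed to a third domain.
    reply = msg["Reply-To"].addresses[0] if msg["Reply-To"] and msg["Reply-To"].addresses else None
    if reply and sender and _reg_domain(reply.domain) != _reg_domain(sender_domain):
        hits.append("reply_to_mismatch")

    # Office documents arriving as attachments.
    if any((p.get_filename() or "").lower().endswith(OFFICE_EXT) for p in msg.iter_attachments()):
        hits.append("office_attachment")

    # Body text: prefer the HTML part so anchor text and href can be compared.
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            scan.feed(content)
        else:
            scan.text.append(content)
    text = " ".join(scan.text)
    if CREDENTIAL.search(text):
        hits.append("credential_prompt")
    if URGENCY.search(text):
        hits.append("urgency_language")
    # Anchor text that names one site while the href points at another.
    for href, anchor in scan.links:
        shown = _host_of(anchor)
        if shown and _reg_domain(shown) != _reg_domain(urlparse(href).hostname or ""):
            hits.append("link_text_mismatch")
            break
    return hits


def build_sample() -> bytes:
    """Constructed lure for the example; not a real message."""
    m = EmailMessage()
    m["From"] = '"security@bigbank.example" <alerts@bigbank-secure.example>'
    m["Reply-To"] = "helpdesk@mail-relay.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Action required: verify your account"
    m.set_content("Your account will be locked within 24 hours.")
    m.add_alternative(
        "<p>Your account will be locked within 24 hours unless you "
        "<a href='http://bigbank.example.login-verify.example/x'>https://bigbank.example/login</a>"
        " and change your password.</p>", subtype="html")
    m.add_attachment(b"PK\x03\x04 not a real document", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice.docm")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary colleague message; should raise no indicators."""
    m = EmailMessage()
    m["From"] = "Alice Smith <alice@corp.example>"
    m["To"] = "bob@corp.example"
    m["Subject"] = "Lunch"
    m.set_content("Lunch at noon? The notes are on the shared drive.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample()), ("benign", build_benign())):
        print(label, analyze_message(raw) or "no indicators")
```

Each indicator maps to one bullet above, and none of them is proof on its own: a legitimate newsletter can trip the Reply-To check, and a real invoice can arrive as a .docx. The value of a script like this is in surfacing messages with several indicators for a human to look at, and in giving a security team something to tune against their own mail rather than a fixed rule set.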
Here are some phishing examples that illustrate these nasty attempts:
Phishing simulation training is often a very cost-effective anti-phishing measure for small and medium-sized enterprises, especially where budgets are constrained. It is a gamification of sorts: the corporate security administrator sends simulated lures to see how many users are susceptible, and tracks the results over time. Learning to recognize the telltale signs of phishing attempts can make all the difference in protecting your corporate value!