This is a continuation of our #CybersecurityAwarenessMonth series. You can read the first article here, and the second article here.
Phishing is one of the most insidious cybercrimes, and when successful, these attacks can have detrimental effects on an organization. Phishing attacks use publicly accessible information about people within an organization to impersonate legitimate contacts in email communications. These emails often include a link, a request for payment, or an attachment, and the message is often acted upon because the recipient believes it’s a real request. Phishing is one of the primary methods cybercriminals use to breach a network and deploy ransomware.
Recognizing Suspicious Emails
Today’s cybercriminals are more cunning, and it’s now harder than ever to recognize an email that is actually a phishing attempt. Things to watch for include:
- Accuracy of email addresses – Fraudulent addresses can be just one letter off; other times, legitimate email addresses that have been compromised can be used, asking recipients to do something – click on a shared drive folder, pay a bill, send sensitive information, provide login details – that should trigger concern.
- Language used in the email – Sometimes there are obvious grammatical issues within a message; in other instances, there can be an unusual sense of urgency. One of the easiest ways to compromise an employee is to send an email posing as a high-level leader in the business and demand urgent action. For example, an email to an accounting team from a CFO requesting immediate action on paying a debt should be reason enough for the recipient to hesitate.
- Links and attachments – Any time there’s a doubt that the link you’re being asked to click or the file you’re being asked to download is legitimate, take a moment to double-check with the sender to determine whether they really sent the email or not.
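The three warning signs above can be turned into an automated first-pass triage check. The Python script below is an added example, not code from thinkCSC or CISA; it scores a raw email against those signs (a sender domain within two edits of a trusted domain, urgency phrases in the subject or body, and links to hosts the organization does not trust) and adds one check the list implies but does not name: a Reply-To address that routes replies away from the apparent sender. The trusted domains, urgency phrases, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this organization legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "vendor.example.net"}

# Illustrative phrases that manufacture urgency; a real list would be tuned per organization.
URGENCY_PHRASES = ("immediately", "urgent", "right away", "within the hour",
                   "wire transfer", "do not discuss", "asap")

# Captures the host part of http(s) links in a plain-text body.
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (catches domains that are 'just one letter off')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (edit distance <= 2), else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(address_header):
    """Lower-cased domain of an address header value such as '"Pat" <pat@example.com>'."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def body_text(msg):
    """Plain-text content of a parsed message (text/plain parts only when multipart)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_message):
    """Return a list of (finding_code, detail) tuples; an empty list means no warning signs."""
    msg = message_from_string(raw_message)
    findings = []

    # Sign 1: sender domain that imitates one the organization trusts.
    sender_domain = domain_of(msg.get("From", ""))
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike_sender", f"{sender_domain} resembles {imitated}"))

    # Related check: replies silently redirected to a different domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_domain}"))

    # Sign 2: manufactured urgency in the subject line or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))

    # Sign 3: links pointing at hosts outside the trusted set.
    for host in URL_RE.findall(body_text(msg)):
        host = host.lower().split(":")[0]  # drop any port
        if host not in TRUSTED_DOMAINS:
            imitated = lookalike_of(host)
            detail = f"{host} resembles {imitated}" if imitated else host
            findings.append(("untrusted_link", detail))

    return findings


# Constructed sample: a CFO impersonation with a look-alike domain ("rn" standing in for "m").
SAMPLE_PHISH = """From: "Pat Lee, CFO" <cfo@exarnple.com>
Reply-To: pat.lee.cfo@mail.test
To: accounting@example.com
Subject: URGENT: overdue vendor payment

Please wire transfer $48,000 immediately to settle the Acme invoice.
Confirm via the portal: http://example-c0m.invoice-portal.test/pay
"""

# Constructed sample: an ordinary message from a trusted vendor.
SAMPLE_LEGITIMATE = """From: Dana <dana@vendor.example.net>
To: accounting@example.com
Subject: Q3 invoice attached

Hi, the Q3 invoice is attached. Net 30 as usual, no rush.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legitimate", SAMPLE_LEGITIMATE)):
        print(name, triage(sample) or "no warning signs")
```

A script like this is a screening aid for a security team or a mail gateway rule, not a replacement for the human check the list describes: a message with no findings can still be a phish, so the policy of confirming unusual requests with the sender through a separate channel still applies.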
Making Policies that Work for You, Your Employees, and Your Organization
To create a culture in which phishing has very little chance of succeeding, you must empower your employees to refuse requests that come through email if they are concerned. Provide ongoing training so that your employees are aware of the risks. Establish policies that:
- Prohibit sending money or sensitive information through email or in response to an email request
- Encourage employees to report suspicious emails; reward them, rather than punish them, for reporting any phishing attempt they may have accidentally been tricked into acting upon
- Require every person in the organization to undergo ongoing phishing training and testing
- Embrace the zero-trust mentality
- Insist on multi-factor authentication to access your network
According to the Ponemon Institute, as reported in Cybersecurity Dive, “the financial impact of phishing attacks quadrupled over the past six years, with the average cost rising to $14.8 million per year for U.S. companies in 2021, compared with $3.8 million in 2015.” With more than $6 million spent on recovery, including more than a million in ransomware payments, your efforts to thwart cybercriminals are well worth the investment.
Phishing Resources to Help You
Download the thinkCSC Email Security Guide (PDF)
Download CISA’s Phishing Tip Sheet (PDF)