According to the FBI’s 2017 Internet Crime Report, business email compromises caused more than $5 billion in losses since 2013, and reached $675 million in 2017. Many of these attacks are known as spear phishing—electronic communications scams targeting a specific individual, organization or business in hopes of gaining access to their connections or credentials.
80 to 90% of spear phishing attacks are performed by professional criminals who are more interested in installing malware on a targeted user’s computer to collect company information than they are in stealing banking or credit card info.
Millions of spear phishing attacks happen every week.
Want an example? Consider the 2012 attack on the South Carolina Department of Revenue, which resulted in the theft of 3.8 million tax returns, Social Security numbers and other private information. The department was breached by a single hacker who planted a virus that harvested login and other credentials, giving complete access to the computer system. It all started with an employee responding to a seemingly legitimate email.
South Carolina has taken measures to strengthen its security since the attack, but its Department of Revenue still sees five million attempts to gain unauthorized access every week—including 350 attempts to deliver malware onto its computers.
So, what about your computer? The good news is that most computers already sit behind network firewalls and security software that block frequent spear phishing attempts. The bad news is that hackers are becoming more advanced in their methods. They often pose as a business partner, or use just enough information about another employee, gathered from sources like social media, to build trust.
How can you prevent spear phishing at your organization?
Spear phishing messages can be tough to identify. A great first step is the Spot the Phish quiz from Sophos. However, with 40% of company data lost through employees who are unaware or less cautious on certain devices, organizations must do more.
So, how can your organization prevent future spear phishing attacks?
Here are three ways you can start:
1. Run an effective security and compliance training
Employees are frequently lulled into a false sense of security by assuming spam filters will keep the company safe. They should be trained not only on the policies and protocols to follow, but also on the basics of recognizing a scam, why strong passwords that are changed regularly are necessary, and the types of personal information they should avoid sharing with anyone.
This isn’t a one-and-done program either. It requires repetition to get employees to think before they click and to accept information only from trusted sources.
2. Test employees with simulated phishing campaigns
Sound extreme? It isn’t when you look at the statistics. Spear phishing messages often have a five-to-six times higher click-through rate than actual marketing emails, and 70% of employees fall for them. To determine what details employees provide that they shouldn’t, send simulated messages and see how they react. This immediately identifies areas where additional training is required, and that training should be followed by another simulation to gauge progress accurately.
3. Keep an active dialogue going with your team members
You can get some of your best intel from your own team members. Ask your employees what they are seeing, and what they are deleting. Encourage them to report any suspicious messages to prevent their colleagues from falling prey.
Most of our team’s clients are absolutely shocked at what manages to get through their defenses. Our experts at MicroAge have helped their biggest stakeholders see the need for teaching employees to be a human firewall.
What’s on your whiteboard for network security?
We’ll go into more detail on each step in future blogs, but we would love to know what’s on your whiteboard when it comes to network security and identity management. Contact us if we can support you with either, or comment below with questions.