Fraud Prevention: Protect your business from phishing
Phishing continues to be a pressing problem for businesses and their employees. For cybercriminals seeking to wreak havoc, phishing is cheap, effective and profitable. Verizon's 2018 Data Breach Investigations Report (DBIR) states that 76 percent of data breaches are financially motivated, the majority through phishing attacks. And according to Forbes, phishing scams cost American businesses about $500 million a year between October 2013 and December 2016.
“Unfortunately, phishing is one of the quickest and easiest ways to compromise a business,” says Jordan Martone, Assistant Vice President, Information Security Program Manager, Johnson Financial Group. “Technology defenses and security awareness training are critically important in order to avoid these damaging attacks.”
What is phishing?
Phishing combines technology with social engineering to deliver malicious code (like viruses or ransomware) or attempts to obtain usernames, passwords, account numbers and other sensitive information.
Email represents the most prevalent form of phishing, but other means of attack include:
- Vishing, or voice phishing. These involve phone calls or voicemail messages requesting the recipient call a phone number to verify or enter account information. The message is often urgent and evokes an emotional response. One example: fraudulent calls purporting to be from the IRS threatening jail or legal action.
- Smishing, or SMS (text) phishing. This is similar to vishing, only using text messaging.
- Social media links. Phishers can exploit sites such as Facebook, Twitter and LinkedIn, dropping in malicious links or phone numbers.
- Fraudulent websites. Cyberthieves can create fake websites that look like their real counterparts. “Phishers have increasingly used HTTPS domains to fool users into thinking a malicious site is safe,” Martone says. The Anti‐Phishing Working Group reports that almost 20 percent of phishing sites in 2017 were on HTTPS domains.
Elements to consider include:
Body | Is there poor spelling or grammar? Is the voice authentic? If it is supposed to be from a business or person you know, does it contain language you know the sender is unlikely to use?
Subject Line | Is the subject nonspecific, threatening, urgent or too good to be true?
Elements | Be cautious of links, attachments and login pages. If in doubt about a link or attachment, call or email the sender with an independently verified phone number or email address. Rather than click on a login page in an email, log in directly on a website using a known URL.
Elements to consider include: 1. Details. Does the address match the sender name? Is it a non-corporate or foreign email address? 2. Body. Is there poor spelling or grammar? Is the voice authentic? If it is supposed to be from a business or person you know, does it contain language you know the sender is unlikely to use? 3. Subject line. Is the subject nonspecific, threatening, urgent or too good to be true? 4. Elements. Be cautious of links, attachments and login pages. If in doubt about a link or attachment, call or email the sender with an independently verified phone number or email address. Rather than click on a login page in an email, log in directly on a website using a known URL.
How to Spot a Phishing Attempt
“Because so many phishing emails appear legitimate, it's important to examine individual elements of an email carefully,” Martone says. “Train your employees to recognize potential phishing attempts and encourage them to think critically about every communication they receive.”
Suspicious emails should be reported to your IT department immediately, however businesses without a dedicated IT department can forward phishing emails to the Federal Trade Commission (FTC) at email@example.com and file a report at FTC.gov/complaint. You also may want to report phishing emails to the Anti‐Phishing Working Group at firstname.lastname@example.org.
Are you at risk?
“Some organizations believe they aren't vulnerable to phishing because they are so small,” Martone says. “However, research shows that hacking groups around the world often use a smaller business as a training ground to practice phishing before attacking a larger organization. Plus, scammers sometimes infiltrate a smaller organization – perhaps a vendor of a large company – in an attempt to attack the larger group.” That means every business, no matter the size, needs to develop a robust security protocol to help identify phishing attacks and avoid compromising the business.
Other Steps to Prevent Fraud
In addition to critically examining email elements, consider implementing the following to secure your business and employees from fraud:
- Use email spam filters and firewalls.
- Conduct security awareness training for all employees along with simulated phishing tests that provide immediate feedback.
- Consider partnering with a vendor that offers phishing simulations and web‐based training and education. “There are also free resources, such as the FBI and Federal Trade Commission (FTC), on how to deal with phishing,” Martone adds.
- Keep software and anti‐virus programs up‐to‐date, and make sure all security patches are installed.
- Make reporting a suspicious email as simple as possible. If you don't have an IT department with a reporting procedure, talk to your IT partner or internet service provider to see if they offer security services.
- Implement regular and secure back‐up and recovery processes so you can retrieve uncorrupted information and continue running your business, even if a breach occurs.
Your First Line of Defense
The best way to protect your business from phishing is to ensure you and your employees know what to look for. “Despite your best efforts, people make mistakes,” adds Martone. “The DBIR reports that 4 percent of targets will click on any given phishing email campaign. So be sure you have a good IT response team and plan in place to quickly address issues and keep damage to a minimum.”