Not long ago, popular cyber-security investigator Brian Krebs noted that, for the first time ever, he’d heard about an employer firing people for falling prey to phishing scams. Social engineering attacks in the form of phishing — malicious email designed to mimic reputable companies or contacts and trick people into revealing sensitive information — are a growing scourge. While firing the victims of such scams may seem draconian, obvious evidence abounds for why an organization might resort to such drastic measures:
- Researchers at an enterprise email-security organization reported that they’d analyzed 31,429 malicious emails over six months, and 23,195 of them were phishing attacks designed to steal credentials.
- Since April, over 100,000 targets — primarily employees of global banks and financial institutions — have come under attack by a phishing campaign that uses a high-value billing receipt to purloin credentials.
- The computer systems of 22 Texas towns were infiltrated in August, only the latest in a series of U.S. municipal government data network breaches. The most common form of infiltration is through infected emails.
- In March, a single employee at a California-based vendor to multiple state healthcare organizations (including the Los Angeles County Department of Health Services) fell victim to a phishing attack that exposed the data of 14,500 patients. In the same month, several employees at Washington-based Wise Health System also succumbed to phishing attacks, revealing data on 35,899 patients.
The list could go on and on. Business Email Compromise (BEC) and Email Account Compromise (EAC) accounted for losses of $1.2 billion in 2018, according to the FBI, via intrusions “frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering.”
What it’s like out there
The use of deception to extract valuable information is a swindle as old as time, but the digital world has exponentially increased its effectiveness, as well as its scale and cost.
Exposure to phishing isn’t limited to enterprise infiltration. Recent Amazon, Netflix and American Express phishing attacks targeted general consumers and featured images and fraudulent website redirects that were virtually indistinguishable from the legitimate websites.
Only a fool would dare to play on an actual freeway, but playing on the information superhighway now accounts for “on average 6 hours and 42 minutes” of a person’s day. There’s plenty of cybercrime beyond phishing, but with around three billion fake emails sent every day, no one is safe from an onslaught of digital traffic that may not kill you, but can certainly destroy your finances and easily kill a business.
What you can do about it
Determining the consequences for employees who fall for phishing scams and put employers at risk shouldn’t be the first priority in dealing with the problem. Commenters on the aforementioned Krebs report wondered whether the employer’s IT security team should bear responsibility for letting the offending email reach its targets. Ostensibly, you could also blame the CIO, or the business software provider, or the ISP, or even Ray Tomlinson or Sir Tim Berners-Lee. But the real fault lies squarely on the criminals behind the attacks, and they don’t care who gets blamed or fired for their misdeeds.
The best that businesses can do to protect themselves is to meet the problem with education, training, and the technology available.
Cybersecurity organizations like SANS offer education and continually updated resources, and any number of reputable vendors provide enterprise phishing training and simulation services to equip employees with greater security awareness.
There are numerous security hygiene tips that anyone with an email account should know by heart:
- Typos and odd sentence structure are red flags.
- Be wary of urgent or surprise requests even if the sender seems to be a known contact.
- Never download or open any attachments from suspicious senders.
- Do not reply to suspicious email.
- Do not trust any messages asking for sensitive information including passwords, account information, or answers to common password reset questions.
- Do not click on any links in suspicious email.
- There is no Nigerian prince, and the IRS never initiates contact via email.
Education and training are imperative, but even these aren’t enough. The phishing scourge continues to grow because the technologies that enable it continue to evolve, as do the techniques of the criminals exploiting that technology. The only reasonable response is to adapt security posture in kind — but that’s just not being done at the scale necessary.
For example, TechRepublic recently reported that the seven-year-old industry-standard Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication policy and reporting protocol for protecting against fraudulent email was still absent in nearly 80% of company domains.
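A missing DMARC record is only the most obvious gap; a record published with `p=none` or a low `pct` still lets spoofed mail through. The following checker, added here as an example and not part of the article or any vendor's tooling, parses a domain's DMARC TXT record and grades its posture. The sample records and domain names are constructed for illustration; in practice the record is read from the `_dmarc.<domain>` TXT entry in DNS.

```python
import re

# Constructed sample records, as an administrator would find them at
# _dmarc.<domain>. None of these domains or records are real.
SAMPLE_RECORDS = {
    "no-dmarc.example": None,                                   # record absent
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                         "rua=mailto:agg@enforcing.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",        # only 25% enforced
    "malformed.example": "v=DMARC1 p=reject",                   # missing ';' separator
}

def parse_dmarc(record):
    """Split a DMARC record into tag=value pairs; return {} if it is not valid DMARC1."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"([A-Za-z]+)\s*=\s*(.*)", part)
        if not m:
            return {}          # an unparseable pair makes the whole record unusable
        tags[m.group(1).lower()] = m.group(2).strip()
    # RFC 7489 requires the version tag to be exactly DMARC1
    return tags if tags.get("v") == "DMARC1" else {}

def assess_dmarc(record):
    """Grade a record from the defender's side:
    'missing', 'malformed', 'monitor-only', 'partial' or 'enforcing'."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "malformed"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"   # reports are generated, but spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "malformed"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        return "malformed"
    return "enforcing" if pct == 100 else "partial"

def assess_all(records):
    """Map each domain to its DMARC grade."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}
```

Only the `enforcing` grade actually stops a receiver from delivering mail that fails alignment; the other four are the states a phishing campaign can exploit.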
There’s no such thing as 100% cyber security protection, and there may be no way to ensure employees never fall for phishing scams. But companies can and should better utilize available and adaptable tools and technologies to tip the odds in their favor.