Cybersecurity Awareness: Stay Off the Phishing Hook

This is a continuation of our #CybersecurityAwarenessMonth series. You can read the first article here, and the second article here.

Phishing is one of the most insidious cybercrimes. And when successful, these attacks can result in detrimental effects on an organization. Phishing attacks use accessible information about people within an organization to appear as legitimate contacts in email communications. These emails often include a link, a request for payment, or an attachment; the email message is often acted upon because the recipient believes it’s a real request. Phishing is one of the primary methods used by cybercriminals to breach a network and deploy ransomware.

Recognizing Suspicious Emails

Today’s cyber criminals are more cunning, and it’s now harder than ever to recognize an email that is actually a phishing attempt. Things to watch for include:

Accuracy of email addresses – Fraudulent addresses can be just one letter off; other times, legitimate email addresses that have been hacked can be used, asking recipients to do something – click on a shared drive folder, pay a bill, send sensitive information, provide login details – that should trigger concern.
Language used in the email – Sometimes there are obvious grammatical issues within a message; in other instances, there can be an unusual sense of urgency. One of the easiest ways to compromise an employee is to send an email posing as a high-level leader in the business and demand urgent action. For example, an email to an accounting team from a CFO requesting immediate action on paying a debt should be reason enough for the recipient to hesitate.
Links and attachments – Any time there’s a doubt that the link you’re being asked to click or the file you’re being asked to download is legitimate, take a moment to double-check with the sender to determine whether they really sent the email or not.

Making Policies that Work for You, Your Employees, and Your Organization

To create a culture in which phishing has very little chance of succeeding, you must empower your employees to refuse requests that come through email if they are concerned. Provide ongoing training so that your employees are aware of the risks. Establish policies that:

Prohibit sending money or sensitive information through email or in response to an email request
Encourage employees to report suspicious emails; reward them, rather than punish them, for reporting any phishing attempt they may have accidentally been tricked into acting upon
Require training for every person in the organization to undergo ongoing phishing training and testing
Embrace the zero-trust mentality
Insist on multi-factor authentication to access your network

According to the Ponemon Institute, as reported in Cybersecurity Dive, “the financial impact of phishing attacks quadrupled over the past six years, with the average cost rising to $14.8 million per year for U.S. companies in 2021, compared with $3.8 million in 2015.” With more than $6 million spent on recovery, including more than a million in ransomware payments, your efforts to thwart cybercriminals are well worth the effort.