
Businesses are aware of the need to strengthen cybersecurity. What your company may not know, however, is the sheer magnitude of cybercrime today.
According to the Anti-Phishing Working Group, the first quarter of 2022 saw over 1 million phishing attacks. The same report notes a 7% increase in credential-theft phishing aimed at enterprise users, which accounted for almost 59% of all malicious emails. Not only have the number and frequency of phishing attacks increased; the techniques attackers use have also become more advanced.
What can you do to protect your company from phishing scams?
Let’s look at how to identify phishing attacks, what you can do to protect your business from these scams, the benefits of partnering with a cybersecurity firm and how to choose one that’s right for you.
Phishing scams have grown steadily more pervasive, sophisticated and costly since they first appeared.
An email phishing campaign tricks the victims into revealing sensitive information, opening attachments with malware, or visiting malicious websites by creating a sense of trust, fear, curiosity or urgency.
Bad actors use social engineering techniques to persuade unsuspecting employees to believe that the phishing email originates from a trusted source, such as a colleague, supervisor, banking institution, government agency, etc.
Phishing examples include emails disguised as communication from an online service or social media account alerting the victim of a policy violation or an event that requires immediate action, like resetting passwords or verifying login credentials.
Phishing has become more sophisticated than ever as scammers use the latest technologies and psychological manipulation techniques to prey on their victims.
For instance, bad actors host phishing pages on HTTPS sites because many people treat the padlock icon as proof that a site is trustworthy. In reality, HTTPS only guarantees an encrypted connection to the domain shown in the address bar, and certificates are free and automated to obtain, so a look-alike domain displays the same padlock as the real one. Attackers also mine the large volumes of data they steal from mailboxes, increasingly with machine-learning tooling, to analyze user behavior and design more convincing lures.
The financial costs of these breaches are even more concerning. The Ponemon Institute found that companies lost an average of $14.8 million to phishing in 2021, and direct losses are only part of the picture.
The global shift to remote work and the rapid adoption of cloud-based enterprise technologies are among the main drivers of the surge in phishing scams. The problem is exacerbated by many companies’ failure to implement the security measures appropriate to these environments.
Phishing scams exploit human errors, making them especially hard to thwart. As bad actors look to exploit organizations, new types of phishing with different techniques continue to emerge. Here’s a look at the most common types of phishing attacks.
Whale phishing
Whale phishing (also called whaling) targets high-ranking corporate executives, CEOs and other critical employees, because their credentials can unlock valuable data or authorize fraudulent money transfers to attacker-controlled accounts. Phishers can also steal sensitive employee information, sell it on the dark web or use it for identity theft. This technique can cause extensive damage to an organization’s reputation and financial health.

Business email compromise (BEC phishing)
Attackers typically use BEC scams against accounting or finance personnel to trick them into moving money from corporate accounts into accounts the attackers control. The criminals often start by compromising finance employees’ mailboxes and monitoring their activity to learn the organization’s processes and payment procedures. Then they send a spoofed email impersonating a top executive, either by forging the From address outright or by using a look-alike domain or a free-mail account with the executive’s name as the display name, directing the recipient to wire money. Publishing and enforcing SPF, DKIM and DMARC for your own domain stops the outright forgeries but not the display-name and look-alike variants, so any change to payment or bank details still needs verification over a channel the email did not supply.

Clone phishing
In a clone phishing campaign, bad actors take a legitimate email the victim has already received, replace its attachments or URLs with malicious ones and send it again, with a line explaining why the victim is getting the same message twice. The fake email is crafted to look like it comes from the original sender. Criminals may also set up a spoofed website to trick victims into entering their credentials or downloading malware.

Vishing (voice phishing)
In a voice phishing scam, cybercriminals may impersonate staff of a financial institution and call victims to ask for account information, PINs or other credentials. They may also call employees posing as a vendor, supplier or partner to extract sensitive information or to get a fake invoice approved. Caller ID is easily spoofed, so a familiar number on the display is not evidence that the call is genuine.

Smishing (text phishing)
This technique uses text messages that appear to come from a trusted sender to get the recipient to hand over money or exploitable information. Smishing is on the rise as people increasingly use SMS as a primary communication channel. Messages may be disguised as Amazon loyalty program rewards notices, FedEx shipment correspondence or United States Postal Service updates, with links to fake sites designed to steal payment card information and personal data.

Angler phishing (social media targeting)
Criminals target your customers who use social media for customer support. They create fake accounts, hijack conversations and trick your customers into sharing their credentials. Some scammers even create fake business profiles to send instant messages, tweets, posts and links to cloned websites, where they trick victims into downloading malware or entering their sensitive information.

Pharming
Pharming uses DNS hijacking, DNS spoofing and DNS cache-poisoning techniques to change the IP address that resolves for a legitimate domain name, either by compromising a DNS server or resolver or by tampering with the victim’s local DNS settings or hosts file. Users who type the correct address are silently redirected to an attacker-controlled site that harvests their information. Compared with email phishing, pharming is harder for a user to detect, because the address bar shows the expected domain, and it is designed to capture many users in one fell swoop. DNSSEC (where the domain is signed and the resolver validates) defeats forged DNS answers, and a certificate warning on a site that normally loads cleanly over HTTPS is a strong sign of pharming, which is one reason users should never click through such warnings.

Spear phishing
Spear phishing is highly personalized to target a specific individual. For example, it might address your employees by name or mention details about their recent professional activities. Hackers spend time acquiring and analyzing data from multiple sources and use the information to craft spear phishing emails. These typically include the target’s name, phone number, position, company address and other details to make the message appear genuine. Because spear phishing is so pervasive, we’ll delve deeper into some examples.
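To make the BEC and whaling entries above concrete, here is an added example (not from the original page or from Warren Averett) of the header checks a mail gateway rule or an analyst’s triage script can run on an incoming message. It uses only the Python standard library. The internal domain (example.com), the executive directory and the three sample messages are constructed assumptions; the Authentication-Results header is the one an inbound mail server adds after evaluating SPF, DKIM and DMARC. The first sample shows the case DMARC cannot catch: a genuine free-mail account whose display name is the CEO’s.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Assumption: directory of executives worth impersonating, mapping a
# lower-cased display name to the only address they legitimately send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|wire|confidential|asap)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> List[str]:
    """Return BEC indicator codes found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. Display-name impersonation: the name is an executive's, the address is not.
    #    SPF/DKIM/DMARC all pass here because the sending domain (gmail.com) is genuine.
    norm_name = " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in norm_name and addr.lower() != exec_addr:
            findings.append("display-name-impersonation")
            break

    # 2. Reply-To steers replies to a different domain than the visible sender.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Header From claims our own domain but DMARC did not pass: a direct forgery.
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"dmarc=(\w+)", auth)
    if from_dom == INTERNAL_DOMAIN and (m is None or m.group(1).lower() != "pass"):
        findings.append("dmarc-not-pass-for-internal-domain")

    # 4. Payment and urgency language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency-language")
    return findings


# Constructed samples (not real messages).
# (a) Free-mail account with the CEO's name as display name; authentication passes.
SAMPLE_DISPLAY_NAME = b"""From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts.payable@example.com
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

Please process the attached wire today. I am in a meeting, do not call.
"""

# (b) Forged internal From address; DMARC fails and replies go to an outside mailbox.
SAMPLE_FORGED_FROM = b"""From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts.payable@example.com
Subject: Payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Update the beneficiary on invoice 1042 before you pay it.
"""

# (c) Genuine internal message.
SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 planning notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Notes from this morning are in the shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("display-name", SAMPLE_DISPLAY_NAME),
                          ("forged-from", SAMPLE_FORGED_FROM),
                          ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Sample (a) triggers only the display-name and urgency indicators, sample (b) triggers the Reply-To and DMARC indicators, and sample (c) triggers nothing. The point for finance teams is that the first message is fully authenticated and would sail through a DMARC-only control; the name match against a directory and the out-of-band callback are what stop it.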
Understanding the nuances between spear phishing and phishing can help you better identify these attacks and educate your employees to avoid falling for these schemes.
Phishing is the fraudulent practice of attempting to steal a user’s data, identity, credentials or financial information. It tricks a victim into opening a fraudulent online message and taking certain actions so attackers can steal their data.
Spear phishing vs. phishing: tactics
Spear phishing attacks are more sophisticated than regular phishing. They leverage social engineering techniques to target specific individuals who possess high-value information or access. As such, these scams can be more damaging to your company.

Spear phishing vs. phishing: targets
Traditional phishing doesn’t target specific individuals but casts a wide net to reach as many potential victims as possible. Spear phishing targets specific people within a particular organization with personalized messages.

Spear phishing vs. phishing: attack methods
Phishing messages are generic and applicable to most people (e.g., resetting a password on a popular website). Before setting a spear phishing trap, by contrast, a hacker collects data about the victim from the internet, social media and the dark web to craft a specific and believable message.

Spear phishing vs. phishing: red flags
Grammatical errors, confusing information and awkward language make many traditional phishing emails easier to identify. The mostly accurate and convincing detail in spear phishing emails makes them much harder to spot.
Understanding the cybercrime landscape is the first step to educating your employees and protecting your business. Here are six things you should know about phishing:
Phishers reportedly avoid the 9 a.m. to 1 p.m. window, when employees are alert and focused, and prefer to send malicious emails between 2 p.m. and 6 p.m., when the mid-afternoon slump kicks in and employees become less cautious. Treat this as a tendency rather than a rule: automated campaigns run around the clock.
As cybercriminals deploy increasingly sophisticated phishing techniques, it’s more challenging for the average employee to differentiate legitimate messages from phishing ones. Unfortunately, many companies lack the resources and technical knowledge required to educate staff members and implement the appropriate measures to minimize risk exposure.
More phishing attacks now target healthcare organizations. An analysis of HIPAA breach reports found that 314,063,186 healthcare records were exposed or stolen between 2009 and 2021. These data-rich records are valuable to criminals, who can exploit the information for medical identity theft, billing fraud and purchasing prescription drugs for resale.
Deepfake voice phishing is a more sophisticated vishing method that uses AI and deep-learning models to clone a human voice and target specific, high-profile victims. It is often used by criminals who already understand a corporation’s inner workings. They may pose as an executive or a superior and order employees to transfer money into attacker-controlled accounts, as in the reported $35 million bank heist in Hong Kong.
Pop-up phishing remains an insidious and effective phishing channel. Cybercriminals place malicious code or fake login forms in pop-up boxes, or abuse the browser’s notification feature: once a user clicks Allow, the site can push notifications that look like system alerts and lead to malware downloads or credential-harvesting pages.
Cybercriminals create spoof websites to impersonate authentic ones and send phishing emails to get victims to visit the sites. The fake websites aim to trick employees into giving up your business’s bank account credentials, credit card numbers and other sensitive information.
As you can see, malicious actors have more than a few tricks up their sleeves, so spotting phishing emails is difficult. Let’s examine email elements that provide additional clues.
Most phishing attempts have the same common denominators, even if criminals use different techniques or mediums. Let’s examine some red flags.
Time is of the essence when it comes to preventing a phishing attack. The wrong move can mean the difference between maintaining your business’s reputation and becoming the victim of a data breach.
Yet, many people overestimate their ability to distinguish phishing emails from genuine ones. Meanwhile, many phishing scams use social engineering techniques to trigger people to act, exploiting emotions such as fear, sympathy and altruism.
So, what is a common indicator of a phishing attempt?
If you’re wondering how to identify a phishing email, know that most phishing emails have at least one of these elements:
Cybercriminals register fake email domains that resemble those of real organizations. For example, by substituting the letters “r” and “n” for the letter “m,” they can make a fake domain look like a legitimate one (e.g., customersupport@walrnart.com). Alternatively, they may include a portion of a legitimate organization’s name in a fake domain (e.g., support@microsoftsupport.com), or register an internationalized domain name containing non-Latin characters that look identical to Latin ones. Compare the domain after the @ sign character by character with the one you expect, and remember that the display name before the address proves nothing, since the sender chooses it freely.
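As an added example (not part of the original page or of Warren Averett’s tooling), the following Python script applies the checks described above to sender addresses and URLs. It normalizes a domain into a “skeleton” that folds common substitutions such as rn for m and a few Cyrillic look-alike letters, then compares it with an assumed allow-list of trusted domains and brand names, and finally catches single-character typosquats with an edit-distance check. The allow-list, brand list and sample inputs are constructed for illustration; a production version would resolve the registrable domain with the Public Suffix List and use a full Unicode confusables table rather than the short maps here.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for the example: domains the organisation trusts and brand
# tokens that attackers like to embed in look-alike registrations.
TRUSTED = {"walmart.com", "microsoft.com", "example.com"}
BRANDS = {"walmart", "microsoft", "paypal"}

# ASCII character runs that read like another letter in common fonts.
SUBSTITUTIONS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}
# A deliberately small subset of Unicode confusables (Cyrillic -> Latin).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y"}


def extract_host(value: str) -> str:
    """Host part of an email address, URL or bare domain, IDNA-decoded."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = value
    host = host.strip().lower().rstrip(".")
    try:  # turn punycode labels (xn--...) back into the characters users see
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; nothing to decode
    return host


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (use the Public Suffix List in production)."""
    return ".".join(host.split(".")[-2:])


def skeleton(text: str) -> str:
    """Collapse visually similar sequences so 'walrnart' compares equal to 'walmart'."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(CONFUSABLES.get(c, c) for c in text if not unicodedata.combining(c))
    for src, dst in SUBSTITUTIONS.items():
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for an address, URL or domain."""
    host = extract_host(value)
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    label = skeleton(domain.split(".")[0])
    trusted_labels = {skeleton(t.split(".")[0]) for t in TRUSTED}
    if label in trusted_labels:                      # walrnart.com, micros0ft.com, example.org
        return "lookalike"
    if any(b in skeleton(host) for b in BRANDS):     # microsoftsupport.com, microsoft.com.evil-login.net
        return "lookalike"
    if any(edit_distance(label, t) == 1 for t in trusted_labels if len(t) >= 6):
        return "lookalike"                           # microsft.com
    return "unrelated"


if __name__ == "__main__":
    for sample in ("customersupport@walrnart.com", "support@microsoftsupport.com",
                   "https://login.microsoft.com/", "https://microsoft.com.evil-login.net/x",
                   "micros0ft.com", "microsft.com", "p\u0430ypal.com", "bob@acme-widgets.net"):
        print(f"{sample:45} {classify(sample)}")
```

Skeleton matching trades precision for recall: a legitimate domain whose name happens to contain “rn” will collide with its “m” twin, which is why the allow-list is checked first and why a mail filter should quarantine rather than delete on a look-alike hit.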
Beware of subject lines that generically reference online services or social media and attempt to trigger a sense of urgency or fear.
Phishing emails sent with the following subject lines get the most clicks in the U.S.:
Meanwhile, the most common subject lines used in phishing emails globally are:
If an email contains spelling and grammatical inconsistencies alongside other red flags, it’s most likely a phishing attempt. One caveat: today’s phishers are less prone to these mistakes, so the absence of poor grammar doesn’t mean you’re in the clear.
Phishers may disguise themselves as a vendor, a well-known business or a government institution and accompany the phishing email with a plausible-looking invoice to trick employees into transferring money. When in doubt, contact the organization directly to confirm the legitimacy of the request.
Less sophisticated phishing emails often start with a generic greeting, such as Hi, Hello, Dear Customer, and Hi User. Today, most legitimate companies personalize their emails, so consider generic greetings in today’s cyberspace a red flag.
Malicious actors often use emotionally charged language to pressure targets into acting. The fear prevents victims from reading phishing messages closely to verify their legitimacy. The scams often use phrases such as “click now” or “expires in X hours” to increase urgency and tap into people’s fear of missing out.
Look out for emails that only include an attachment without additional information in the message body. These attached files are often vehicles for hiding content from email security solutions and distributing malware. As a general practice, never open an unsolicited email attachment.
Reputable organizations don’t ask for personal data or sensitive credentials via email. Any email that appears to come from a supervisor, manager or colleague requesting sensitive information — especially phrased in urgent language — could be a phishing attempt.
Run through this simple 3-step checklist recommended by the Federal Trade Commission (FTC) before responding to an email request:
Look up the organization’s website or phone number yourself, rather than using contact details in the message, to make sure you’re dealing with a legitimate company instead of a scammer.
Sometimes just talking to a colleague can help you make a better judgment call. For example, they may receive the same phony request or notice something you overlooked.
Call the vendor, colleague or client who appears as the sender to see if they made the request. Use a number you know to be correct, not the number in the email or text.
Understanding how to identify phishing attempts is only the first step—you’ll also want to make sure you have developed a phishing prevention strategy.
Phishing is one of the most common and financially dangerous online crimes. Savvy organizations stay ahead by implementing phishing prevention solutions and following the latest best practices.

Here’s how small and medium-sized businesses can protect their data and employees from phishing and spear phishing.
Effective phishing prevention starts with employee education. Implement a rigorous user education program to help your staff identify fraudulent emails and handle suspicious messages. Cultivate awareness and send recurring reminders to keep phishing prevention top-of-mind. Employee education is one of the most effective anti-phishing controls, provided it is backed by technical controls.
Public Wi-Fi networks are often open or shared, which lets an attacker on the same network, or one running a rogue hotspot with a familiar name, observe traffic, tamper with captive portals and intercept any connection that is not protected by TLS. Modern email and web services encrypt traffic in transit, so the larger risk today is being lured to a fake login page on the way onto the network. Employees who must work on the road should use a mobile hotspot or the company VPN, and treat any certificate warning on a public network as a stop sign.
Pop-ups and overlays (often injected through an iframe) can capture what you type or redirect you to a fraudulent domain. Hover your cursor over a link to preview the real destination before clicking, and check that the domain shown is exactly the one you expect, not a look-alike or a long URL that merely contains the expected name somewhere. Also, never enter personal or sensitive information on an unfamiliar website.
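The hover-and-check advice above can be automated for HTML email. The following added example (not from the original page or from Warren Averett) parses the anchors in a constructed HTML body with Python’s standard-library HTMLParser and flags what a careful user would notice when hovering: visible text that is itself a URL whose host differs from the real href, an IP-literal host, a URL with user-info before the @ sign (so the part a reader sees is not the host the browser visits), and javascript: or data: schemes. The sample HTML and every domain in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://|www\.)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased host of a URL; bare 'www.x.com' is treated as http://www.x.com."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def suspicious_links(html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (href, text, reasons) for each anchor that shows a phishing indicator."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        lowered = href.strip().lower()
        if lowered.startswith(("javascript:", "data:")):
            reasons.append("script-or-data-scheme")
        else:
            real_host = host_of(href)
            # The text the user reads is a URL, but the link points somewhere else.
            if LOOKS_LIKE_URL.match(text) and host_of(text) != real_host:
                reasons.append("text-href-host-mismatch")
            if IPV4.match(real_host):
                reasons.append("ip-literal-host")
            # https://trusted.example@evil.example/ : the browser ignores everything before '@'.
            if "@" in urlsplit(href if "://" in href else "http://" + href).netloc:
                reasons.append("userinfo-in-url")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body; 192.0.2.10 is a documentation address, not a real host.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Sign in to free up space:
<a href="https://account-verify.example.net/login">https://outlook.office.com/</a></p>
<p><a href="http://192.0.2.10/reset">Reset password</a></p>
<p><a href="https://www.microsoft.com@evil.example.net/">Microsoft support</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
<p><a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{', '.join(reasons):28} {text!r:40} -> {href}")
```

The last anchor in the sample, whose text and href agree, produces no finding; the other four each trip exactly one indicator. A gateway can feed the same function the HTML part of every inbound message and attach the reasons as a banner for the recipient.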
Use anti-phishing technology to support phishing attack prevention best practices. Partner with an IT provider who can help you assess your current infrastructure, determine security needs and implement the appropriate technology and processes. These include multifactor authentication, antivirus software, cloud-based security, data safeguards and backup best practices.
Multifactor authentication (MFA) requires something beyond the password, such as a one-time code from an authenticator app, a hardware security key or a push approval; two-factor authentication (2FA) is the common case of exactly one extra factor.
Multifactor authentication is one of the simplest and most cost-effective cybersecurity improvements available, but not all factors resist phishing equally. SMS and email codes and push prompts can be relayed or “fatigued” by an attacker who proxies the login page in real time, whereas FIDO2/WebAuthn security keys and passkeys bind the credential to the genuine site’s origin and cannot be replayed to a look-alike domain. Prefer phishing-resistant factors for email, finance and administrative accounts.
A Virtual Private Network (VPN) allows you to encrypt your network traffic to enhance protection and ensure privacy. It adds an extra layer of protection, especially when employees are working remotely and sharing sensitive company information.
Spear phishing uses social engineering techniques to collect information about victims, including their login credentials, and stolen credentials are then tried wherever they might work. A strong password policy limits the damage: require long, unique passwords (a password manager makes this practical), screen new passwords against known-breached lists, and don’t let employees reuse old passwords with a few numbers added or changed at the end. Current NIST guidance (SP 800-63B) favors length and breach screening over mandatory periodic expiration and complexity rules, which tend to produce predictable variations; reset passwords when there is evidence of compromise rather than on a calendar.
Your cybersecurity policy should also outline email security measures, a business continuity plan, remote access guidelines, a data breach response protocol and a disciplinary action plan.
Encryption protects the confidentiality of your files if they are stolen, while file backup and recovery best practices keep business-critical information from being lost and ensure business continuity after a breach. Ransomware operators deliberately look for backups reachable over the network, encrypted or not, and destroy them before encrypting production systems, so keep backup copies that are offline or immutable and segregated from the rest of your systems, and test restoring from them.
Security software is critical in protecting against spear phishing. Configure your systems to install patches and updates automatically for all operating systems, applications and firmware, so that a malicious attachment or link cannot exploit a known vulnerability.
Global weekly cyberattacks are skyrocketing. It’s more important than ever to implement anti-phishing solutions and strategies. Most experts agree that anti-phishing software is the best place to start.
An anti-phishing tool can be cloud-based or on-premises. It comprises multiple components that identify suspicious content or data in websites, emails, pop-ups and more. Anti-phishing software can integrate with your web browser (as an extension or toolbar) and/or your email system to filter out fraudulent websites and phishing links while protecting your network against malware, spoofing, spam and other phishing techniques.
Anti-phishing software scans for malicious links and possible malware downloads. It can then block suspicious files, discard malicious emails and divert unwanted spam into a separate folder. Such phishing prevention software warns users and keeps unwanted content from reaching your employees’ devices.
Absolutely! An ounce of prevention is worth a pound of cure. Anti-phishing software helps to fend off an attack before it happens — which is much more effective than trying to recover from one.
Phishing emails are the most common delivery method for ransomware, which can wreak havoc on businesses of any size. According to MIT Technology Review, ransomware attacks cost businesses $7.5 billion in the U.S. in 2019.
Anti-phishing tools can block the fraudulent emails hackers use for spear phishing, including messages that disguise the real sender address (which SPF, DKIM and DMARC checks at the gateway are designed to expose) and those that deliver ransomware to hijack a victim’s data or a company’s systems and extort money for their return. Phishing protection software can also protect businesses from other forms of data breaches.
Today’s businesses mix and match diverse and complex cloud-based software solutions. So how do you find the best anti-phishing software to meet your needs?
Partnering with trusted IT professionals is the best way to help you make the right selection. Also, invest in additional data security tools such as antivirus software, firewalls and data encryption to cover your bases. Even with the most trusted tools, there are a few key practices to put in place that provide extra protection.
Companies that enact best practices and use appropriate tools can mitigate risks. Still, it’s important to understand that your greatest risks come from your employees. Let’s take a closer look at how to strengthen security awareness training.

Typical phishing emails target hundreds or even thousands of people at once, and it takes only one employee to click on one malicious link to compromise your systems and data.
Social engineering is at the core of phishing scams, and your data security is only as strong as the weakest link, which is often the human factor. Your employees are the first and last line of defense against cyberattacks, so empowering them to do the right thing through anti-phishing training is one of the most cost-effective strategies to protect your data.
But how are your employees supposed to know the difference between a normal email and a phishing email? You need anti-phishing training for employees.
The more your business becomes dependent on technology, the more critical proper employee training on phishing awareness is. Antivirus software and other technical solutions can only block so much — it’s often up to employees to recognize malicious emails that sneak through. Rallying your troops and building a security-first culture are the best phishing protection you can get.
A well-orchestrated program should include the following components:
Even the most technically savvy employees may let their guard down, so don’t forget about the basics. Explain the “why” of the security training program to get everyone on board. When employees understand the concept and objectives behind your security policy, the training is more likely to sink in.
Make your phishing training engaging and relatable by using real-world examples to illustrate how phishing works and what fraudulent email messages may look like.

Hackers are constantly evolving their phishing toolkits, so you must keep your security awareness training current to help employees recognize the latest techniques. Besides comprehensive onboarding and annual training, send regular communications to update employees on the latest best practices and keep security top of mind.
Test your phishing training regularly to ensure its effectiveness. Third-party solutions like KnowBe4 and IRONSCALES help you send simulation emails to employees using real-world techniques hackers would use. But instead of downloading malware when employees click on the links, the software will direct them to phishing training videos.
Companies should provide periodic phishing awareness training and regular reminders to keep employees on top of ever-changing techniques and threats they may encounter from real-life phishing emails.
It’s not just your average employee who must understand these principles. In many ways, your C-suite executives may be at greatest risk. After all, they hold the key to high-value data.
CEO fraud phishing is a spear phishing technique that specifically targets and manipulates executives. While your C-suite should be keenly aware of these techniques, your entire team should be as well.
In CEO fraud phishing, scammers impersonate C-suite executives to gain access to a company’s network and/or sensitive information. Bad actors may also send fraudulent emails to employees that appear to be from an executive to trick them into changing bill pay information to transfer money into their bank accounts.
Phishers use social engineering techniques to collect information from online sources such as LinkedIn to determine a company’s employee network. Then, they leverage behavioral and psychological triggers to prey on employees’ tendency to act on requests from superiors without questioning them.
Deepfakes use artificial intelligence to impersonate the likeness of a person in a video or other form of digital media. Scammers can use this technique to create fake videos of executives for their phishing scams.
CEO fraud phishing can result in major financial losses. In 2021, this technique led to $2.4 billion in losses to U.S. businesses, accounting for one-third of the year’s total cybercrime costs.
Design a rigorous user education program that helps your staff identify fraudulent emails and provides specific guidance to handle suspected phishing messages. Also, conduct simulated phishing attempts and send recurring reminders to help employees stay vigilant.
Despite a business’s best efforts, it is still possible to fall prey to a phishing scam. In order to reduce the fallout, it’s prudent to consider how you would deal with a breach and create a response plan.

Many phishing links are so sophisticated that they mimic an official notification, making it hard to discern if you’ve clicked a phishing link. If you do have an employee that falls victim, your company can mitigate the consequences by following a few steps. Let’s examine what to do afterward to fix the problem.

It can be overwhelming to consider what happens if you click on a phishing link. But these steps can help.
First, don’t panic. Check for red flags and telltale signs discussed above to see if the email is indeed malicious. Then, determine if the hacker might have stolen your data, installed malware or accessed your network.
Disconnect the device from the internet and all other networks to keep any malware from spreading to other systems. Then run a malware scan, remove anything it finds and reset every password that may have been entered or stored on the device, starting with email. Changing a password does not end sessions an attacker already holds, so also sign out of all active sessions and revoke OAuth tokens and app passwords for the affected account, and enable MFA if it was not already on.
Make sure employees know how to report a suspected phishing message, or a click on a bad link, to your IT or security team, so that the company can take the appropriate actions quickly.
Inform every employee about the phishing attempt, especially if the scammer impersonated someone within your company. If the sender disguised themselves as your customers or vendors, let them know so they can alert their staff and partners. This can prevent them from falling for the same scam.
With a timely well-planned response, your company can help to reduce the effects of falling victim to a phishing scam. Why is this so important? The cost of a phishing attack extends far beyond financial ramifications—let’s explore what happens in the aftermath of a cyberattack.
Companies must spend a substantial amount of time, human resources and technical expertise to respond, resolve, report and remediate the aftermath of a cyberattack.
Besides stolen funds, you must consider the financial impact of ransomware payments, breach response costs and lost employee productivity. You may also incur indirect expenses associated with investigations, notifications, regulatory fines, prolonged downtime, PR campaigns, legal counsel, loss of business and more.
After a phishing scam, businesses must divert time and resources to determine the extent of the attack, conduct forensic investigations, organize an incident response, initiate business continuity plans and execute public relations procedures. They also need to send notifications to affected individuals, interface with regulatory agencies and fend off potential lawsuits.
The resources required for phishing attack remediation inevitably impact employee productivity. In fact, organizations with an average of 9,567 employees lost 65,343 hours of productive work hours per year to phishing scams. The 2021 Cost of Phishing Study found that the loss of productive hours cost organizations $3.2 million in 2021.
Reputational damage is one of the most impactful and potentially irreparable costs of a phishing attack. It can impact a company’s value while causing a shift in market sentiment and investor confidence. A Verizon research study found that organizations experience a 5% drop in stock price within six months of a breach.
Damage to your reputation can also result in loss of business and brand affinity. Potential customers are less likely to trust and buy from companies that have suffered from a phishing attack or data breach.
Payouts for ransomware, BEC/wire transfer fraud, malware, credential harvesting and legal action created direct loss ratios ranging from 73% to 114.1% for insurers. A record of phishing attacks can result in a rise in cyber liability insurance premiums, sometimes making it impossible for a business to get coverage at a reasonable cost.
While the costs of a phishing attack are significant, you can take steps to mitigate the negative impacts of a catastrophe.
Implementing an incident response protocol after a security breach helps safeguard your systems and network and stops the attack in its tracks to limit further damage. Your company should have a written response plan that outlines procedures for attack identification, containment and remediation.
An independent forensics team can help you identify the scope and source of a cybersecurity breach. Although you should isolate affected systems, networks and endpoints from the network after a successful phishing scam, don’t power them off until the forensic team arrives: shutting down destroys volatile evidence in memory (running processes, network connections, decryption keys) that investigators need to reconstruct the attack.
The investigators will analyze preserved data and review system logs to determine who had access to sensitive data, verify information compromised, understand the extent of the breach, restrict access to your network if necessary, and prepare forensic reports with remedial measures.
As you can see, responding to phishing is complex. That’s why many companies enlist additional help to make sure their cybersecurity program is up to the challenge.

Protecting against phishing is increasingly challenging in the face of ever more sophisticated phishing threats. Most in-house IT teams don’t have the expertise and resources to cover all the bases. A reputable cybersecurity consulting firm can help you mitigate cybersecurity threats and protect against phishing scams.
Most internal IT teams are already stretched thin, trying to keep up with the latest shifts in the technological landscape. It’s also hard to get the right expertise and sufficient resources to stay current with security updates and stringent data privacy laws. Working with a cybersecurity firm can help you navigate the complex security landscape in these ways:
With so many things to consider, it’s helpful to understand how to evaluate a cybersecurity firm. Begin with an inquiry about the services they offer to see how well aligned their approach is with your business needs.
There are many benefits to strengthening your phishing defense by working with a cybersecurity firm. But how do you choose one that’s right for your business?
The best cybersecurity firms use phishing defense strategies that encompass people, processes and technology. Your managed service provider (MSP) or managed security services provider (MSSP) should have the capabilities to help you implement the following best practices to protect against phishing.
Your cybersecurity firm should conduct a thorough vulnerability test to understand your security posture and identify top security concerns to help you prioritize remediation actions.
Partner with a firm that can help you implement the appropriate hardware and software to protect your infrastructure against cyberattacks. These include firewalls, intrusion detection systems (IDS), identity and access management (IAM) technologies, phishing detection and response software, etc.
You must implement rigorous internal processes and procedures based on a recognized framework (e.g., the NIST SP 800 series, SOC 2) and relevant industry regulations (e.g., PCI DSS, HIPAA) to prevent attacks and ensure compliance.
Your cybersecurity firm should perform an authorized simulated attack on your organization’s IT infrastructure to understand how far a threat actor could penetrate your current security measures and what data they can access.
Evaluate external parties in your ecosystem and supply chain with access to your systems, processes and customer data. The insights can help you make informed decisions when selecting vendors, suppliers, partners and contractors.
A phishing simulation test demonstrates how your employees respond to social engineering schemes. Your MSSP can show you how to prevent spear phishing and phishing attacks based on the results.
An email usage policy can strengthen your phishing defense and minimize the risks of data breaches. Choose an MSSP that can help you craft or update your guidelines and implement the right technologies to enforce the policy.
Your cybersecurity firm should help you implement an employee training program and provide phishing consultation. Besides onboarding and annual training events, it should educate employees about governance procedures, regulatory demands and industry trends to build a security-first company culture.
As more companies adopt cloud platforms, your cybersecurity firm must also cover cloud security to protect all critical data. For example, it should help you configure access management, secure API connections, implement MFA and ensure all data is encrypted at rest, in use and in transit.
Choose an MSSP with experience implementing comprehensive backup and recovery plans to help you ensure business continuity and stay operational even if a breach occurs.
Your MSSP should continuously monitor threats and activities on your network. It should also have a well-defined escalation process to address all alerts and notifications promptly.

Cybersecurity and phishing prevention require specialized knowledge and expertise in today’s complex digital business environment.
Partnering with a reputable cybersecurity consulting firm can help ensure that your business runs smoothly and avoid the high cost of phishing attacks.
Warren Averett Technology Group offers a variety of IT services including compliance and assessments, cybersecurity, IT remediation services, business software, system infrastructure, IT staffing and technical support to cover all your bases.
Let us help you improve your company’s cybersecurity and protect against phishing. Get a free consultation to access tailored advice based on your company’s situation and see how you can minimize your organization’s vulnerabilities.