Cybercriminals have small to medium-sized businesses in their crosshairs, and they are using phishing emails to lure them in. The reality is, any organization with sensitive data can be a target for cybercriminals. They have learned to precisely craft their phishing emails to trick spam filters and fool unsuspecting victims into clicking. Once this happens, the cybercriminals have the green light to proceed with their scam. Learn about the types of phishing emails used today and steps your organization can take to reduce the risk of phishing attacks.
Verizon's Data Breach Investigations Report states that email phishing is the number one cause of data breaches and that 43% of cyberattacks are targeted at small to medium-sized businesses (SMBs). The frequency of attacks is on the rise, and huge losses are being realized across all types of organizations. Here is a look at the different types of phishing emails that are common in the workplace, how they can be used in a cyberattack, and the cybersecurity best practices that reduce your risk.
What's the difference between spam, phishing, and spear-phishing emails?
- Spam: These are unsolicited emails, typically trying to sell you something (legitimate or not), which may also contain links to ransomware or other malware. Mostly they are considered an annoyance.
- Phishing: Targeted at a wide range of recipients ("Click Here to Get Free Pizza"), these emails are specifically crafted to get you to click, to harvest your login credentials, or to deliver a malware payload.
- Spear-phishing: Has the same criminal objective as a phishing email, but it is specifically designed to get your attention. The email may look as if it came from someone you know or an organization you do business with. It might contain information that you believe only you and your friends would know about, such as the vacation you took to Aruba where you uploaded your photos to Facebook. The criminal's goal is to have you drop your guard and respond.
Another type of email attack to be aware of is Business Email Compromise (BEC), also known as a whaling attack. This attack happens when a cybercriminal spoofs a business leader's email account to send legitimate-appearing emails to staff or business partners. These highly targeted, sophisticated emails are meant to trick the recipient into thinking the message comes from a trusted source. The cybercriminal's goal is usually financial. For example, they will send a request to the finance department to make an urgent payment. They also use whaling attacks to send malware in the hope of reaching your sensitive data and systems.
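The spoofing pattern described above leaves traces in the mail headers that a mail gateway or help desk can check. As an added example (not code from the original article), the following Python script flags three warning signs of an executive impersonation: a known leader's display name paired with a different address, a sender domain that is not the organization's own, and a Reply-To that quietly redirects replies elsewhere. The organization domain, the executive list, and the sample message are all constructed for illustration.

```python
# Added example, not part of the original article: header checks for the
# Business Email Compromise pattern (a leader's name on an outside mailbox).
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the organisation's own domain and the
# display names of its leaders mapped to their real mailboxes.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def check_bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC-style warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    warnings = []

    # 1. Display name matches a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        warnings.append(f"display name '{from_name}' does not match {expected}")

    # 2. Claims to be a leader, but the sending domain is external or a lookalike.
    if expected and from_domain != INTERNAL_DOMAIN:
        warnings.append(f"sender domain '{from_domain}' is not {INTERNAL_DOMAIN}")

    # 3. Reply-To sends any answer to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    return warnings


# Constructed sample: an urgent-payment request using the CEO's name from a
# lookalike domain, with replies redirected to yet another mailbox.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe.ceo@example.net>
Reply-To: Jane Doe <accounts-urgent@example.org>
To: finance@example.com
Subject: Urgent wire transfer needed today

Please process the attached invoice before 3pm. I am in meetings all day.
"""

if __name__ == "__main__":
    for warning in check_bec_indicators(SAMPLE_SPOOF):
        print("WARNING:", warning)
```

A message from the executive's real mailbox with no Reply-To produces an empty list, so the check can sit in front of the finance team's inbox as a banner or quarantine rule.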
How can your organization reduce phishing attack risks?
- Ensure all members of the organization get annual security awareness training. This training will help them understand what phishing emails are and how to protect themselves and your organization from them.
- Investigate whether your spam filter has multiple methods for scanning and verifying the reputation of inbound emails.
- Consider implementing an additional layer of security to rescan external email links after users click them.
- Ensure your files are backed up securely, and, importantly, your backup process is working. No business wants to hear their backups are over a month old.
- Review your Business Continuity Plan annually and test it. A well-developed plan will help reduce the chaos during any business crisis.
Cybercrime is lucrative, and phishing emails are one of the cybercriminals' favorite tactics. To reduce your risk of a phishing attack, implement tools that help protect against known phishing attacks and remind your staff to be vigilant when reviewing emails. To educate them on how to spot and avoid phishing emails, implement Security Awareness Training, and keep the cybercriminals out of your business.
For more information, get in touch with your Account Manager or connect with Systems Engineering at 888.624.6737 or email@example.com.