How to prevent phishing when everyone's a target

In March 2020, the FBI's cybercrime division issued a warning to the public about a surge in phishing scams. "Bad actors" were using the weight of COVID-19 to lure people into emotional responses. A year later, these tactics are still going strong. As recently as March 2021, the FBI and CISA issued new warnings concerning email phishing scams used to spread Trickbot malware. Although phishing attempts occur in voice (vishing) and text (smishing), email phishing remains the most prevalent. Let's dig into what makes it work and how you can help prevent phishing attacks. 

Why email phishing works

Phishing emails are precisely designed to mimic legitimate emails, even using real business names. You may think you can spot the difference, but in a rush to complete tasks and clear your inbox, it's easy to make a mistake. The consistent element of the phishing method is a link that, at a glance, seems appropriate. However, clicking it launches a website that instantly installs malware, ransomware, or other malicious software and attempts to compromise your system through hidden background processes. The software allows its author to target personal and business information through data extraction, keyboard logging, and more.

Here's an email phishing example from within a week of this post:

A member of the California State Controller's Office, a team responsible for over $100 billion in public funds, clicked on a malicious link and unknowingly shared credentials. This one mistake opened the door for at least 24 hours—long enough for the bad guys to steal Social Security numbers and employee records. They then spawned more than 9,000 subsequent phishing emails.   


How to reduce your phishing attack surface

If it can happen to the security-conscious staff at the State of California, it can happen to anyone, so take steps now to prevent phishing. Adopt a proactive approach with emphasis on employee awareness. Keeping security at the forefront of employees' minds is key to protection. We also recommend monthly touchpoints to communicate trends and reinforce best practices.

We also advise our customers to engage multiple tools that layer their security stance, such as:  

  • Advanced anti-virus software that coordinates directly with DNS protection software
  • A security database that monitors communications worldwide and evaluates at-risk sites by geolocation and other means  
  • Machine learning/AI software that evaluates threats based on behavior to help protect against zero-day attacks 
  • SIEM software that analyzes security alerts generated by applications and network hardware  

According to Tessian, 75% of organizations worldwide experienced phishing attacks in 2020, and 96% arrived through email. Ensure your business remains cyber-safe with the right mix of tools and education to prevent email phishing. 

Need help building a solid defense? Reach out anytime to learn more about ERP Suites' range of IT security services.