Tricked by Phishing Emails?

Category: Blog, Security  |  Monday, August 7th, 2017

It’s easy to get tricked by phishing emails. Not long ago I received a LinkedIn invite from my boss. I didn’t even think twice; I just clicked. Of course I thought plenty about that little click after the skull and crossbones popped up on my screen.

How do you know if an email is a legitimate request or an alluring hook, socially engineered to lure you in? Review any number of “global threat reports” within the IT security industry and phishing is a dominant threat to businesses today.

Internet Crime

According to the Anti-Phishing Working Group (APWG), in their recent Global Phishing Survey, “Trends and Domain Name Use 2016/2017,” phishing has become a growth industry. The survey gives a snapshot of the backbone of the phisher’s ecosystem and the domains to which they send their unsuspecting victims.

The survey stresses that: “Phishing activity in early 2016 was the highest ever recorded by the APWG since it began monitoring in 2004. Phishing activity in the fourth quarter of 2016 was higher than any period in 2015. The total number of phishing attacks in 2016 was 1,220,523. This was a 65 percent increase over 2015.”

The Federal Bureau of Investigation also published their 2017 Internet Crime Report, which showed an increase in both the number of complaints they received (298,728) and the losses attributed to those complaints ($1,450.7M).

The FBI noted that phishing (which includes voice, SMS, etc.) accounted for 19,465 reported incidents in 2016, resulting in $31,679,451 in losses to the victims. The report notes the correlation between phishing and spear-phishing emails that “are sent to end users, resulting in the rapid encryption of sensitive files on a corporate network.”

When Dtex Systems interviewed their customer base and published the findings in the “Insider Threat Intelligence Report 2017,” they noted the correlation between personal email use at work and the susceptibility of an organization to phishing attacks. For example, an insider clicked on a link in a phishing email. The user accessed the malicious email via their webmail account while on the corporate network, and, as a result, the entire organization was put at risk.

Your Business and Phishing

So what sites are the most vulnerable to phishing? The APWG suggests that new businesses or applications are often targeted. Their effort goes into keeping the doors open during a period of rapid growth, so their guard is down, and because they are not expected to be focused on security basics, they are more susceptible to having their domain hacked and used to support phishing campaigns.

The 2017 IXIA Security Report states that the top phishing targets are Facebook, Adobe, Yahoo, and AOL. The report goes on to attribute 20 percent of all attacks involving these sites to phishing.

The DBIR describes phishing via email as “the most prevalent variety of social attacks.” A whopping 7.3 percent of all users were successfully phished at some point. And surprisingly, “in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time. 3% of all unique users clicked more than twice, and finally less than 1% clicked more than three times.”

The NTT Security 2017 Global Threat Intelligence Report called out phishing as a “business challenge.” The authors note that over 60 percent of the NTT Security incident response engagements were to “help organizations manage phishing attacks.” They also noted the “strong correlation between phishing and ransomware attacks in healthcare and retail.”

What can you do?

First, understand that your business, your employees and you are all a target. As the APWG notes, “If a site takes in personal data, then there may be phishers who want to exploit it.”

Your number one defense against phishing is training your staff to pause and think before clicking. Over time, with proper security training, your odds of falling victim will be reduced.

Always have a plan in place to cover the worst-case scenario: the day user training and education fail and a malware execution, ransomware attack, or data breach occurs.

EnhancedTECH provides employee training on how to recognize phishing emails and can provide a comprehensive security solution. If your business needs assistance please give us a call for a complimentary consultation at 714-970-9330.
Source Image: https://www.pexels.com/photo/email-blocks-on-gray-surface-1591062/