"Spear Phishing", a practice where the scam is deliberately targeting top level executives, is becoming a real problem. [shutterstock: 581432749, wk1003mike]
Phishing scams, a type of cyber attack that targets users through fraudulent emails, began in 1996. Over 20 years later, it's still a hugely popular (and successful) tactic to steal company data. Here's how to make sure your executive team knows what to expect and how to react.
This article was first published on the Virtual Forge Blog.
In 1993, AOL launched their famous personal email accounts. Yahoo!, Google, and a host of smaller ESPs quickly followed suit. And then, a few years later in 1995, the first email phishing scam was recorded.
For as long as people have used personal and work emails, there have been phishing scams. And while cybersecurity attacks have gotten frighteningly advanced as of late, there tried and true email phishing scams is still alive and well – and still hugely successful across nearly all industries and corporate titles.
In fact, phishing scams work so well that they’re consistently targeted towards enterprise executives in order to gain access to the most valuable information and company data.
You’d think that these days most people would be aware of how phishing attacks work and would be hesitant to click on suspicious email links or even share sensitive data with unverified sources. But you’d be wrong. 2016 saw more phishing attacks than any other prior year. In just the first quarter of 2016, phishing scams jumped a shocking 250% over the previous quarter. If that’s not a cause for concern, we don’t know what is.
(…) even more disturbing is how many top-level executives are falling for sophisticated enterprise phishing scams, called “spear phishing”.
Possibly even more disturbing is how many top-level executives are falling for sophisticated enterprise phishing scams, called “spear phishing”. Because spear phishing is so simple to pull off (all you really need is a URL and some design and copy skills), there were over 450,000 of these types of cyber attacks targeted towards executives in 2013. And the worst part? They ended up costing enterprise organizations over $5.9 billion in damages.
So how do you make sure that your executive team understands how to spot a spear phishing scam? It’s not easy, but here are a few tips that the IT department can implement to cut down on phishing scams:
Constantly Update Email Spam Filters. It’s an incredibly simple solution, but one that can get overlooked. Make sure that the spam filters also target blank senders, along with the standard filter categories, such as the sender’s technical specs, the email content, and any attachments.
Encrypt All Company Information. One of the best ways to protect against phishing scams is to encrypt ALL company data being sent through email. Yes, it’s more cumbersome for employees sending and receiving emails. But, it can guard well against unauthorized data making its way to a malicious source.
Educate Employees and Executives to Identify Phishing Scams. This is one of the most difficult tactics to implement, but it’s a necessity given that most phishing scams succeed because of human error. Since many spear phishing attacks are incredibly sophisticated and elaborate (with some attempts going as far as setting up fake – but incredibly authentic looking – websites to misdirect users), it’s never been more important to help enterprise employees understand what a phishing attack looks like and what they need to be aware of. One of the best ways to do this is to set up sample phishing emails that can walk employees through how a potential phishing attack might looks and what it might ask them to do (submit login credentials; share company reports; etc.).
Create a Process for Employees to Report Phishing Scams. Ultimately, putting all of these precautions in place is going to be difficult unless you have a process to manage incoming phishing threats. Make sure that identifying and reporting phishing attacks is part of your enterprise’s IT plan, and make sure that every company employee, from entry-level to executive, understands what steps need to be taken once a phishing email or attack is identified. Making it simple to report will make it much easier for the IT department to manage.