Don’t Bite the Hook! You’re the Fish for Phishing!
So, you receive an email or text that looks like it's from someone you know. Your boss? Your company’s service provider? Your bank? They're asking you to click a link to update your account information because there’s some suspicious activity with your account. It seems urgent and, in a panic, you click the link, only to find out that you’ve just been hooked.
“Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information -- such as credit card numbers, bank information, or passwords -- on websites that pretend to be legitimate” (Microsoft). These attacks can happen anywhere, anytime, and anyone can be a victim. If you don’t believe it, check these facts out:
“In 2021, 83% of organizations reported experiencing phishing attacks”
“Thirty percent of phishing emails are opened.”
“Roughly 90% of data breaches occur on account of phishing”
-Cybertalk.org
Thinking in terms of cause and effect, phishing is the effect; the cause is credential compromise, such as an email address or password exposed by clicking a malicious link or visiting a fake website. In fact, according to Chuck Brooks of Forbes Magazine, in “71 percent of companies, Credential compromise is the main route in [company networks] primarily because of simple passwords being used, including for accounts used for system administration” (Forbes.com).
Although phishing can happen anywhere, it is remote workers that appear to be the primary target since organizations have transitioned to remote or hybrid work as a result of the pandemic. “The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices” (Tessian). This is because remote workers tend to use their personal devices and accounts and are working from unprotected, untrusted IP addresses. Henry Trevelyan Thomas, Tessian’s VP of Customer Success, says that “Personal accounts are easier to compromise as they almost always have fewer security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account” (Tessian).
How to Protect Your Business from an Attack
The best defense against phishing attacks is a good offense. Some ways you can prepare your business and employees for an attack are:
Backups
Secure files in case of deletion, corruption, or theft. This can be in the cloud, or on an external hard drive.
Zero Trust Policy
For remote workers, employ a Zero Trust policy that does not allow employees to use personal devices or accounts for work unless they are used from a trusted or secure IP address.
2 Factor Authentication
Secondly, require passwords and two-factor authentication for all devices and network areas with sensitive information, especially for remote workers.
Training
Lastly, the best kind of prevention is education. Enroll your employees in an email security program designed to educate and test their knowledge. Our program will train employees on identifying potential threats by simulating email threats, analyzing user behavior, and educating them to mitigate the compromise risk of your organization.
Our customers receive Security Awareness training annually free of charge as a part of ICAP (Infotect Consulting and Assistance Program). If you are not a part of our managed services program, you can purchase Security Awareness Training and Email Threat Simulation directly on our website.