Phishing is the primary method for distributing malware, viruses, and ransomware, and for conducting Business Email Compromise (BEC) attacks. Depending on whose research you read (and considering many phishing attacks are unreported), the average cost of a successful phishing attack can be anything from three million to ten million dollars for a large company.
The difficulty in defending against phishing attacks is that phishing emails are designed to appeal to employees' senses of fear, sympathy, curiosity, or greed. Different employees are susceptible to different emotions and, due to most phishing emails demanding urgent action, the consequences of an acted-upon phishing email usually manifest quickly - making it difficult to mitigate their effect.
The Two Main Types of Phishing Email
The two main types of phishing email are scatter phishing and spear phishing - scatter phishing being when the same scam emails are distributed widely, whereas spear phishing emails are targeted at one specific individual. Of the two types, scatter phishing is easier to detect because multiple employees are unlikely to have the same triggers that make them susceptible to phishing and - hopefully - an employee will report the phishing attack to the company's IT Security Team.
The second type - spear phishing - is harder to detect because phishing emails are sent individually and crafted to appeal to an employee's specific emotional triggers. This is often achieved through “social engineering” - the practice of researching an individual through their social media accounts or other publicly-available data to guesstimate how they will respond to fear, sympathy, curiosity, or greed. The consequences of either type of phishing attack can be devastating, but they can also be mitigated.
Mitigating the Consequences of a Phishing Attack
Based on the above descriptions of phishing emails, there are four possible scenarios:
- A scatter email is detected and reported to IT.
- A scatter email is opened, acted upon, and then reported to IT.
- A spear phishing email is detected and reported to IT.
- A spear phishing email is opened, acted upon, and then reported to IT.
Regardless of whether an email has been opened and acted upon or not, it is important for all employees to be made aware quickly that the company is being targeted by cybercriminals. If a scatter email has evaded detection by network security defenses, employees need to know who it purports to come from so they can quarantine it as soon as it arrives in their inboxes. If one has been opened and acted upon in error, fast action could prevent the consequences being exacerbated.
If a cybercriminal has taken control of an employee's email account - either through scatter phishing or spear phishing - this information needs to be shared immediately to prevent other employees opening emails from the compromised account. The compromised account should also be taken offline in order to prevent emails from a supposed “trusted sender” being delivered to third party businesses - which could then cause reputational damage if “trusted” emails are opened and acted upon.
The Fastest Way to Alert Employees to a Phishing Attack
The fastest way to alert employees to a phishing attack is through mass SMS texting. An alert sent simultaneously to every employee's mobile device will undoubtedly attract attention - even if individual employees have their mobile devices switched to silent - and will result in employees taking notice of the alert's warning. The text should not only advise employees to quarantine the phishing emails that have been detected, but also warn them about opening any emails and acting upon them.
Sometimes covering all the information necessary in one SMS text is difficult due to the number of characters allowed in a single text alert. Therefore, a more suitable solution is a mass notification platform that can be used to send character-limited alerts to employees via SMS text and more detailed information via email. This would also prompt employees to review their inboxes in order to identify further suspicious emails that should be reported to the company's IT Security Team.
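The split described above, a short SMS that names the purported sender and tells people what to do, plus a fuller email with the indicators and reporting steps, can be enforced in code so an alert never goes out truncated. The following is an added example written for this article, not code from the original post or from any notification product. It assumes a single GSM-7 SMS segment of 160 septets, that the platform accepts separate SMS and email bodies (sending itself is left out), and the sender, subject, indicator text and reporting mailbox are constructed sample values.

```python
"""Compose a phishing alert as a short SMS plus a detailed email.

Added example (not code from the original article). Assumes one GSM-7
SMS segment of 160 septets and a notification platform that accepts
separate SMS and email bodies; actual sending is not implemented.
"""
from dataclasses import dataclass

SMS_LIMIT = 160  # one GSM-7 segment; assumption for this example
# GSM-7 "extended" characters are escaped on the wire and cost two septets.
_GSM_EXTENDED = set("^{}\\[~]|\u20ac")


def sms_length(text: str) -> int:
    """Count septets the way a GSM-7 encoder would (extended chars count twice)."""
    return sum(2 if ch in _GSM_EXTENDED else 1 for ch in text)


@dataclass
class PhishingAlert:
    purported_sender: str  # display name/address the phishing email claims to be from
    subject: str           # subject line of the phishing email
    indicators: str        # what marks it as phishing, for the email body
    report_to: str         # mailbox employees should forward suspects to


def build_sms(alert: PhishingAlert) -> str:
    """Return a one-segment SMS: who the email claims to be from and what to do.

    If sender and subject do not both fit, the subject is dropped first so the
    instruction always survives; a sender that still does not fit raises rather
    than silently truncating the warning.
    """
    instruction = "Do not open or click; delete it. Details by email."
    full = (f"SECURITY ALERT: phishing email from '{alert.purported_sender}' "
            f"subject '{alert.subject}'. {instruction}")
    if sms_length(full) <= SMS_LIMIT:
        return full
    short = f"SECURITY ALERT: phishing email from '{alert.purported_sender}'. {instruction}"
    if sms_length(short) <= SMS_LIMIT:
        return short
    raise ValueError("purported sender too long for a single SMS segment")


def build_email(alert: PhishingAlert) -> dict:
    """Return the detailed follow-up email as {'subject': ..., 'body': ...}."""
    body = "\n".join([
        "A phishing email is circulating that has evaded our mail filters.",
        "",
        f"Purported sender: {alert.purported_sender}",
        f"Subject line:     {alert.subject}",
        f"Indicators:       {alert.indicators}",
        "",
        "What to do:",
        f"1. Do not open it. Forward it unopened to {alert.report_to}, then delete it.",
        "2. If you already opened it or clicked a link, tell IT Security now;",
        "   fast action limits the damage.",
        "3. Review your inbox for similar messages and report those too.",
    ])
    return {"subject": f"[Security alert] Phishing email: {alert.subject}", "body": body}


def compose_alert(alert: PhishingAlert) -> dict:
    """Bundle the SMS text and the email for a mass notification platform."""
    return {"sms": build_sms(alert), "email": build_email(alert)}


if __name__ == "__main__":
    # Constructed sample values; the sender echoes the article's poll example.
    demo = PhishingAlert(
        purported_sender="ABC Enterprises <billing@abc-enterprises.example>",
        subject="Your Account Subscription",
        indicators="link points to a lookalike domain; demands payment within 24h",
        report_to="phishing@company.example",
    )
    msgs = compose_alert(demo)
    print(f"SMS ({sms_length(msgs['sms'])} septets): {msgs['sms']}")
    print(msgs["email"]["body"])
```

With the long sender above, the sender and subject together overrun one segment, so the SMS drops the subject and keeps the instruction; with a short display name such as "ABC Enterprises" both fit. Counting septets rather than characters matters because a single "€" or "[" in a sender name can push a 160-character text into a second segment.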
Using Mass Notification to Conduct Phishing Simulation Exercises
One of the best ways to defend networks against phishing emails is to condition employees against phishing via simulation exercises. In these exercises, employees are sent fake phishing emails to see whether they are detected or not. The fake emails are then followed up by an alert poll to find out who detected the emails were fake and how they reacted to them. A typical Q&A alert poll might consist of the following options for employees to select an answer:
Q: Did you receive an email entitled “Your Account Subscription” from ABC Enterprises?
A2: Yes, and it didn't apply to me so I deleted it.
A3: Yes, and I thought it was a scam so I quarantined it.
A4: Yes, I opened it and then reported it.
A5: Yes, I opened it and clicked on the link but nothing happened.
The feedback from this type of phishing simulation exercise will give companies a better understanding of which employees are susceptible to phishing emails and how they are likely to react to them. The exercise should be repeated at irregular intervals to test employees' susceptibility to different emotional triggers, as one exercise alone may not prove to be effective. Once the feedback from several exercises has been analyzed, companies will be able to address areas where they are most at risk from phishing.
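Turning the poll feedback into the per-employee and per-exercise view the paragraph above describes is a small tallying job. The following is an added example written for this article, not the article's own tooling or any simulation product. The answer codes follow the sample poll above (A2 to A5; A1 is not shown on the page), and the response rows are constructed, not real data; "repeat clicker" is this example's own term for someone who clicked in more than one exercise.

```python
"""Tally phishing-simulation poll answers across repeated exercises.

Added example (not from the original article). Answer codes follow the
article's sample poll (A2..A5; A1 is not shown there). The RESPONSES rows
are constructed sample data.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Response = Tuple[str, str, str]  # (exercise_id, employee_id, answer_code)

CLICKED = "A5"   # opened and clicked the link
REPORTED = "A4"  # opened and then reported it
LABELS = {
    "A2": "deleted, not reported",
    "A3": "thought it was a scam, quarantined",
    "A4": "opened, then reported",
    "A5": "opened and clicked the link",
}

# Constructed sample: two exercises, four employees.
RESPONSES: List[Response] = [
    ("ex1", "alice", "A3"), ("ex1", "bob", "A5"),
    ("ex1", "carol", "A2"), ("ex1", "dave", "A4"),
    ("ex2", "alice", "A4"), ("ex2", "bob", "A5"),
    ("ex2", "carol", "A5"), ("ex2", "dave", "A3"),
]


def answers_for(responses: List[Response], exercise: str) -> List[str]:
    """Answer codes given in one exercise."""
    return [code for ex, _, code in responses if ex == exercise]


def rate(responses: List[Response], exercise: str, code: str) -> float:
    """Share of respondents in `exercise` who gave `code`."""
    answers = answers_for(responses, exercise)
    if not answers:
        raise ValueError(f"no responses recorded for {exercise}")
    return answers.count(code) / len(answers)


def click_rate(responses: List[Response], exercise: str) -> float:
    return rate(responses, exercise, CLICKED)


def report_rate(responses: List[Response], exercise: str) -> float:
    return rate(responses, exercise, REPORTED)


def clicks_per_employee(responses: List[Response]) -> Counter:
    """How many exercises each employee clicked in (employees with zero are absent)."""
    return Counter(emp for _, emp, code in responses if code == CLICKED)


def repeat_clickers(responses: List[Response], min_clicks: int = 2) -> Set[str]:
    """Employees who clicked in at least `min_clicks` exercises: the group whose
    training needs a different approach rather than another round of the same."""
    return {emp for emp, n in clicks_per_employee(responses).items() if n >= min_clicks}


def summary(responses: List[Response]) -> Dict[str, dict]:
    """Per-exercise breakdown, click rate and report rate."""
    out: Dict[str, dict] = {}
    for ex in sorted({ex for ex, _, _ in responses}):
        counts = Counter(answers_for(responses, ex))
        out[ex] = {
            "responses": sum(counts.values()),
            "breakdown": {LABELS.get(code, code): n for code, n in sorted(counts.items())},
            "click_rate": click_rate(responses, ex),
            "report_rate": report_rate(responses, ex),
        }
    return out


if __name__ == "__main__":
    for ex, stats in summary(RESPONSES).items():
        print(ex, stats)
    print("repeat clickers:", repeat_clickers(RESPONSES))
```

On the sample rows the click rate rises from 25% in the first exercise to 50% in the second, which on its own says little; the per-employee view shows that one person clicked both times while another clicked only when the second lure used a different trigger, which is the kind of distinction the repeated, irregular exercises are meant to surface.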