For today's cyberattackers, there really are a lot of phish in the sea. Phishing email fraud is increasing in frequency and sophistication, and remains a popular method of attack with cyber criminals because of the ease with which they can gain access to personal and financial information. According to computer security company McAfee, 97% of people around the world are unable to identify a sophisticated phishing email! And while we’ve discussed numerous ways to protect yourself from phishing email scams on this blog, we haven’t spent nearly as much time talking about why it’s so important to protect yourself with anti-phishing services.
Why Organizations Need Anti-Phishing Software or Services
1. Phishing is a Huge Threat
According to the FBI’s 2017 Internet Crime Report, phishing and phishing-related scams were the third most common type of scam reported by victims regardless of company size, industry, or location (phishers don’t discriminate; they’ve gone after everyone from tech giants like Google to the smallest school PTA). That’s not all; the threat is growing. In the first half of 2018, nearly 500,000 phish were detected, much more than the approximately 370,000 detected in the last half of 2017 (and that includes holidays, when phishing attacks generally tend to spike). Perhaps most frighteningly, on average a phishing attack costs a mid-size company $1.6 million—enough to sink the company for good if it’s not properly protected.
2. Phishing is the Attack Vector for All Kinds of Hacks
Phishing is by far the most commonly exploited attack vector: the technique by which attackers get their targets to take a harmful action without realizing it. It serves as the entry point for several distinct kinds of attack.
Stealing credentials. Stealing credentials to gain access to a network, or to sell them on the black market, is often accomplished through phishing because it is cheap and easy. Whereas malware and other exploits rely on weaknesses in software or security defenses, a phishing email relies only on the attacker's ability to deceive someone; no vulnerability is required, so a fully patched system is no protection.
Stealing PII or PHI data. Rather than the mass email fraud used to harvest credentials, phishers engage in spear phishing (targeting a specific individual or organization) or whaling (targeting senior executives) to obtain Personally Identifiable Information (PII) or Protected Health Information (PHI). Healthcare organizations and the human resources departments of organizations in every industry are the most common targets for these attacks, because they hold exactly this data.
Deploying malware or spyware. Phishers routinely pair phishing emails with malware and spyware. In mid-2018, hackers with the Gorgon Group sent spear-phishing emails carrying a Microsoft Word document. Once opened, the malicious document exploited a software vulnerability that let the attackers run commands and install programs, with the end goal of carrying out espionage and stealing data.
Duping employees into fraudulent transactions. Otherwise known as Business Email Compromise (BEC), this email fraud strategy targets employees who can move money or release data (accounts payable, payroll, HR, executive assistants) by impersonating a member of the C-suite and requesting a wire transfer or sensitive information. It is pure social engineering: attackers know most employees do not want to question or say no to an executive, and a well-executed request, sent from a spoofed display name or a lookalike domain with a note of urgency, is very often acted on.
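The BEC pattern described above (an executive's name on an address the executive does not control, a lookalike domain, a Reply-To that diverts the conversation, and an urgent payment request) is exactly what a mail filter can check mechanically. The following is an added example written for this post, not Clearedin's product code and not a description of how any particular service works. The executive roster, the corporate domain `example.com`, and both sample messages are constructed for the illustration; the homoglyph table is a small assumed list, not an exhaustive one.

```python
"""Minimal BEC impersonation check over raw RFC 5322 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {                                   # assumed roster: display name -> real address
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|w-?2s?)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one message (empty list means none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name on an address that is not the executive's real one.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. A lookalike of the corporate domain: equal after homoglyph folding, but not identical.
    if from_domain != CORP_DOMAIN and normalize_domain(from_domain) == normalize_domain(CORP_DOMAIN):
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Reply-To on a different domain than From, so replies go to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. Urgency plus a payment or data request in the body: the classic BEC pretext.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    if URGENCY.search(body) and PAYMENT.search(body):
        findings.append("urgent payment/data request in body")
    return findings


def is_bec(raw: str) -> bool:
    """Flag the message when two or more independent indicators line up."""
    return len(analyze(raw)) >= 2


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts.payable@example.com
Reply-To: jane.doe.ceo@mail-example.net
Subject: Quick favor

Are you at your desk? I need an urgent wire transfer to a new vendor today.
Keep this confidential until I am out of my meeting.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: all-staff@example.com
Subject: Town hall on Thursday

Reminder that the quarterly town hall is Thursday at 10am in the atrium.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", "BEC" if is_bec(sample) else "ok", analyze(sample))
```

Requiring two indicators before flagging keeps a single coincidence (an executive mailing from a personal account, say) from generating noise, while a real BEC attempt usually trips three or four. In production the roster would come from the directory, the lookalike check would use a proper confusable-character table, and the verdict would feed a quarantine rather than a print statement.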
3. Phishing is a Compliance Issue
Not only can phishing scams cost companies millions in direct losses, they can now also cost them in securities-law violations. The Securities and Exchange Commission (SEC) has made it known that public companies need to step up their internal controls to protect against phishing email fraud, or face penalties. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the SEC wrote in its 2018 investigative report on business email compromise.
The Health Insurance Portability and Accountability Act (HIPAA) has also put healthcare organizations on notice. HIPAA’s Security Rule (the Security Standards for the Protection of Electronic Protected Health Information, or ePHI) establishes a national set of security standards for protecting health information that covered entities must adhere to. Organizations found in violation can be fined $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations, and in some cases face criminal charges. Another way to think about it: a recent phishing attack on the California-based Gold Coast Health Plan (GCHP) exposed PHI on 37,000 individuals; if each exposed record were counted as a violation at the low end of the fine spectrum ($100 per record), the breach alone could cost GCHP up to $3.7 million before the annual cap applies.
Phishing is easy to execute and extremely profitable for hackers, so it’s not going away anytime soon. Data shows it’s increasing in frequency and sophistication, and without proper protection it can be the death blow to organizations (especially small and mid-size companies). If the cost of phishing doesn’t get you, the fines for compliance violations just might. Clearedin can offer easy protection from phishing email scams, catching them before they hook your employees. Speak with one of our anti-phishing service experts and ask about our free trial. Contact Clearedin today.