Today, small and large organizations across every industry are witnessing a massive increase in phishing attacks. In fact, over 75% of organizations reported experiencing an attack in 2017.
What’s behind the rise in phishing attacks?
Part of it may be the ease with which it puts cybercriminals into direct contact with the most vulnerable part of any network—end users. Fraudsters have moved way beyond the easy-to-spot scams of the Nigerian prince desperate to transfer funds to you. Today’s scammers are researching their targets and sending cleverly disguised emails that engage recipients by impersonating a known colleague, contractor, friend, or family member. And, people are taking the bait—hook, line, and sinker. So what can companies do to protect themselves against a potentially devastating attack?
Phishing Awareness Training Programs
Most organizations are turning to training-based solutions, relying on a “human firewall” to keep their organization phish free. Many of these programs involve ongoing e-learning courses and videos, while more sophisticated training involves sending simulated phishing emails to employees. These phony phishing emails may include attachments, embedded links, and requests for personal information. If a recipient takes the bait, they will be presented with a screen explaining the situation and offering tips on how to avoid being “caught” in the future, and the company’s IT department will also be informed. In some instances, employees who repeatedly fall for simulated phishing attacks may be censured, penalized, or even terminated.
However, phishing awareness training is often expensive and takes valuable time out of employees’ schedules. Plus, even the best employees are fallible. So, while training may seem effective at first, especially immediately following coursework, human firewall protection is rarely a long-term strategy for success because eventually people get comfortable and fall back into their old habits. They’re also prone to slip up during periods of hyperactivity, such as end-of-quarter (EOQ) or end-of-year (EOY), when they’re up against tight deadlines.
In the scramble to complete tasks, employees are much more likely to make a “click” that could send a network into turmoil and cost the business thousands or millions of dollars. Phishermen know this, and so they often schedule attacks to coincide with EOQ or EOY activities.
They’re also finding success with Business Email Compromise (BEC) phishing during these times. This type of email differs from most phishing attacks because it usually includes no malicious link or attachment at all. Instead, it’s simply a message from an “executive” requesting a transfer of funds or access to sensitive data. Requests of this nature from top brass are more common at EOQ or EOY, so an employee may simply send the money or the information along without hesitation.
Red-Flagging External Emails for Phishing Prevention
Another method organizations are employing is simply red-flagging all external emails so that employees know they should be more judicious when interacting with those messages. Unfortunately, people in most roles routinely receive dozens or more external emails every day. For outward-facing roles such as sales and business development, the lion’s share of daily email exchanges will likely be with external users. This ends up drowning employees in white noise. The unfortunate by-product is that they start tuning out the warning and once again become vulnerable to BEC and other types of phishing attacks.
Anti-Phishing Software: A Better Approach
With the ultimate value of ongoing training and red-flagging techniques being called into question, what are organizations to do—especially those processing large amounts of sensitive data? Today’s savviest organizations are turning to smarter anti-phishing solutions.
Rather than spend time, money, and productivity on training tactics that erode over time, smart anti-phishing software actually learns the legitimate patterns of communication within an organization and red-flags only those emails that are truly unknown, suspicious, or malicious, greatly reducing the problem of “white noise.” More importantly, smart phishing prevention software provides an active defense that helps users at the point of attack: it red-flags and locks suspicious emails, giving users a visual cue and requiring them to unlock the email before they can click its URLs, reply to it, or forward it. This gives them the chance to pause and really think before they click.
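To make the contrast between the blanket “tag every external email” rule and a baseline-aware approach concrete, here is an added example in Python. It is not Clearedin’s product or code, and it is not taken from this page; it is a minimal sketch of the idea the text describes. The classifier first learns, from prior legitimate mail, which display names go with which addresses and which external domains the organization actually corresponds with. It then holds (“locks”) only mail that breaks that baseline: a familiar display name on an address never seen with it (the BEC pattern from the earlier section), a first contact from an unknown domain, a domain that is a close look-alike of the organization’s own, or a Reply-To pointing somewhere other than the sender’s domain. The internal domain `example.com`, the helper names, and every message below are my assumptions and constructed samples.

```python
"""Added example, not Clearedin's product or code: a small baseline-aware
email classifier of the kind the text describes, beside the blanket
"tag every external email" rule it is compared with.

Assumptions (all mine, not from the page): the organization's own domain is
example.com; prior legitimate mail is available as raw RFC 5322 messages;
the messages below are constructed samples.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumed organization domain


def _norm(name):
    return " ".join(name.lower().split())


def _domain(addr):
    return addr.lower().rsplit("@", 1)[-1]


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_baseline(history):
    """Learn who the organization really talks to: for each display name the
    addresses it has been seen with, and the set of domains seen at all."""
    names = defaultdict(set)
    domains = set()
    for raw in history:
        msg = message_from_string(raw)
        for hdr in ("From", "To", "Cc"):
            for name, addr in getaddresses(msg.get_all(hdr, [])):
                if not addr:
                    continue
                domains.add(_domain(addr))
                if name:
                    names[_norm(name)].add(addr.lower())
    return {"names": names, "domains": domains}


def flag_all_external(raw):
    """The blanket rule: tag every message whose sender is outside the org."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return _domain(addr) not in INTERNAL_DOMAINS


def classify(raw, baseline):
    """Return ("lock", reasons) for mail that should be held behind an unlock
    step, or ("deliver", []) for mail that matches the learned baseline."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, domain = addr.lower(), _domain(addr)
    reasons = []
    # BEC pattern: a familiar display name on an address never seen with it.
    seen = baseline["names"].get(_norm(name), set())
    if seen and addr not in seen:
        reasons.append("display-name-mismatch")
    if domain not in INTERNAL_DOMAINS:
        if domain not in baseline["domains"]:
            reasons.append("first-contact")
        if any(edit_distance(domain, d) <= 2 for d in INTERNAL_DOMAINS):
            reasons.append("lookalike-domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != domain:
        reasons.append("reply-to-mismatch")
    return ("lock", reasons) if reasons else ("deliver", [])


# Constructed sample data (not real traffic).
HISTORY = [
    "From: Jane Doe <jane.doe@example.com>\nTo: Bob Lee <bob.lee@example.com>\n"
    "Subject: Q3 numbers\n\nSee attached.\n",
    "From: Sam Vendor <sam@vendor-supplies.net>\nTo: Bob Lee <bob.lee@example.com>\n"
    "Subject: Invoice 1042\n\nHere you go.\n",
]
INBOUND = {
    "bec_freemail": "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: bob.lee@example.com\n"
                    "Subject: Urgent wire before EOQ\n\nCan you send the wire details now?\n",
    "known_vendor": "From: Sam Vendor <sam@vendor-supplies.net>\nTo: bob.lee@example.com\n"
                    "Subject: Invoice 1043\n\nAttached.\n",
    "lookalike":    "From: Jane Doe <jane.doe@exarnple.com>\nReply-To: accounts@mail-relay.biz\n"
                    "To: bob.lee@example.com\nSubject: Payroll file\n\nSend me the W-2s.\n",
    "internal":     "From: Bob Lee <bob.lee@example.com>\nTo: jane.doe@example.com\n"
                    "Subject: Re: Q3 numbers\n\nThanks.\n",
}
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for label, raw in INBOUND.items():
        print(f"{label:13} blanket-tag={flag_all_external(raw)!s:5} "
              f"baseline={classify(raw, BASELINE)}")
```

Run stand-alone, the script shows the difference the text is driving at: the blanket rule tags the known vendor’s routine invoice exactly as loudly as the free-mail “CEO” asking for a wire, while the baseline-aware check delivers the vendor mail untouched and locks only the two impersonation attempts, each with the specific reasons a user can act on. The look-alike threshold and the two-message history are deliberately tiny; a real deployment would build the baseline from months of mail and tune the thresholds to its own false-positive tolerance.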
Ready to get beyond the human firewall and learn more about smart anti-phishing cybersecurity solutions? Contact the experts at Clearedin today.