You’ve probably heard of phishing. It’s a form of cyber-attack where a hacker poses as a trusted entity – like a bank, cloud provider or healthcare organization – over email.
The email will either contain an attachment that’s riddled with malware or a link that encourages the victim to share sensitive data.
While many people now know about phishing, these attacks still have a high success rate. In 2020, over half of companies suffered a data breach due to phishing – rising to 83% in 2021.
It’s clear, from these stats, that phishing attacks are getting harder to detect. Cyber-criminals now often conduct ‘spear-phishing’ attacks, where they research their targets prior to sending the email. Using this research, they’ll then craft extremely personalized text, pretending to be an employee’s boss or customer.
At the same time, many businesses continue to overlook the basics of security, which makes it more likely that their employees will fall victim to phishing attacks. Often, this comes from a mindset of “a cyber-attack won’t happen to me.”
However, research shows that 47% of small businesses experienced a cyber-attack last year. This means there’s essentially a 50/50 chance of you suffering an attack. With such high stakes, being proactive is crucial.
With that in mind, here are some of the common mistakes we see companies make that increase the risks of successful phishing attacks.
Forgetting the Importance of Ongoing Phishing Training
Too often, organizations treat phishing education as a one-off exercise or an annual one-hour session. Realistically, these sessions aren’t going to help your employees stay mindful of phishing in the long term.
It’s all too easy to forget infrequent training sessions – especially when a lot of technical information is delivered in a short amount of time. Moreover, by treating training as a tick-box activity, many companies don’t actually assess whether their training strategy is engaging or useful.
How companies approach security training needs to change. You should aim to build a culture of security awareness in your organization, where your employees feel informed about current security threats that could impact them – such as phishing and ransomware.
Creating a culture of security awareness can positively impact the bottom line, too. It reduces the likelihood of your employees falling for a cyber-criminal’s tactics.
You don’t need to conduct monthly cybersecurity meetings to create this culture, either. You could, for example, create a weekly newsletter on the latest security threats, ask your employees to complete e-learning training quarterly and celebrate Cybersecurity Awareness Month.
By putting all these things together, you’ll quickly see awareness of security skyrocket in your company. Of course, creating this material requires a solid knowledge of the security landscape and the most risky threats.
If you don’t have an IT or security person in-house, consider asking a managed IT provider like us about training solutions. We can help you create a security awareness program at the budget that’s right for you.
Forwarding Unvetted Emails to Your Colleagues
Hands up if you’ve ever received an email and then forwarded it to someone else to take care of, without properly reading the content first. This is a common practice in today’s busy workplace – but it’s also super risky.
If an employee receives a forwarded email from a boss or manager, they’re likely to action the email even if it seems suspicious or out of the ordinary. This is often how successful phishing attacks occur.
To protect against this threat, make sure that your company managers and senior stakeholders check all of their emails before forwarding them on to other employees.
Some common anomalies to look out for that indicate a phishing email include:
- Spelling mistakes in the email body
- A request with urgency that appears out of the blue
- Unusual variations in the email addresses, links and domain names
- A tone that doesn’t seem quite right
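The indicators above can also be checked automatically before a message is forwarded. The following script is an added example, not code from the original post or from ECN IT Solutions: it runs a few simple heuristics (lookalike sender domains, urgent wording, links whose visible text differs from their real target) over constructed sample messages. The trusted domain `example-corp.com` and the sample messages are assumptions made for the demonstration.

```python
import re

# Constructed sample messages (not from the original post), modelled on the
# anomalies listed above: an urgent out-of-the-blue request, an unusual
# variation in the sender address, and a link whose text differs from its target.
SAMPLES = [
    {"from": "Accounts Payable <ap@examp1e-corp.com>",
     "subject": "URGENT: wire transfer needed by 5pm",
     "body": 'Please act immediately. Invoice: '
             '<a href="http://pay-examp1e.net/inv">https://portal.example-corp.com/inv</a>'},
    {"from": "Dana Lee <dana.lee@example-corp.com>",
     "subject": "Notes from Tuesday",
     "body": 'Slides: <a href="https://intranet.example-corp.com/notes">'
             'https://intranet.example-corp.com/notes</a>'},
]

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own domain(s)
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(text):
    """Return the lowercased domain from an e-mail address or a URL ('' if none)."""
    m = (re.search(r"@([\w.-]+)", text)
         or re.search(r"^[a-z][a-z0-9+.-]*://([\w.-]+)", text.strip(), re.I))
    return m.group(1).lower() if m else ""


def looks_like_trusted(domain):
    """Cheap lookalike check: undo common digit/letter swaps (1->l, 0->o, rn->m)
    and see whether the result is one of our trusted domains."""
    plain = domain.replace("1", "l").replace("0", "o").replace("rn", "m")
    return domain not in TRUSTED_DOMAINS and plain in TRUSTED_DOMAINS


def phishing_indicators(msg):
    """Return a list of human-readable indicators found in one message."""
    found = []
    sender = domain_of(msg["from"])
    if looks_like_trusted(sender):
        found.append(f"sender domain {sender} imitates a trusted domain")
    if URGENCY.search(msg["subject"]) or URGENCY.search(msg["body"]):
        found.append("urgent wording in subject or body")
    for href, text in LINK.findall(msg["body"]):
        shown, target = domain_of(text), domain_of(href)
        if shown and shown != target:
            found.append(f"link shows {shown} but points to {target}")
    return found


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", phishing_indicators(m) or ["no indicators found"])
```

These heuristics are a triage aid for the reader, not a replacement for the mail filtering and training the post recommends; a clean result only means none of these four patterns matched.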
Forgetting About the Risk of SMS-ishing
It’s vital for your employees to realize that phishing doesn’t just happen over email. It can also happen over text. This is known as SMS-ishing (also called smishing).
SMS-ishing works just like a phishing email, except the fraudulent request arrives as a text message. Many people don’t know about SMS-ishing, making it a popular attack vector for hackers. In fact, SMS-ishing attacks increased three-fold in 2020.
To tackle the rise of SMS-ishing, your security awareness program needs to cover social engineering as a whole, looking beyond phishing to cover other forms of fraud like SMS-ishing and fraudulent calls.
The threat of phishing is not going away. You need to ensure your employees can identify phishing emails and other security threats. Let us help you create a robust security awareness program that combats phishing threats.
We can also help you bolster your phishing protections through a range of anti-malware and anti-spam solutions.
Contact our experts today: call us at 520-355-7553.
ECN IT Solutions is a managed service provider (MSP) based in Tucson, Arizona that provides full-service, outsourced IT Support for companies across the Southwest. We offer network monitoring and management, cybersecurity, and a help desk with a response time of under 10 minutes. For more information, contact us online or call (520) 355-7553 and we’ll get in touch with you faster than you can believe.