That phrase with its new spelling appears to be all the rage among cybercriminals these days. 76% of all companies surveyed last year reported being victims of phishing attacks. The most frequently targeted sectors in the second quarter of 2019 were free webmail and SaaS providers, followed by the financial sector. And if that’s not enough to scare you, new phishing sites have been popping up at an average of 1.5 million every month, and about half of them use https encryption, so a padlock icon in the browser is no sign that a site is legitimate.
The Cost?
In 2018, the cost of a phishing attack on a mid-sized company was estimated at $1.6 million. And these figures don’t even include the general public, which has also seen significant increases in these criminal offenses. A whopping 60% of Americans report that either they or a relative have been victims of a scam or breach.
Internal Procedures
Devote the time to educate employees not just about the dangers of phishing but also about the impact it can have on the company, its employees and sometimes its customers. Dispense advice on how they can recognize suspicious emails they may receive and how to handle them. Add a section on how they should secure their own home PCs, which they can also share with friends and family.
Not convinced? No time? A recent security study by Intel reported that 97% of participants globally don’t recognize complex phishing emails.
Another study by Deloitte reported that a third of customers would cease doing business with a company that was breached even if they personally didn’t suffer any loss. A large insurer reported that its surveys show 60% of customers would consider changing companies with about half actually doing so.
Meet with your IT team and formulate some action plans. Keep your software updated. A 2014 study found that 90% of the more than 1,000 commercial breaches in the first half of 2014 could have been averted. Employees caused more than 25% of them, largely by accident.
Conduct periodic tests, such as sending simulated phishing emails to some employees from email addresses unknown to them. Share the results of the tests without identifying employees, and include reminders and tips.
External Procedures
Keep your different publics informed about what you’re doing, particularly as it relates to protecting their data. Share the same information you gave to employees so they can recognize phishing attempts they receive.
Some of the tips should include being on the lookout for one or more of the following in emails they receive:
- Improper grammar
- Requests for financial help
- An offer of money
Advise them to compare the sender address on a suspected phishing email with your company’s real email address, especially if your company name is part of the address.
Counsel them about the potential danger of opening an attachment from an unknown sender, clicking a link the sender asks them to follow, or even replying to the sender. Finally, while it seems obvious, they should be warned not to comply with any request for personal information.
While none of the above is guaranteed to defend against phishing, you will have educated both your employees and your publics about your efforts and desire to keep data private, and helped maintain trust and credibility with them.