Phishing is one of the most widespread ways in which cyber criminals are able to get things their way, whether it’s for monetary gain or to hack into an organisation. A well-phrased email or SMS, combined with social engineering, such as a relevant subject line, will, in the vast majority of cases, be enough to persuade at least one unsuspecting victim to open it. That’s enough to potentially bring your business to a grinding halt.
Phishing is a general term used for various types of cyber-attacks exploiting human weaknesses. Most of them aim to provide the attacker with personal and sensitive information, often to obtain initial access into a targeted network. Basically, this is the first stage of the attack, allowing the attacker to decide how they want to move forward. Do they continue to move laterally inside the network until gaining administrator privileges, which will allow deployment of a second stage malware and/or access to steal intellectual property? Or, do they sell the initial access on the dark web for other criminals to exploit?
A recent study showed that 95% of attacks on business networks are the result of successful phishing attempts. This isn’t really a surprise, since the weakest link in any defence is the human factor. Just ask Google and Facebook, who were scammed out of more than US$100 million (AUD$1,548,867) by a Lithuanian hacker who ran a sophisticated fake invoice scam against both companies between 2013 and 2015.
Given that cyber-attacks cost small businesses US$53,987 (AUD$83,619) per year on average, the recommendation is to do everything you can to avoid becoming a victim. So, what can you do to protect your business against phishing attacks? We’re glad you asked.
Here are some of the most crucial points in protecting your business:
• To make it harder for attackers to insert spoofed emails into your network, employ the anti-spoofing control DMARC (Domain-based Message Authentication, Reporting and Conformance), and encourage your vendors to do the same.
DMARC is an authentication verification mechanism for emails. It verifies that incoming messages really came from their alleged sender and allows you to determine a policy for what to do with emails that are spoofing your domain.
• Make sure your employees undergo a cyber security awareness session, teaching them how to identify and react to phishing incidents and other types of attack attempts, and informing them of who they should report to should they suspect something or identify a threat. It is also recommended to include drills, in which employees get fake “phishing” emails, to test their awareness. In many cases, the reaction your employees have to a phishing campaign, is what makes the difference between an unsuccessful attempt and a catastrophe.
• Protect your clients from phishing by purchasing an anti-phishing service, as well as encouraging them to report any suspicious emails supposedly coming from your business.
• Enable a multi-factor authentication solution for sensitive actions, such as financial transactions or changing bank account details. This can be done with a biometric identification system or a One-Time-Password (OTP) sent to the employee’s phone.
• Keep your software regularly updated, as much as possible. Software vulnerabilities can make it a lot easier for the attacker to infiltrate your network through phishing attempts.
• Be aware of emerging threats in your sector and region by subscribing to a cyber threat intelligence service. This will assist you in analysing your defence posture and evaluate your threats based on real data, rather than a hunch.
• Have an incident response team on retention. These experts can help your business recover as fast as possible, save you money, lessen reputation impact and reduce other expenses.
• Purchase cyber insurance. Should all your defences fall over, cyber insurance might be the thing that keeps your head above water. This can help your business get back on track rather than lose everything.
To protect your brand and clients, FraudWatch International offers a monitoring service using proprietary anti-phishing software. Our tools look for phishing activity on the internet and take down these sites. In fact, we have some of the fastest takedown times in the industry and a 100% success rate.
Our industry-leading takedown times mean less risk to your business, less exposure for your customers, and less risk to intellectual property. Learn more about our anti-phishing protection services today.