Don’t Trust That Email – Phishing Scams Are Big Business
Cybercriminals know your inbox is far from secure.
Cybercrime is bigger business than you might realize.
In today’s cybersecurity environment, keeping corporate data safe requires more than just teaching employees to look out for suspicious emails. You need to be proactive in creating and maintaining a tight perimeter defense around your key processes and treat every IT position in your company as a cybersecurity position.
Emails are the number one malware and cybercrime delivery mechanism globally, according to David Bennett, Director of Operations at the Defense Information Systems Agency, the cybersecurity arm of the United States Defense Department.
Cybercrime damages are en route to exceed $6 trillion globally by the year 2021. This gives it a bigger market capitalization than the current worldwide black market in counterfeit currency and illegal drugs combined – a paltry $2 trillion if you throw illegal logging in to sweeten the pot.
So what can you do?
The first thing any business owner needs to invest in is protection against phishing scams. 91 percent of cyberattacks begin with a phishing email. If you don’t take preventative action, it’s only a matter of time before your business is on the hook.
How Phishing Scams Are Impacting Business
Between 2013 and 2016, the FBI investigated over 22,000 phishing scams. The bureau found that these scams accounted for nearly $500 billion in losses every year. Although the scams differ in scope and intent, they all rely on tricking victims into clicking on links and downloading some form of malware.
These scams can take a variety of forms:
- Mass-Market Email Phishing. This is the simplest version, where an email blast disguised to look like it comes from some trusted third party is sent to innumerable email addresses in one go. You’re probably familiar with fake PayPal alerts telling you that your password is set to expire (no reputable company emails you asking for your password) or UPS delivery notifications for things you don’t remember ordering (you can safely ignore notifications for things you did not order).
- Spear Phishing. This phishing strategy is more specific. Instead of trying to obtain banking credentials from ten thousand individuals, a spear phisher targets a handful of organizations. This attacker will spend more time crafting a legitimate backstory – such as by referencing a recent event that a particular victim attended, or claiming to be an associate of a trusted friend. Most of the time, this information is available on LinkedIn or Facebook.
- Business Compromise Email (BCE). BCEs occur when an attacker gains access to a senior executive’s corporate email account and uses it to defraud the company, its employees, or its corporate partners. Often, an attacker will lurk on a hacked account and wait, sometimes for months, learning about the victim and waiting for the perfect opportunity to take advantage of the account’s authority – such as asking the accounting department for an urgent wire transfer.
- Domain Name Spoofing. Attackers can register a domain name that looks exactly like a trusted website, set up an email account on it, and use it to impersonate nearly anyone. This is technically known as an IDN homograph attack – it replaces Latin characters with visually identical lookalike characters from other Unicode scripts (Cyrillic, for example). For example, this website is not Apple.com (Chrome has patched this, but Safari and Firefox are still broken), but there’s no way to know that before you click on the link.
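The IDN homograph problem described above can be checked for on the defender's side before a link is ever clicked: convert the domain to its punycode (xn--) form and flag labels that mix scripts or that, after swapping known lookalikes back to Latin, spell a protected brand. The following is an added illustration, not code from the original post or any vendor; the confusables map and the protected-brand list are small constructed subsets (the full table is Unicode UTS #39), and the sample domains are constructed.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render
# like Latin ones in most fonts (the full list is in Unicode UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u04cf": "l", "\u0455": "s"}
# Hypothetical list of brand names this organisation wants to protect.
PROTECTED = {"apple", "paypal", "ups"}

def script_of(ch):
    """Script name taken from the Unicode character name; non-letters are COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())

def analyze_label(label):
    scripts = {script_of(c) for c in label} - {"COMMON"}
    is_ascii = label.isascii()
    skel = skeleton(label)
    lookalike = skel if (not is_ascii and skel != label and skel in PROTECTED) else None
    return {"label": label, "scripts": scripts, "mixed": len(scripts) > 1,
            "ascii": is_ascii, "lookalike_of": lookalike}

def analyze_domain(domain):
    """Return the ACE (punycode) form of a domain plus a verdict for its labels."""
    try:
        ace = domain.encode("idna").decode("ascii")   # what the DNS actually sees
    except UnicodeError:
        ace = None   # rejected by IDNA rules; still worth a human look
    verdict = "ok"
    for info in (analyze_label(part) for part in domain.split(".")):
        if info["lookalike_of"]:
            verdict = "homograph of " + info["lookalike_of"]
            break
        if info["mixed"]:
            verdict = "mixed-script label"
        elif not info["ascii"] and verdict == "ok":
            verdict = "non-ASCII label (review)"
    return {"domain": domain, "ace": ace, "verdict": verdict}

if __name__ == "__main__":
    # Constructed samples: plain ASCII, one Cyrillic 'a' swapped in,
    # an all-Cyrillic lookalike, and a legitimate non-ASCII name.
    for d in ("apple.com", "\u0430pple.com",
              "\u0430\u0440\u0440\u04cf\u0435.com", "m\u00fcnchen.de"):
        r = analyze_domain(d)
        print(f"{r['domain']} -> {r['ace']}: {r['verdict']}")
```

A mail gateway or link-rewriting proxy can run the same check on every URL in a message and show the user the xn-- form, which is the only representation that cannot be disguised.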
The malware that these scams attempt to trick you into downloading can do any number of things – it can log keystrokes to attempt to learn your passwords, it can encrypt your data and hold it ransom for Bitcoin, or even take photographs of you using your webcam. In 2015, a team of particularly sophisticated and ambitious hackers used a phishing scam to implant custom-coded malicious firmware in a Ukrainian power plant reactor, shutting it down – the sky’s the limit.
In 2016, cybercriminals stole a total of 4.2 billion records from organizations. 81 percent of the organizations that were attacked lost customers and suffered damage to their reputation as a result. Damages reached an average of $1.6 million per organization.
With employee and customer data on the line, damage extends all the way down to the end-user. Customers tend to steer clear of brands that have been victimized by cyber attacks.
With the proliferation of new cybercriminal threats and the increasing frequency of phishing attempts – now at an average of six malicious emails per day per person – businesses need a complete, customizable solution to email security more than ever.
The key to keeping your email correspondence safe is implementing a robust cybersecurity policy that aligns with your company’s greater long-term security goals. But coming up with a cybersecurity policy for email and actually convincing busy employees to adhere to that policy are two very different challenges.
Our experienced team of email security experts has crafted a robust email solution that provides real-time advanced threat defense against phishing scams. This solution incorporates best email security practices directly into each user’s workflow, helping lift some of the burden off their collective shoulders, and does so at far lower per-user costs than similar service providers.
Features we offer include email archiving and disaster recovery. When used in tandem, these can generate an audit trail that you can use to root out suspicious activity and identify the weakest links in your company’s cybersecurity chain. By incorporating best-in-class email security, you can protect yourself and your customers from the expense and embarrassment of being victimized by phishing cyber attacks.