Employee education, training is key to curtailing risk of phishing attack
While the objective of phishing has remained constant over time, the nature of phishing attacks is constantly evolving.
Despite being one of the oldest types of cyberattacks — dating back to the 1980s — phishing continues to plague businesses of all types as one of the most significant cyberthreats today. The recent global ransomware attack WannaCry, which infected more than 200,000 computers in at least 100 countries, originated with a successful email phishing attack. WannaCry is just one of countless examples of the widespread, severe damage that cybercriminals can inflict upon businesses by using disguised email as a weapon. Phishing attacks are on the rise and are becoming more sophisticated as time progresses.
As such, now is the time for companies of all shapes and sizes to review the issue of phishing and what steps can be taken to minimize the risk of this lethal cyberthreat. In particular, employee education and training is a vital tactic that can be employed to combat the threat of phishing so that companies don’t fall victim to this time-tested attack vector.
Related: Top U.S. cybercrimes include more than just data breach, phishing
Phishing explained
As a general matter, phishing involves the sending of fraudulent email communications that deceivingly appear to originate from a reputable source. The objective of phishing attacks is either to steal sensitive personal data, such as credit card information or login credentials, or to install malware on the target’s machine or systems. Many phishing emails include ransomware — a vicious form of malware that can lock a device by encrypting its files, which then become inaccessible to the victim until a ransom is paid.
Although the objective of phishing has remained constant over time, the nature of phishing attacks is constantly evolving. For starters, cybercriminals have branched out beyond emails, and now are perpetrating phishing attacks through both text messages and social media platforms. In addition, today’s targeted phishing attacks are also combined with social engineering methods, where phishers research their intended target and incorporate detailed personal information pertaining to the intended victim in their fraudulent communications, significantly raising the likelihood of success of the attack. As such, it is significantly more challenging for companies to defend against phishing scams today than in years past.
Furthermore, the financial impact that a successful phishing attack has on a company is significant. According to the FBI’s Internet Crime Report, in 2017 alone, business email compromise — a form of targeted phishing geared to defraud companies — cost targets an average of $43,000. In May of last year, the FBI announced updated numbers, providing that phishing has cost businesses more than $12 billion over the last five years alone.
Employee education and training
Employee education and training is an essential tool that companies must utilize in order to effectively defend against sophisticated phishing scams. With proper education and training, a company’s workforce can serve as a robust first and last line of defense against phishing attacks.
Companies should include targeted phishing awareness education and training as an integral part of every employee’s onboarding process. In addition, companies should also complete phishing training on a regular basis for all members of their organization. Importantly, however, companies cannot rely on mere annual training to carry the day when it comes to effectively combating the threat of phishing attacks. Rather, in order to fully minimize the threat, training needs to be multifaceted, ongoing and consistent.
The first step in educating and training employees is to persuasively convey how significant a threat phishing poses to the long-term success of the organization. Educating employees about the dangers and consequences of phishing attacks is one of the best defenses companies can deploy to guard against the risk of phishing scams. In addition, employees should be educated on current phishing methods and techniques that are being deployed by hackers to deceive employees into giving up access to their organization’s network and systems. This ensures that employees stay up-to-date on new and emerging threats, and keeps important data security practices and habits fresh in workers’ memories. Furthermore, companies must also provide employees with best practices to implement to ensure they avoid the pitfalls of potential phishing scenarios, such as:
- Never trusting an email based simply on the message’s purported source;
- Never relying exclusively on images or logos as a measure of a email’s authenticity;
- Being suspicious of emails with generic greetings and improper grammar style;
- Being cognizant of the fact that enticing or aggressive email subject lines are commonly used to entice people into clicking on a link or taking other high-risk actions;
- Recognizing that emails that threaten or urge “immediate action” are often used to scare and intimidate targets into acting hastily, before they take the time to exercise proper caution;
- Never clicking on a link without first verifying the destination of the link by hovering the user’s cursor over the URL to determine the link destination; and
- Never transmitting sensitive personal or company information via email.
Finally, companies must also teach and train all employees how to spot and recognize attempted phishing attacks. Active training — as opposed to passive training, such as video tutorials — in individual settings is ideal to maximize the impact of phishing training regimens. A very effective technique that companies can implement is to demonstrate what an actual phishing attack might look like in real-time, and how that attempted attack is properly dealt with and neutralized.
In addition, training employees in real-life, non-classroom settings with simulated phishing campaigns is also an extremely effective training and educational tool that aids employees in recognizing their own understanding of the threat, while at the same time reinforcing the company’s anti-phishing education and training efforts. For example, a company can test employees by sending them simulated phishing emails to see if they are able to detect the malicious nature of the message. If an employee responds to the email, the company can then use this as an opportunity to educate the employee and further reinforce the importance of proper security measures and practices.
Beyond that, the results of simulated phishing exercises — such as the attack techniques that workers are most susceptible to — can be used to focus and strengthen the organization’s phishing education and training efforts, helping to shore up any weak spots that employees may demonstrate in identifying and avoiding phishing scams.
Related: How to protect small businesses from cybercrime
The final word
According to Symantec’s 2018 Internet Security Threat Report, approximately 71.4% of targeted cyberattacks involved the use of phishing email messages. In addition, according to a recent Verizon Data Breach Investigations Report, almost two in three instances of malware were installed by way of malicious email attachments contained in phishing emails. Companies can expect to continue to encounter a similar, steady — if not increasing — steam of phishing attacks specifically targeting business entities for the foreseeable future. As such, now is the time for companies to ramp up their employee phishing education and training regimens to effectively defend against the high volume of sophisticated phishing scams which show no signs of slowing down in the coming years.
By effectively educating and training workers to employ effective anti-phishing data security practices, companies can put their workforce in the best position to identify, respond to, and defeat attempted phishing schemes when — inevitably — they arrive in a worker’s inbox.
Related: Executives likely to be targeted for cybercrime, report warns
This article first appeared on law.com, a sister publication of PropertyCasualty360. Jennifer J. Daniels is a partner at Blank Rome LLP and serves as co-chair of the Firm’s Cybersecurity & Data Privacy group. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm’s Cybersecurity & Data Privacy group.