These 10 Facts About Phishing Can Help Businesses Avoid Today’s Biggest Risk
Some of the most devastating cyberattacks in history, including incidents like the Colonial Pipeline ransomware disaster, started with a humble phishing email. Phishing is the type of cyberattack employees see the most by far. Phishing is an easy way for bad actors to obtain passwords, user data and other credentials, enabling them to undertake other cybercrime operations like business email compromise or deploy ransomware. Cybercriminals also love phishing because it has a low barrier to entry, it’s cheap and it’s effective. They don’t even need special skills to undertake a phishing operation – plug-and-play phishing kits and Phishing-as-a-Service operations make it a breeze for anyone. An estimated 75% of organizations in the United States were hit by a phishing attack that resulted in a data breach in 2020.
Phishing is the #1 Threat to a Company’s Data and Its Budget
Phishing is not only the most dangerous security risk that employees encounter daily, it also costs businesses a fortune every year. The 2021 Ponemon Cost of Phishing Study laid out the damage, with researchers reporting a colossal increase in the cost of a phishing attack for businesses. The same researchers also reported that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing – and it’s easy to see why when you know the facts about phishing.
10 More Facts About Phishing That You Need to See
- 95% of attacks on business networks are the result of successful spear phishing.
- 80% of IT professionals saw a substantial increase in phishing attacks in 2021.
- 1 in 3 employees are likely to click the links in phishing emails.
- 41% of employees failed to notice a phishing message because they were tired.
- 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.
- An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email.
- Phishing remains the top data breach threat for the third year in a row.
- The cost of phishing attacks has almost quadrupled over the past six years.
- 80% of reported security incidents are phishing-related.
Employees Can Spot and Stop Phishing Messages if They Know What to Look For
Phishing can be tricky to spot, even for seasoned professionals. As phishing messages grow more sophisticated, it’s a real challenge for the average employee to determine whether a message is legitimate or phishing, and many companies don’t have the support in place to minimize the risk of an employee making a mistake. An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email. Arm employees with the facts about phishing messages and what they look like, including these red flags that could indicate an email is actually a phishing attempt.
Is the subject line accurate? Subject lines that feature oddities like “Warning”, “Your funds has” or “Message is for a trusted” should set off alarm bells. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected elements like emojis or other things that make it stand out from emails you regularly receive from the sender, it’s probably phishing.
If the greeting seems strange, be suspicious. Are the grammar, punctuation and spelling correct? Is the greeting in a different style than you usually see from this sender? Is it generic when it is usually personalized, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate.
Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. For example, if the message says it is from Sender@microsoftsecurity.com instead of Sender@microsoft.com, you should be wary.
Word Choices, Spelling & Grammar
This is a hallmark test for a phishing message and the easiest way to uncover an attack. If the message contains a bunch of spelling and usage errors, it’s definitely suspicious. Check for grammatical errors, data that doesn’t make sense, strange word choices and problems with capitalization or punctuation. We all make the occasional spelling error, but a message riddled with them is probably phishing.
Does this look like other messages you’ve received from this sender? Fraudulent messages may have small variations in style from the purported sender’s usual email style. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. They’re common indicators of phishing.
Using malicious links to capture credentials or send victims to a web page that can be used to steal their personally identifiable information (PII) or financial information is a classic phishing scam. Hovering your mouse or finger over a link will usually enable you to see the path. If the link doesn’t look like it is going to a legitimate page, don’t click on it. If you have interacted with it, definitely don’t provide any information on the page that you’re directed to because it’s almost certainly phishing and could infect systems with malware like ransomware.
Never open or download an unexpected attachment, even if it looks like a normal Microsoft 365 (formerly Office) file. Almost 50% of malicious email attachments sent out in 2020 were Microsoft Office files. The most popular formats are the ones employees exchange every day: Word, PowerPoint and Excel files accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, account for about 37% of malicious transmissions.
Is this someone or a company that you’ve dealt with before? Does the message claim to be from an important executive, politician or celebrity? A bank manager or tax agent you’ve never heard of? Be cautious about interacting with messages that seem too good to be true. Messages from government agencies should also be handled with care. Phishing practitioners love using fake government messages. In the United States, the federal government will never ask you for PII, payment card numbers or financial data through an email message out of the blue – that’s phishing.
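The red flags above can be checked mechanically at a mail gateway or in a help-desk triage script. The following scanner is an added example (not code from the article or from ID Agent) that applies four of them to a parsed message: subject phrasings the article quotes, a sender domain that borrows a brand name without being that brand's official domain (the microsoftsecurity.com vs. microsoft.com case), a link whose visible text names a different host than its href, and attachments of the Office and archive types cited above. The brand-to-domain table, the risky-extension list and the sample message are constructed for the demonstration; a real deployment would load the brand table from the organization's own allowlist.

```python
"""Red-flag scanner for one email message (added example, not the article's or ID Agent's code).
Checks: subject phrasing the article calls out, a sender domain that borrows a brand name
without being the official domain, a link whose visible text names a different host than
its href, and attachments of the Office/archive types the article cites. The brand table,
extension list and sample message are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}  # constructed lookup
SUBJECT_RED_FLAGS = ("warning", "your funds has", "message is for a trusted")
RISKY_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                    ".ppt", ".pptx", ".pptm", ".zip", ".jar")
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def check_subject(subject):
    s = subject.lower()
    return [f"subject contains {p!r}" for p in SUBJECT_RED_FLAGS if p in s]

def check_sender_domain(domain, display_name=""):
    """Flag a sender that claims a brand (in domain or display name) from a non-official domain."""
    domain = domain.lower()
    findings = []
    for brand, official in OFFICIAL_DOMAINS.items():
        claims_brand = brand in domain or brand in display_name.lower()
        is_official = domain == official or domain.endswith("." + official)
        if claims_brand and not is_official:
            findings.append(f"sender domain {domain!r} is not the official {official!r}")
    return findings

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(tuple(self._current))
            self._current = None

def host_of(text):
    text = text.strip()
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def check_links(html):
    """Flag anchors whose visible text looks like a URL on a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [f"link text {text.strip()!r} actually points to {host_of(href)!r}"
            for href, text in parser.anchors
            if DOMAIN_LIKE.match(text.strip()) and host_of(text) != host_of(href)]

def check_attachments(msg):
    names = [part.get_filename() or "" for part in msg.walk()]
    return [f"attachment {n!r} has a commonly abused file type"
            for n in names if n.lower().endswith(RISKY_EXTENSIONS)]

def scan(raw_message):
    """Run every check over one RFC 822 message and return the list of findings."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = check_subject(msg.get("Subject", "")) + check_sender_domain(domain, display)
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.get_filename():
            charset = part.get_content_charset() or "utf-8"
            findings += check_links(part.get_payload(decode=True).decode(charset, "replace"))
    return findings + check_attachments(msg)

# Constructed sample message that shows all four red flags at once.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <security@microsoftsecurity.com>
Subject: Warning: Your funds has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account at
<a href="http://login.example.net/verify">https://account.microsoft.com/verify</a></p></body></html>
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"

(zip bytes omitted from the constructed sample)
--b1--
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_EMAIL), sep="\n")
```

Running the block against the sample yields five findings: two subject phrasings, the look-alike sender domain, the link whose text advertises account.microsoft.com but resolves to login.example.net, and the .zip attachment. The sender check deliberately accepts subdomains of the official domain (mail.microsoft.com) and stays silent when no known brand is claimed, so the brand table is the part worth maintaining; the other checks are plain heuristics and will not catch a well-formed message from a freshly registered unrelated domain.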
Build a Strong Phishing Defense Without Breaking the Bank
When you know the facts about phishing risk, it’s easy to see why every company needs to make a powerful defense against phishing a top priority to avoid joining the ranks of the 60% of businesses that fold in the wake of a cyberattack. The ID Agent digital risk protection platform answers that call.
Dark Web ID – Do you suspect that a password has been successfully phished from an employee? Find out immediately when you use dark web search to find all of a company’s compromised credentials in minutes. That protection also keeps running to alert you to new credential compromise risks through 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
Passly – Make a phished password useless with secure identity and access management that gives you more for less. Multifactor authentication alone adds an extra layer of protection between hackers and your valuable data, stopping 99% of password-based cybercrime. Plus enjoy easy access to SSO applications and passwords with the ability to automatically fill in the blanks for web logins plus automated password resets.
BullPhish ID – A frequently updated library of preloaded phishing kits makes it a snap to make sure employees have been trained to resist the phishing lures they face every day. But they’ll learn about much more than just phishing including ransomware, compliance, password safety, security hygiene and more, giving every employee a solid grounding in cybersecurity pitfalls and best practices.
Let us help you get a strong phishing defense in place right away to lower data breach risk fast. Contact an ID Agent solutions expert now for a personalized demo of our award-winning solutions.