Email-based cyber-attacks on organizations are continuously escalating, and phishing awareness is central to stopping them. As we have seen recently, hospitals, transit companies, financial institutions, academic institutions, telecommunication companies, and many others have all been victims. Cybercriminals have become more advanced, sophisticated, and dynamic than ever, and they attack constantly, irrespective of geographical location or nationality. Their purpose varies from extracting valuable information, reaching personal data, stealing money, spying, disrupting or destroying, or any combination of those.
Recent examples of business email compromise (BEC)
- In the 2015 tax reporting season, more than 55 companies fell victim to a targeted and sophisticated phishing campaign. This campaign was responsible for stealing and compromising the W-2 U.S. tax records of every employee working for the affected companies in 2015.
- During August 2016, Leoni AG (cables, wiring systems, and related products) was deceived out of approximately US $44 million after it was targeted by an email scammer.
- The Democratic National Committee (DNC) fell victim to a cyberattack in which its email systems were breached during the 2016 U.S. presidential race through spear phishing emails.
- During April 2017, it was reported that Google and Facebook were conned out of $100 million in a phishing scam that involved sending emails to employees at the companies and asking them to wire money as part of a scheme in which the con man impersonated a Taiwanese electronics manufacturer.
Lack of phishing awareness facilitates cybercriminals’ work
Social engineering methods for deception (phishing) are used to lure a targeted victim into opening what appears to be a legitimate email. The origin of this email could be a hacked legitimate email account or a spoofed sender address used by the attacker to send malicious emails. The emails can contain infected files of different types disguised as something else, or a URL link to a compromised website pretending to show materials of interest to the targeted recipient.
Opening an infected attachment or visiting a malicious website could establish a direct connection to a command and control (C&C) server used by the attacker. Once this has taken place, the attacker can steal user IDs, passwords, customer records, or any other data. At a later stage, the attacker might even perform more destructive actions such as modification of critical business data, ransomware attacks, denial of service, or others.
This could have severe consequences for the victim and the organization, such as disruption of operations, reputational damage, massive financial loss, and even, potentially, termination of the business. Organizations need to be able to validate their cyber security posture more frequently, more comprehensively, and with greater responsiveness.
The FBI acts to raise phishing awareness
Government agencies worldwide have started to get more involved. For example, on Wednesday, May 30th, 2017, the United States Federal Bureau of Investigation warned the American business community by publishing a short and focused Business Beware notice in order to raise awareness about this issue.
Here are some tips that the organization’s IT and Security departments, along with all of the other employees, should consider:
- Verify that your security solutions such as Firewall, Anti-Virus, URL filtering, and system configurations are updated and robust.
- Conduct ongoing security awareness activities for all employees, including guidelines for preventive behavior and improving phishing awareness.
- Don’t ever open a suspicious email. Report it so that others are prevented from opening it, and then verify its legitimacy.
- Consider raising the security level of employees’ email accounts by adopting a two-factor authentication solution.
- Keep updated on recent phishing attack techniques and affected victims.
How to improve phishing awareness across your organization?
The Cymulate platform gives organizations the ability to test their email security and perform phishing awareness drills on their employees, thus enabling them to identify vulnerabilities in their security framework. Many organizations worldwide would have avoided recent phishing attacks if they had used Cymulate’s platform to assess their vulnerability gaps and improve employee awareness.
Test your organization’s email security and your employees’ awareness of phishing campaigns now with Cymulate’s advanced attack and phishing simulations. The assessment’s results might be troubling, or they might assure you that you have been progressing well.
So be prepared and avoid the next phishing attack!
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.
Stay cybersafe!