Cybercriminals are lurking in employees’ inboxes, waiting to snare their next victim with a cleverly disguised email scam. They’re posing as trustworthy sources, such as executives, vendors, or government representatives, in an attempt to trick individuals into giving away confidential information or funds. This form of cyberattack – email phishing – has become one of the most common ways fraudsters target companies today.
Unfortunately, these phishing attempts have become more sophisticated in recent years and it’s not always easy to identify them. Even the most advanced email filter can’t catch them all. Focusing on education and prevention strategies is one of the best ways for companies to become more proactive in combatting this ever-evolving cybersecurity threat.
Rising tide of phishing attacks
Recent world events have made businesses more vulnerable to cyberattacks. Fraudsters use geopolitical events, financial situations, and healthcare crises to their advantage by preying on people’s insecurities and fears. For example, during the first year of the COVID-19 pandemic, 53% of cybersecurity professionals surveyed reported that their organization saw an increase in email phishing attempts as a direct result of the pandemic†. Phishing emails about vaccines, relief funds, job opportunities, or unemployment claims drive concerned recipients to unknowingly give away confidential information or download ransomware.
Business email compromise (BEC) is another rising phishing trend that relies on people’s helpfulness. Fraudsters use this type of phishing attack to impersonate an executive to con an employee into sending wire transfers to a fraudulent account. When successful, BEC attacks have a dramatic financial impact, accounting for approximately $1.8 billion in adjusted losses in 2020‡.
Fraudsters even go so far as to create fake login pages for familiar business platforms, such as Microsoft Office. These credential-stealing attacks direct email recipients to log into their account using links contained in the email. Once the victim takes the bait and enters their credentials on this fraudulent page, scammers have access to their accounts.
Employees are falling for these scams at an alarming rate, with phishing causing 90% of data breaches in 2020§. These successes have only made cybercriminals bolder in their attempts. Organizations should not only pay attention to emerging cyberthreats, but they also need to focus on educating employees about the risks.
Think before you click
The first step in helping your business avoid email phishing attempts is recognizing them, which is harder than it seems. Fraudulent emails are designed to encourage you to click a link, open an attachment, or take action. And they can be very convincing. According to Cisco’s 2021 cybersecurity report, at least one person clicked a phishing link in approximately 86% of organizations surveyed§.
Here are a few ways to help identify an email attack in disguise:
- You aren’t expecting the email or don’t recognize the sender. Never click any links or open attachments from suspicious emails.
- The hyperlink directs to a different website. Hover your mouse over a URL without clicking it to display the actual link at the bottom of your browser window. If the link is different from what you expect, don’t click it.
- The email is unexpected but includes company branding. Don’t assume emails with the correct company logo or colors are legitimate. Cybercriminals often use professional “phishing kits” to match the logo, website, and email formats of organizations.
- The email contains typos and grammatical errors. Phishing emails often contain errors in the subject line, the sender’s email address, the body text, or the URLs.
- The email demands you send personal or confidential information, such as account numbers, login credentials, or passwords. Financial institutions and government agencies will never email you to request this type of personal information.
- The email includes urgent messages or threats. Cybercriminals count on recipients to act without thinking and include wording such as, “We suspended your account due to unusual activity. Click here now to verify your name and date of birth!”
- The “sender” is an executive demanding money via wire transfer or gift card. Don’t act rashly when you see urgent emails from executives within your company.
Employees are your first line of defense
Cybercriminals are targeting your employees with phishing attempts, so make sure your company is educating employees on identifying these risks. These actions can help protect your employees against potential phishing attacks.
- Create a robust security awareness program. Preventing fraud begins with training your employees. Your cybersecurity protocols are only as strong as your weakest employee when it comes to cybersecurity know-how. Continuously train employees on the newest methods of cyberattacks and preventative measures.
- Add an external email banner. This is a banner that appears at the top of emails when the sender is from outside your organization. Using an external email banner draws attention to the fact that the message isn’t from someone within the company, which can help your employees be more vigilant to potential phishing attempts.
- Empower employees to verify vendor requests. Fraudsters watch traffic between companies to identify the vendors they use, then pose as those vendors to request changes to an existing account or to divert funds to a new account. Employees should be trained to contact vendors using other established communication channels to verify any unexpected or suspicious request.
- Put a reporting process in place. Develop a process for employees to report suspicious emails to your cybersecurity team. Remind employees that reporting these emails can help to protect them, their fellow colleagues, and the entire organization from fraud.
- Consider cyber liability insurance. No matter how many precautions you take, fraud can still happen. BEC and email phishing are the most expensive types of cyberattacks, with the global average cost of a data breach soaring to $4.24 million in 2021¶. A cyber insurance policy may provide financial protection from cyberattack threats, as well as help with response-related expenses when information is compromised due to a data breach or network intrusion.
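As an added example (not code from the original article or from Huntington), the following Python script applies several of the indicators from the “Think before you click” list and the external email banner described above to a constructed message: it flags a sender from outside the organization as a banner would, looks for the urgency and credential-request wording the list describes, and compares each link’s visible text with its real destination, as hovering the mouse would. The internal domain, the keyword lists, and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"  # assumed: the organisation's own mail domain
URGENCY = ("suspended", "click here now", "immediately", "within 24 hours")
CONFIDENTIAL = ("password", "login credentials", "account number", "date of birth")
# Anchor extraction by regex is enough for a demonstration; a production filter should use an HTML parser
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def shown_host(text):
    """Hostname a reader would take from the visible link text, or None if it is just a phrase."""
    text = re.sub(r"<[^>]+>", "", text).strip()  # drop any inline tags inside the anchor
    if not URL_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "//" + text).hostname


def check_email(raw):
    """Return the phishing indicators found in a single-part text/html message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    findings = []
    if not sender.endswith("@" + INTERNAL_DOMAIN):  # the condition an external email banner flags
        findings.append(f"external sender: {sender}")
    for label, words in (("urgency wording", URGENCY), ("asks for confidential data", CONFIDENTIAL)):
        if hits := [w for w in words if w in body.lower()]:
            findings.append(f"{label}: {hits}")
    for href, text in ANCHOR.findall(body):
        shown, actual = shown_host(text), urlparse(href).hostname
        if shown and shown != actual:  # what hovering over the link would reveal
            findings.append(f"link shows {shown} but points to {actual}")
    return findings


# Constructed sample (not a real phishing email) showing several of the indicators above
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example-mail.test>
Subject: Action required
Content-Type: text/html

<p>We suspended your account due to unusual activity. Click here now to verify your password:
<a href="http://example-corp.com.login-portal.test/">https://login.example-corp.com/</a></p>
"""
```

Running `check_email(SAMPLE)` returns one finding per indicator present, so a message that trips none of them (an internal sender, no urgency or credential wording, links whose text matches their destination) returns an empty list.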
Safeguard your business from phishing attacks
Savvy employees, awareness training, updated protocols, and cybersecurity know-how can go a long way in preventing costly data breaches from phishing attempts. Contact your Huntington relationship manager to discuss the cybersecurity best practices and Huntington products that can help you reduce your cybersecurity and fraud risks.