Fight the Phish! this Cybersecurity Awareness Month

According to the Verizon Data Breach Investigations Report, 80% of all reported cyberattacks in 2019 were caused by phishing, and since the start of the pandemic in 2020 phishing attacks and related scams have thrived. In 2020, 74% of US companies experienced a successful phishing attack.

Phishing attacks usually use emails and/or malicious sites to obtain sensitive data, for example login credentials, or to infect devices with malware and viruses. A lure is used to make the recipient take action, for instance clicking on a link in an email or opening a malicious attachment. Attackers usually spoof email addresses, sender names, telephone numbers, and site URLs to fool people into thinking they are dealing with a well-known and trustworthy source.

The Ponemon Institute/Proofpoint 2021 Cost of Phishing Study indicates that the cost of phishing attacks has increased fourfold in the last 6 years, with large U.S. companies now losing $14.83 million a year on average to phishing. An average-sized U.S. firm with 9,567 employees loses approximately 63,343 hours annually to phishing attacks, a cost equal to about $1,500 per worker.

Phishing is where the most expensive cyberattacks begin. In 2020, over $1.8 billion was lost to fraud associated with Business Email Compromise (BEC) attacks. On average, a BEC attack costs $5.97 million today. Phishing is also frequently where ransomware attacks begin, and mitigation costs can reach millions of dollars. The average cost of resolving an attack is $996,000.

Cybercriminals most commonly use phishing to gain access to email accounts, networks, and sensitive information. Nevertheless, phishing attacks can be averted if the right technology is used and users receive the required training.

Companies must have spam filtering solutions or email security gateways in place for all email accounts. With this technical measure, most phishing emails won’t reach inboxes. Antivirus software and firewalls must be used to protect all endpoints, such as tablets, computers, smartphones, and Internet of Things devices. These products must be updated routinely, preferably automatically.

All accounts that require a password to sign in must have multi-factor authentication. When a password is stolen in a phishing attack, the attacker won’t be able to access the account if multi-factor authentication is enabled. Microsoft stated in a 2019 article that multi-factor authentication stops over 99.9% of account compromise attacks.

In a company, employees are the last barrier against attacks, so it is important that they receive security awareness training. Employees must be trained on cybersecurity practices to eliminate risky behaviour, and on how to recognize and avoid phishing attacks.

Employees must know the warning signs of a phishing email: calls to open attachments or click hyperlinks, unusual wording and formatting, spelling and grammatical mistakes, threats of adverse consequences if quick action is not taken, and offers that are too good to be true. When red flags are recognized, it is important to check the source of the text or email message and to have the sender confirm the authenticity of the request through a separate channel. Employees must be trained to stop and think carefully before acting on a request in a text or email message, and never to reply, open attachments, or click hyperlinks when the sender or the request is doubtful.
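As an added illustration (not part of the original article), the checker below applies several of these red flags to a raw email: a display name that claims a different domain than the sender address, a Reply-To that redirects to another domain, link text that shows one host while the href points to another, and urgency or call-to-action phrases. The sample message, its domains and the phrase lists are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Red flags the text lists: urgency/threats, calls to click or open attachments,
# spoofed sender names, and links that do not go where they claim to.
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspend(ed)?|verify your account|act now)\b", re.I)
CALL_TO_ACTION = re.compile(r"\b(click (the|this) link|open the attach(ed|ment))\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
DOMAIN_LIKE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)

def domain(addr: str) -> str:
    # Domain part of an e-mail address, lower-cased ('' if there is none).
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw: str) -> list[str]:
    # Return human-readable red flags found in a raw single-part message.
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Display name claims one domain while the real address belongs to another.
    claimed = DOMAIN_LIKE.search(from_name)
    if claimed and claimed.group(0).lower() != domain(from_addr):
        flags.append(f"display name claims {claimed.group(0)} but address is {from_addr}")
    # Replies are silently redirected to a different domain.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        flags.append(f"Reply-To domain {domain(reply_addr)} differs from From domain {domain(from_addr)}")
    body = msg.get_payload()
    # Visible link text shows one host but the href points somewhere else.
    for href, text in ANCHOR.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_LIKE.search(text)
        if shown and shown.group(0).lower() != target:
            flags.append(f"link text shows {shown.group(0)} but points to {target}")
    if URGENCY.search(body):
        flags.append("urgency or threat language")
    if CALL_TO_ACTION.search(body):
        flags.append("call to click a link or open an attachment")
    return flags

# Constructed sample (made-up domains, not a real message): a lure posing as a payroll portal.
PHISH = """\
From: "payroll.example.com Support" <alerts@mail-notify.example.net>
Reply-To: collect@drop.example.org

Your account will be suspended within 24 hours unless you verify your account.
Please click this link: <a href="http://login.example.net/verify">https://payroll.example.com/login</a>
"""
```

Such heuristics are a training aid and a coarse first filter, not a substitute for a mail security gateway; `red_flags(PHISH)` reports all five indicators for the constructed sample.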

According to Verizon, in 2012, the click rates of phishing emails were approximately 25%. In 2019, the click rates were only about 3% because of a better understanding of phishing and more comprehensive training of end-users.

Considering the magnitude of the phishing threat, one security awareness training session per year is not enough. Though yearly training may satisfy the HIPAA minimum requirement for compliance, it isn’t enough to reduce the chance of a successful attack to an acceptable level. Workforce security awareness training must be a continuous process, with regular training throughout the year along with phishing simulation exercises for employees. Through training and phishing simulations, the chance of a successful phishing attack can be significantly reduced.

This Cybersecurity Awareness Month, CISA has created a tip sheet to help people fight the phish.