Despite spending billions on technology designed to combat the threat, phishing scams continue to exact a heavy toll on organizations. In fact, some say it's not a matter of if someone in your organization will receive a phishing email, but when. The most effective phishing emails play on human nature by creating some form of urgency or even panic in the recipient, starting with an email subject line that entices the user to open it. According to Symantec, emails that deliver fake invoices remain the most popular method of hooking recipients and tricking them into opening phishing emails laced with malware.

Regardless of how cybercriminals trick recipients into opening infected emails, the Verizon 2017 Data Breach Investigations Report noted that 43 percent of breaches involved phishing. Research conducted by PhishMe also found that a staggering 91 percent of cyberattacks started with phishing.

Phishing Prevention Tips

While cybercriminals continue to use seemingly legitimate emails to deliver malware and infect corporate networks, preventing phishing attacks requires a sustained, multi-pronged approach.

Invest in IT

Technology plays an important role in identifying and blocking phishing attacks. Ask your IT department for an assessment of its ability to block phishing attacks, including the types of technology they have in place and their effectiveness. If they lack the tools to inspect email traffic and strip suspicious URLs before they land in employee inboxes, for example, ask them to provide an estimate of the cost to purchase such a tool.

Educate employees on the dangers of phishing

Successful phishing attacks depend on employees opening infected emails. Educate employees on phishing schemes using real-world examples of breaches at other companies. Use every channel within your organization, including business newsletters, the intranet and email, to help employees learn how to recognize and avoid opening phishing emails.

Ask employees to limit personal data shared via social media

When employees post birthdays, home addresses, phone numbers and similar details online, they provide cybercriminals with data to develop targeted phishing schemes known as spear phishing. For example, if an employee includes their birthday in their LinkedIn profile, criminals may send them an infected email wishing them a happy birthday.

Businesses rely heavily on email. Until that changes, cybercriminals can use phishing emails to insert malicious files designed to capture sensitive data. Preventing malicious emails from landing in employee email inboxes relies on technology. However, cybercriminals always seem at least one step ahead of the latest security technology and approach. Therefore, in addition to technology, stopping phishing in its tracks requires employees to exercise caution when opening emails. Pausing just a few seconds can make the difference between an infected email facilitating a breach or ending up in an employee's deleted items folder.
