don't go phishing, Team Venti

The FBI has calculated that around 12 billion dollars are lost yearly to phishing scams. A company has about a 27% chance of being the target of a serious malicious email in the next two years, and loses on average 3.8 million dollars when it is.

30% of phishing attempts succeed, 93% of them arrive via email, and around 150 million phishing emails are sent every day.

Remote work has increased flexibility: companies and employees now perform their tasks regardless of location. It has also increased the risk of phishing attacks, as organizations become more permissive and rely on more cloud-based apps.

A recent publication by James Ringold, Enterprise Security Advisor at Microsoft Cybersecurity Solutions, warns that one of the biggest problems with phishing is that the techniques used continuously change. While education remains key, it needs to be ongoing, so that employees stay current on the evolving risks.

Here is a list, taken from Ringold’s publication, of recent phishing techniques employed by scammers that you should be on the lookout for:

  • Mass market phishing: When you think of phishing, this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, to conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business-email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO’s, and use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: A phishing attempt carried out by phone. Victims are asked to call back and enter a PIN or account number.


While phishing will continue to adapt and will remain a risk, there are various actions you can take to mitigate the risk:

  • Always focus on prevention and education, especially on how to identify a consent phishing message. Red flags include poor spelling and grammar, a sender address that doesn’t fit the usual domain, or a URL that doesn’t quite look right.
  • Promote and allow access to apps you trust, and have a process in place for granting access to new apps.
  • Have backup and recovery steps in place in case of an incident.
  • Educate your organization on how the permissions and consent framework works in the Microsoft platform, and give visual cues and examples of how to detect fraud.
  • Have a process in place to document incidents and responses.
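As an added illustration of the red flags named above (this is not code from the original post or from Ringold’s publication), the Python script below checks a constructed sample email for a sender outside the organization’s trusted domain, a Reply-To that differs from the From domain, and a link whose visible text names a different host than its real target. The trusted domain (example.com), the look-alike domain and the helper names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own mail domain
# Good-enough anchor matcher for the constructed sample; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if the header is absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def _host_from_text(text):
    """Treat link text as a URL/host only when it looks like one ('Click here' does not)."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "//" + text).hostname or ""

def red_flags(raw_email):
    """Return the red flags found in a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw_email)
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    flags = []
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {from_dom} is not a trusted domain")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        shown, target = _host_from_text(text), urlparse(href).hostname or ""
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    return flags

# Constructed sample: trusted From domain, but Reply-To and link target use a look-alike ("exarnple") under the reserved .invalid TLD.
SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: recover@exarnple-support.invalid
Subject: Action required
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://exarnple-support.invalid/login">https://portal.example.com/login</a></p>
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Checks like these catch the two addressing red flags the list describes, but not a well-spelled message from a legitimately compromised account, which is why the education and consent-governance steps above still matter.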


These recommendations are relevant to all industries, but particularly to those that weren’t “cloud-ready” or were slow to migrate to the cloud, whether because of corporate policy or because of unfamiliarity with cloud security and with how on-premises architecture and tools translate to the cloud, such as medical or government entities.
If you have any questions regarding security strategies, or best practices that you may implement in order to protect your company from phishing attempts, do not hesitate to contact us. It would be our pleasure to serve you.

Further reading: