The FBI has calculated that around 12 billion dollars are lost yearly to phishing scams. A company has about a 27% chance of being the target of a serious scam in the next two years and loses on average 3.8 million dollars. 30% of phishing attempts succeed, 93% of them arrive via email, and around 150 million phishing emails are sent every day.

While remote work has increased the flexibility companies and employees have to perform their tasks independent of their location, it has also increased the risk of phishing attacks as we become more permissive and rely on more cloud-based apps.

A recent publication by James Ringold, Enterprise Security Advisor at Microsoft Cybersecurity Solutions, warns that one of the biggest problems with phishing is that the techniques used continuously change. So while education remains key, it also needs to be addressed on an ongoing basis to keep employees updated on the evolving risks. Here is a list from Ringold’s publication of some recent phishing techniques employed by scammers that you should be on the lookout for:

  • Mass market phishing: When you think of phishing this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business-email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO, and then use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: Vishing is a phishing attempt using the phone. Victims are asked to call back and enter a PIN number or account number.


While phishing will continue to adapt and will probably remain a risk, there are various actions you can take to mitigate the risk:

  • Always focus on prevention and education, especially on identifying a consent phishing message. There are red flags such as poor spelling and grammar, a sender address that doesn’t fit the usual domain, or a URL that doesn’t quite look right.
  • Promote and allow access to apps you trust, and have a system in place for granting access to new apps.
  • Have back-ups and recovery steps set up in place in case of an incident.
  • Educate your organization on how the permissions and consent framework works in the Microsoft platform, and give visual cues and examples of how to detect scams.
  • Have a process in place to document incidents and responses.
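As an added example (not from this post or from Ringold’s publication), the following Python script checks a message for two of the red flags named above, a sender address outside the usual domain and a link whose visible text does not match its real target, plus a Reply-To that differs from the From address. The sample messages and the trusted domain are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own domain(s); anything else is "unusual".
TRUSTED_DOMAINS = {"example.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample (not from the page): the display name looks like IT,
# but the sender domain, Reply-To and link target all point elsewhere.
SUSPICIOUS_EMAIL = """\
From: IT Helpdesk <helpdesk@example-corp-support.com>
Reply-To: billing@mailer-example.net
Subject: Action required: re-approve app access
Content-Type: text/html

<p>Approve here: <a href="https://login.example-corp.co/consent">https://login.example.com/consent</a></p>
"""

# Constructed clean sample: internal sender, link text matches its target.
CLEAN_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Monthly security tips
Content-Type: text/html

<p>Read more: <a href="https://intranet.example.com/tips">https://intranet.example.com/tips</a></p>
"""

def is_trusted(host, trusted):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def find_red_flags(raw_email, trusted=TRUSTED_DOMAINS):
    # Returns human-readable red flags found in one email (empty list if none).
    msg = message_from_string(raw_email)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender and not is_trusted(sender.rpartition("@")[2], trusted):
        flags.append(f"sender address {sender} is outside the usual domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        flags.append(f"Reply-To {reply_to} differs from From {sender}")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            flags.append(f"link text shows {text_host} but points to {href_host}")
        elif href_host and not is_trusted(href_host, trusted):
            flags.append(f"link points to untrusted host {href_host}")
    return flags
```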


These recommendations are relevant to all industries but particularly relevant to industries that weren’t “cloud-ready” or companies that were slow to migrate to the cloud on account of corporate policy or unfamiliarity with cloud security and how on-premises architecture/tools translate to the cloud, such as medical or government entities.
If you have any questions regarding security strategies or best practices that you may implement in order to protect your company data/users from phishing attempts, do not hesitate to contact us. It would be our pleasure to serve you.

Further reading: