Even the best technological security measures can be subverted by end users, which is why cyber criminals tend to exploit the weakest link of the security chain: humans. In fact, according to The Human Factor, a June 2017 report by Proofpoint, as many as 99% of email attacks in 2016 relied on people clicking on malicious URLs embedded in email copy rather than on automated exploits, such as malware.
One reason for this trend might be that anti-malware software is becoming more sophisticated and is increasingly able to stop malicious activity before an email is even opened. Humans are far easier to fool.
How a phishing email works
The report declared that “more than 90% of messages led users to credential phishing pages”. Using fabricated claims like “someone tried to get access to your account, please click on the link below to reset your password” or “you are entitled to a tax refund, click on the link below to redeem it”, criminals lure recipients into clicking a malicious URL, which leads them to a phishing site masquerading as a legitimate one – such as their bank’s website.
And here is where the actual scam takes place. As soon as users enter their usernames, passwords or other details, criminals get them.
Booming business email compromise
The report also noted that while business email compromise (BEC) accounted for only 1% of email scams in 2015, in 2016 the percentage increased to 42%. BEC is a particular type of phishing that targets specific employees in key roles – usually those with access to sensitive data or money. Criminals spoof the email address of a superior (or someone trusted, such as a supplier or bank employee) and send phishing emails ordering the recipients to forward sensitive data or transfer funds.
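The two tricks described above, a link whose visible text names a legitimate site while its target is elsewhere, and a sender address spoofed or made to look like a trusted one, can both be checked mechanically before a message reaches a person. The following is an added example (not code from the post or from the Proofpoint report) of a small Python triage script that runs those checks over a raw email. The organisation domain `example-corp.test`, the two sample messages and the lure phrases are all constructed for the example; the lookalike test uses a plain edit-distance comparison and the link test compares the host named in the anchor text with the host in its `href`, which is a simplification rather than a full registrable-domain comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (constructed, reserved .test TLD).
ORG_DOMAIN = "example-corp.test"

# Wording of the kind the post names as typical lures; matched case-insensitively.
LURE_PHRASES = (
    "tried to get access to your account",
    "reset your password",
    "tax refund",
    "transfer funds",
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance; used to spot near-identical lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _addr_domain(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # BEC-style spoofing: the sender domain is almost, but not quite, ours.
    from_domain = _addr_domain(msg.get("From", ""))
    if from_domain != ORG_DOMAIN and 0 < _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {from_domain}")

    # Replies silently routed to a third domain are another common BEC tell.
    reply_domain = _addr_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Link masquerading: the visible text names one host, the href goes elsewhere.
    html = "".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/html")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        if shown and href_host and href_host != shown.group(1):
            findings.append(f"link text says {shown.group(1)} but points to {href_host}")

    # The social-engineering hook itself, checked against the markup-stripped body.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    findings.extend(f"lure phrase: '{p}'" for p in LURE_PHRASES if p in plain)
    return findings


# Constructed sample: a BEC-style message with a lookalike sender, a foreign Reply-To,
# a masqueraded link and a funds-transfer lure (all hosts use reserved TLDs).
SAMPLE_BEC_EMAIL = """\
From: "Finance Director" <finance.director@example-c0rp.test>
Reply-To: payments@mail-relay-example.invalid
To: clerk@example-corp.test
Subject: Urgent: supplier payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Please transfer funds to the new supplier account before 5pm and
confirm at <a href="http://example-bank-login.invalid/secure">https://www.example-bank.test/login</a>.</p></body></html>
"""

# Constructed sample: an ordinary internal notice that should raise no findings.
SAMPLE_LEGIT_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: clerk@example-corp.test
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>The intranet will be offline on Saturday. Details at
<a href="https://intranet.example-corp.test/status">https://intranet.example-corp.test/status</a>.</p></body></html>
"""
```

Running `phishing_indicators(SAMPLE_BEC_EMAIL)` yields four findings (lookalike sender, mismatched Reply-To, masqueraded link, lure phrase) while the legitimate notice yields none. In practice a script like this sits alongside, not instead of, the mail gateway's own checks and the staff reporting channel the post recommends: its purpose is to surface the hints a busy recipient is unlikely to notice, such as the single-character domain change, which in this sample is the `0` in `example-c0rp.test`.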
Strengthen your staff awareness
Raising staff awareness about phishing scams will help protect companies from negative consequences, such as data breaches, systems being held hostage by ransomware, loss of business, money and reputation, and more. Plus, educating staff about phishing and how it works will help them in their personal lives, too, because everyone is a possible target.
Here is some advice:
- Share tips and tricks about how to spot the phishing bait through videos, interactive games and e-learning courses.
- Simulate a phishing scam to test how resistant your staff are.
- Educate staff to report suspicious emails to the security team.