Your Company Could Be Contributing to Phishing Risk Without Knowing It
Phishing can be tied to just about every kind of cyberattack from ransomware to credential theft to fileless attacks.
Most of these attacks need to be launched in some way by a user. For example, the attacker can send a malicious file filled with ransomware to you through email. But if that message sits there or gets deleted without the attachment being opened, the malware won’t be launched. It’s rendered inert.
This is why hackers and large state-sponsored criminal groups will use elaborate phishing hoaxes to trick users into opening malicious file attachments or clicking on dangerous links. They need their participation for the attack to be successful.
Not only is phishing a growing threat, but organizations are also doing worse at combatting it. For example, in 2020, 57% of companies indicated experiencing a successful email-based phishing attack. In 2021, that number increased to 83%.
There are a number of reasons for this troubling statistic. One is that phishing attackers are deploying ever more sophisticated tactics that personalize emails, making it more likely that users will fall for them.
Another reason is that businesses will often do things that exasperate the phishing issue, actually putting their company at higher risk.
Here are some of the common mistakes companies make that increase their risk of falling victim to a phishing attack.
Forwarding Emails to Assistants & Other Employees
When an employee receives an email from their boss, even a forwarded email, it takes on a much higher importance level. The employee feels they need to take action on this item right away, or they could get into trouble for not being responsive.
Upper-level managers and executives get phishing emails, just like everyone else. But they may feel they’re too busy to figure out what the email is about or if it’s legitimate, so they’ll forward that email to an assistant or another employee they manage.
This makes the employee much more likely to fall for that phishing email for several reasons:
- They see the forward as a directive to take care of whatever the email is about
- They think the email is legitimate, otherwise, it would not have been forwarded to them
- They feel an increased sense of urgency to handle the email because it came from their boss
No matter what the position, you should not forward suspicious emails to another person in your company without any explanation. It’s best to work with a trusted IT provider, like AhelioTech. We can review any questionable messages and let you know if they’re dangerous.
Leaving Important Details Out of Your Training
Most companies will hit on many important items when it comes to phishing detection, such as telling users to hover over links before clicking them and not trust emails that are unexpected.
But they often only give users half of the knowledge they need to be fully prepared to detect phishing when they see it via email, text, or social media.
For example, the top keywords used in phishing emails and the most common subject lines are critical training subjects to fully prepare your staff.
Top 5 keywords used in phishing email subject lines:
- Urgent
- Request
- Important
- Payment
- Attention
5 common subject lines used in phishing are:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Amazon: Action Required | Your Amazon Prime Membership Has Been Declined
- Google Pay: Payment sent
- RingCentral is Coming!
Overloading Employees With Too Much Work
When people have less time, they make mistakes. So, if you are assigning too much work and overloading employees with tasks up against an impossible deadline, they’re not going to take time to review a questionable email as they should. They will see that as a lower priority to all their other work.
This can leave your network at a higher risk because more employees will accidentally click a malicious link or open a dangerous attachment because they didn’t have time to look over the email thoroughly.
Build a culture of IT security and make security a priority. Emphasize this when assigning tasks and invite a two-way dialog so employees feel comfortable admitting when they’re overloaded, without fear they’ll be seen as “troublemakers” or not giving their all.
Ignoring Phishing via SMS
While email is still largely used in phishing attacks, phishing via text message (Smishing) is quickly catching up in popularity. In 2020, smishing attacks rose 328%.
It’s important to address phishing via text message in your employee security awareness training. Many users will not yet be on the lookout for smishing. It can also be harder to detect because SMS typically uses shortened URLs, which obscure the true destination.
Schedule a Phishing & IT Security Audit Today
How well prepared is your company to fight off phishing attacks? AhelioTech can do a phishing and IT security audit for your Columbus area business to let you know where you stand.
Contact us today to learn more. Call 614-333-0000 or reach out online.