The cost of a phishing attack is high. In 2015, the average 10,000-employee company spent $3.7 million dealing with phishing attacks, according to a study by the Ponemon Institute. For smaller companies, damages can run into the tens of thousands. About half of the cost to companies was due to productivity losses.
The frequency and sophistication of phishing attacks increased significantly in 2017, and the trend is expected to continue in 2018. While low-level, temporary, or untrained employees most often fall victim to these attacks, even highly skilled Information Technology and Security personnel can be victimized by carefully crafted emails.
How do you improve your security posture if annual training isn’t enough?
Don’t misunderstand this point. Training is necessary and even required in some industries, but it’s not a panacea. Remember the multi-faceted approach mentioned earlier? Training is part of that approach. Training programs do help prevent phishing attacks (by 64 percent on average), but training alone is not a silver bullet. Simulated phishing attacks should be part of employee training: they are an effective complementary training tool that costs far less than an actual successful phishing attack and does no real harm. TRUE’s Email Phishing Social Engineering Assessments are a useful way to test the effectiveness of your Security Awareness Training Program, provide real-world examples to illustrate the risks of falling prey to social engineering attempts, and enhance the training experience by making it more relatable to employees.
Wait a second, what exactly is email phishing?
Email phishing is the practice of sending email messages that look as if they are from reputable companies or legitimate contacts to entice individuals to reveal passwords, account information, credit card details, or high-value personal or corporate information. These email messages use a sense of urgency or threats to coerce the recipient into: clicking a link that connects him or her to a legitimate-looking login page that collects usernames and passwords, opening a malicious attachment that infects the computer with malware, or responding directly to the sender with sensitive information. More sophisticated attacks may request credit card or financial account information, Social Security numbers, or other confidential information from the target.
Beyond phishing tests, what are other effective phishing prevention strategies I should consider?
True recommends considering the following effective strategies:
- Adding a header to all emails coming from outside the organization
- Email sandboxing
- Real-time network intrusion detection
- Performing regular organizational penetration testing
- Adjusting your junk mail threshold to filter out more unwanted messages
- Implementing multi-factor authentication for legitimate sites and services
Adding a header to all emails coming from outside the organization is probably the easiest and lowest-cost phishing prevention control. The idea is to help employees identify emails that originate outside the organization. This is useful, for example, when a phishing attack uses a fake email domain that closely resembles the internal email domain. For example, if your email address is firstname.lastname@example.com, a phisher might register the lookalike domain examp1e.com and send phishing emails from firstname.lastname@examp1e.com. Well-intentioned users might not notice the number ‘1’ replacing the letter ‘l’ and believe the email came from within the organization. Adding an external-email header helps users spot these fake domains. We have seen companies inject “[EXT]” at the beginning of the email subject line, while other companies inject text at the top of the email body saying, “Warning, this email comes from an external domain. Please do not open attachments or click on links from an unknown origin.” This text is often shown in red to make it extra visible.
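As an added illustration of the external-mail tagging control described above (example code, not TRUE's own tooling), the following Python tags any message whose From: domain is not the organization's, prepends the warning banner to a plain-text body, and additionally flags digit-for-letter lookalike domains such as examp1e.com; the internal domain example.com, the homoglyph table and the sample message are assumptions.

```python
import textwrap
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
EXT_TAG = "[EXT]"
BANNER = ("Warning, this email comes from an external domain. Please do not open "
          "attachments or click on links from an unknown origin.")
# Digit-for-letter swaps commonly seen in lookalike domains (examp1e.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def sender_domain(msg):
    """Lower-cased domain of the From: header; '' when absent or malformed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_external(domain):
    return domain != INTERNAL_DOMAIN  # '' (missing/unparsable sender) counts as external

def looks_like_internal(domain):
    """True for an external domain that equals ours once homoglyphs are mapped back."""
    return is_external(domain) and domain.translate(HOMOGLYPHS) == INTERNAL_DOMAIN

def tag_external(raw):
    """Parse a raw RFC 5322 message; return (message, tagged) with [EXT] applied."""
    msg = message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    if not is_external(domain):
        return msg, False
    subject = msg.get("Subject", "")
    if not subject.startswith(EXT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXT_TAG} {subject}"
    # Only a single-part text/plain body gets the banner; multipart keeps just the tag.
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        note = BANNER
        if looks_like_internal(domain):
            note += f" The sender domain {domain} imitates {INTERNAL_DOMAIN}."
        msg.set_content(textwrap.fill(note, width=72) + "\n\n" + msg.get_content())
    return msg, True  # hand msg.as_string() back to the MTA/milter

# Constructed sample: a lookalike-domain phish aimed at an internal user.
SAMPLE = """From: IT Helpdesk <helpdesk@examp1e.com>
To: firstname.lastname@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Log in now to keep your account.
"""
```

Running `tag_external(SAMPLE)[0].as_string()` shows the rewritten subject and banner; in production this logic would sit in a milter or transport rule at the mail gateway rather than in the client.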
Email sandboxing involves implementing technology that checks the safety of an emailed link when a user clicks on it. This technology prevents users from clicking on links that take them to lookalike sites that collect usernames and passwords and also prevents users from landing on sites that deliver malware through browsers.
Real-time network intrusion detection can help identify the attack as it occurs, limiting the corresponding damage. Specialized network devices monitor for malicious executables or malicious traffic patterns that can indicate a phishing exploit. TRUE offers a Managed Network Security Monitoring Service where seasoned security analysts do all the heavy lifting and watch your network 24x7x365 to detect signs of compromise. Learn more about our Managed Network Security Monitoring Service.
Adjusting your junk mail (spam) filter on your email server will enable you to reduce the number of malicious messages that ever land in user mailboxes. Although common email clients such as Outlook do some junk mail filtering, administrators can tweak filter settings at the server so that users are never aware of the messages targeting them.
Enabling multi-factor authentication for your legitimate services and sites will help prevent credential-theft phishing from being effective. Most phishing attacks target the user’s password alone. Without the second authentication factor, the attacker will not be able to use the stolen credentials. Additionally, if a user lands on a fake site that does not prompt for the second factor, the missing prompt may alert the user that the site is fake.
Successful phishing attacks are expensive to experience and to mitigate. A bit of prevention is a prudent approach to protecting your company and your employees. To mitigate the risk of phishing attacks, TRUE recommends a multi-faceted approach that includes technical controls, phishing tests, and thorough employee training.
If you have questions specific to your organization’s phishing challenges, please feel free to contact True.
Ponemon Institute. (2015, August). The Cost of Phishing & Value of Employee Training [Blog post]. Retrieved from https://www.wombatsecurity.com/cost-of-phishing.