Phishing attacks are becoming more convincing, common, and damaging. Although most people are aware of the threat, you only need to let your guard down for a moment to give hackers everything they need to drain your accounts or compromise your computer systems. Brokers can help their clients by educating them on the best ways to avoid phishing attacks.
The State of Phishing
In 2022, 84% of organizations experienced at least one successful phishing attack, according to Proofpoint. Most of these attacks arrived by email, but attacks by phone have become more common. Phishing works because the messages appear to come from legitimate organizations: in 2022, 30 million phishing messages spoofed Microsoft and its products, and attackers also frequently impersonated Google, Amazon, DHL, Adobe, and DocuSign.
Once hackers have accessed the information they need, they can proceed to divert funds, install malware, or steal sensitive data. According to IBM X-Force, phishing is the top infection vector, with 41% of attacks starting this way.
Phishing Attacks May Be Surprisingly Sophisticated
Whereas some phishing attacks are easy to spot, others are more convincing.
Spear phishing attacks target an individual and may include the recipient’s name and other information. McKinsey & Company says spear phishing attacks have increased seven-fold since the start of the COVID-19 pandemic.
The National Cyber Security Centre (NCSC) says attackers are putting QR codes in phishing emails because people are less suspicious of them than of shortened links, and because many security tools do not scan images. A QR code also moves the victim from the filtered corporate mailbox to a personal phone, where the link is usually opened outside the company's web filtering. Another tactic is thread hijacking, in which the attacker replies within an existing email conversation, often from a mailbox they have compromised, so that the message inherits the trust of the thread. IBM X-Force reports that the number of thread-hijacking attempts per month doubled in 2023 compared with 2022.
Emerging technology may make phishing attacks even more convincing. TechTarget warns that generative AI can make phishing attacks appear authentic by eliminating grammatical mistakes and spelling errors and adopting more professional writing styles.
Safeguarding Against Phishing
When successful, a single attack can be devastating. IBM says the global average cost of a data breach has been increasing, reaching $4.45 million in 2023. These attacks drive up cyber insurance prices and make coverage more difficult to obtain. Both insurance companies and policyholders have a vested interest in preventing attacks. Brokers can help by sharing tips and resources.
1. Share current best practices.
Organizations can strengthen their cybersecurity by training all workers, not just those involved in IT. Individuals can also reduce the chance of becoming a victim by seeking out the latest warnings and best practices.
Microsoft's guidance on spotting phishing messages lists the usual warning signs: urgent calls to action or threats, poor spelling and grammar, mismatched email domains (a display name or message that claims to be from one organization while the actual address belongs to another, or a look-alike domain that differs by a character), generic greetings such as "Dear Customer", and suspicious links or attachments. Hovering over a link to compare the real destination with the text shown is a quick check that catches many of these. IT Governance adds a simple rule: be wary of emails that claim to come from a large company but are sent from an @gmail.com address.
2. Test workers.
Organizations may send out endless warnings to employees, but it is hard to know whether the message is sinking in. For this reason, many companies run phishing simulations: harmless look-alike phishing messages that carry no malware and only record who clicked, replied, or entered credentials. Employees who fall for a simulation would likely fall for the real thing and need further training. It is equally worth measuring how many recipients report the test message, because prompt reporting is what allows the security team to contain a real attack.
3. Use email firewalls.
Many people are bombarded with phishing emails. Even if they don’t fall for these attacks, they may end up wasting their time. Plus, the high volume of emails makes it easier to miss legitimate and important emails.
Email filtering (often marketed as an email firewall or secure email gateway) inspects incoming mail and quarantines spam, known phishing campaigns, and malicious attachments before they reach the inbox. It is a good first line of defense, but not a complete one: filters catch known patterns, and the organization's own domain also needs SPF, DKIM, and DMARC records so that receiving systems can reject mail that falsely claims to come from the company. The training and reporting measures described here cover what the filters miss.
4. Flag external emails.
A phishing email may look as though a colleague sent it. Flagging external email, with a banner or a tag such as [EXTERNAL] in the subject line, makes clear that the message in fact came from outside the organization. Microsoft 365 at Work shows how to turn on the external sender warning from the Microsoft 365 admin center.
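As an added example for tips 1 and 4 above (this is not code from the article or from any of the organizations it cites), the following Python script turns the Microsoft and IT Governance red flags into checks over a raw email and prefixes the subject of any message whose sender is outside the organization. The organization domain example.com, the brand table, the keyword lists, and both sample messages are constructed for the demonstration; a real deployment would run this logic in the mail gateway and maintain much fuller lists.

```python
"""Heuristic phishing triage for a raw email. Added example for this article:
turns the red flags above into checks and adds the external-sender tag from
tip 4. ORG_DOMAIN, BRANDS and both sample messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Brands a sender may claim, with the domain that legitimately sends for them (illustrative).
BRANDS = {"microsoft": "microsoft.com", "docusign": "docusign.com", "amazon": "amazon.com"}
ROLE_WORDS = re.compile(r"\b(team|support|helpdesk|billing|security|account)\b")
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client|account holder)\b", re.I)
URGENCY = re.compile(r"urgent|immediately|within 24 hours|will be suspended|verify your account", re.I)
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def same_org(domain: str, base: str) -> bool:
    """True if domain is base itself or a subdomain of it (not a look-alike suffix)."""
    return domain == base or domain.endswith("." + base)

def mail_domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw: bytes, org_domain: str = ORG_DOMAIN) -> dict:
    """Return {'external': bool, 'subject': str, 'findings': [(code, detail), ...]}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_header = str(msg.get("From", ""))
    name, from_dom = parseaddr(from_header)[0], mail_domain(from_header)
    lname = name.lower()
    # Tip 4: tag anything whose sender is outside the organisation's domain.
    external = not same_org(from_dom, org_domain)
    subject = str(msg.get("Subject", ""))
    if external:
        subject = "[EXTERNAL] " + subject
    # Header red flags: replies diverted elsewhere, brand/domain and free-mail abuse.
    reply_dom = mail_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{reply_dom} != {from_dom}"))
    for brand, brand_dom in BRANDS.items():
        if brand in lname and not same_org(from_dom, brand_dom):
            findings.append(("brand_domain_mismatch", f"'{name}' sent from {from_dom}"))
    if from_dom in FREE_MAIL and ROLE_WORDS.search(lname):
        findings.append(("freemail_corporate_name", f"'{name}' uses {from_dom}"))
    # Body red flags: generic greeting, urgency, links whose text hides the real host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if m := GENERIC_GREETING.search(text):
        findings.append(("generic_greeting", m.group(0)))
    if m := URGENCY.search(text):
        findings.append(("urgency", m.group(0)))
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for href, shown in extractor.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown_host = HOSTNAME.search(shown.lower())
            if shown_host and real_host and shown_host.group(0) != real_host:
                findings.append(("link_mismatch", f"text shows {shown_host.group(0)}, goes to {real_host}"))
    return {"external": external, "subject": subject, "findings": findings}

# Constructed sample messages: one combining several red flags, one routine internal note.
SAMPLE_PHISH = b"\r\n".join([
    b'From: "Microsoft Account Team" <msft.support@gmail.com>',
    b"Reply-To: verify@account-review.example.net",
    b"Subject: Unusual sign-in activity",
    b"Content-Type: text/html; charset=utf-8",
    b"",
    b"<p>Dear Customer,</p><p>We detected unusual sign-in activity. Verify your account",
    b"within 24 hours or it will be suspended.</p>",
    b'<p><a href="http://login.account-review.example.net/verify">https://login.microsoftonline.com</a></p>',
])
SAMPLE_LEGIT = b"\r\n".join([
    b'From: "IT Helpdesk" <helpdesk@example.com>',
    b"Subject: Your laptop is ready",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Hi Sam, your laptop is ready for collection at reception.",
])

if __name__ == "__main__":  # prints each tagged subject with its findings
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyse(raw))
```

The constructed phishing sample trips every check: the reply address points somewhere other than the sender, the display name claims Microsoft while the mail comes from gmail.com, the greeting is generic, the wording is urgent, and the link's visible text names microsoftonline.com while its real target is a different host. The internal note raises nothing and keeps its subject unchanged. Each finding maps back to one of the warning signs in tip 1, which is the point: the signs people are told to look for are mechanical enough that a gateway can pre-flag them.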
5. Implement multifactor authentication.
Combined with strong passwords, multifactor authentication adds a further barrier against phishing and other attempts to use stolen credentials. Not all second factors are equal, however: one-time codes sent by SMS or generated by an app can be relayed in real time by a phishing site that sits between the victim and the genuine login page, whereas FIDO2 security keys and passkeys are bound to the real site's domain and cannot be replayed from a look-alike domain. Many cyber insurers require MFA as a basic condition of cover.
6. Create reporting procedures.
If an employee replies to a phishing message, clicks a link, or enters credentials, quick action can limit the damage: the password can be changed, active sessions revoked, and the message removed from other inboxes before anyone else opens it. Employees often assume no harm was done because nothing visibly happened, but the consequences of a compromise may not show for days. Employers should therefore provide a simple, blame-free way to report every incident or suspected phishing message.
In the UK, companies and individuals can also report scam emails to the NCSC by forwarding them to report@phishing.gov.uk, forward scam text messages to 7726, and report suspicious websites and phone calls through the NCSC's online reporting pages; the NCSC uses these reports to get phishing sites taken down.
7. Help your clients secure cyber insurance.
If an attack succeeds, cyber insurance can help the victim recover. First-party cover pays for the policyholder's own losses, such as cyber incident response costs and funds lost to social engineering; third-party cover responds to claims from others, such as network security and privacy liability.
Costero provides tailor-made products for both commercial and personal cyber insurance. Learn more.