Phishing attacks have brought us a long way from the more basic and obvious but just as serious threats like the ‘Nigerian Prince’ scam. While this particular ploy was amazingly able to garner more than $700,000 in reported profits in 2019, there are more dangerous and extremely convincing scammers invading your clients’ inboxes today. Unfortunately, most people don’t seem to be getting any smarter at identifying phishing attempts, with almost one-third of data breaches in 2018 originating from a phishing email.
MSPs know the threat is real, and so do your customers, but why do so many people continue to fall for these scams? A lot of it comes down to education and training. Those who buy into these programs, pay close attention to the details and adopt the best practices are typically much more successful at spotting and reporting suspicious messages to the IT professionals who can neutralize the threat.
It’s not always easy to get your clients’ employees to understand their role in stopping these attacks. What’s in it for them? Many companies don’t empower their employees and make them responsible for monitoring potential phishing schemes or don’t penalize them when things go wrong. Incentives can help change those behaviors but compliance must start from the top, with the owners or C-level executives adopting best practices and leading by example in their own actions.
The first step is ensuring everyone understands the threats associated with email messages. Here are five things your clients need to know about phishing to minimize their risk profile.
1. Today’s phishing attacks are advanced
The first thing your clients need to know is that scammers use social engineering to craft these messages. Savvy cybercriminals are imitating known brands such as Amazon and Paypal, as well as business partners and coworkers. The more legitimate-looking and sounding the message, the more likely it is that recipients will open an attached file or click on a link in the text. What’s the moral of the story? Question everything, especially when the sender requests money transfers or login credentials.
2. Cybercriminals use many methods and designs
While employees may face many types of phishing attacks in their personal email systems, organizations are most often targeted with spear phishing, whaling, and business email compromise (BEC). Let’s take a deeper look at the most common methodologies.
- A Spear Phishing attack sends a message from a known or trusted sender to an individual. Cybercriminals may research their target for some time and wait to catch them off-guard. For example, an incoming message may mention a recent conference the victim attended and encourage them to click on a link to complete a survey or claim a prize.
- Whaling goes straight for executives to get them to divulge sensitive information or data. Cybercriminals often go for the ‘biggest fish’ to reap big rewards as quickly as possible, ensuring they can gain access to high-level data, preferably proprietary and financial information.
- Business Email Compromise switches it up by impersonating executives, especially those in finance or others with the ability to make large wire transfers. BEC first gains access to an execs email either by spear-phishing or through an existing vulnerability, and once in the system, they monitor the victims’ mannerisms to imitate writing patterns and contacts. The goal is to uncover the various roles and responsibilities in the organization and identify new targets they can attempt to dupe into providing key information or transferring money to different accounts.
3. Phishers don’t discriminate by business size
Like many other cybersecurity issues, many SMB’s don’t see themselves as worthwhile hacking victims. However, this assumption couldn’t be more wrong — scammers understand that the decision-makers in small organizations often think they’re immune and won’t likely have top-notch security and training, which makes them the perfect target. According to Verizon’s Data Breach Investigation Report, 43% of all data breaches are in the SMB community.
4. One training session isn’t enough
Phishing is not going away anytime soon, and scammers are constantly coming up with new ways to trick users. With that in mind, your clients must go through constant training to improve employee awareness and the company’s overall defensive game. That’s a must-have process for any organization today with the quickly changing threat environment. Workers also may not remember their lessons without regular usage and periodic testing of the various methods.
5. Recognizing a phishing email doesn’t have to be difficult
While scammers are becoming more adept at social engineering, there are still some tell-tale signs that every end-user should be able to spot. The first point of focus should always be the email address. For example, a phishing message may have a very familiar-looking address, but with closer inspection, recipients might note an extra or missing letter or a different URL. Spelling errors are another sign of a potential threat. While phishers seem to be spending more time fixing those obvious mistakes these days, many of the budget-conscious criminals from areas of the world where English is not the primary language continue to struggle. Finally, ensure your clients’ employees pay extra attention to messages in which money is involved. Is the boss asking for cash to be transferred to a different account? A process to double-check those requests should be mandatory (and require a second sign off person when possible).
Opportunity for MSPs
As an MSP, your preferred outcome would likely be to offer every client the solutions needed to neutralize potential phishing threats completely. While email security applications can help catch common threats, there is no way to completely ‘people-proof’ any system. Cybercriminals understand users are the weak link and change tactics regularly to exploit human vulnerabilities.
People tend to take short-cuts when busy, and phishers take advantage of the timing to ensure their messages ‘slip through the cracks.’ With continual education, security monitoring, and effective email protection, your team can help turn the tide on cybercrime while boosting the firm’s recurring revenue streams.