By SecureWorld News Team
Tue | May 23, 2017 | 6:43 PM PDT

Ninety-one percent of cyber attacks start with a phishing email, according to a study from PhishMe. And what begins as a simple phishing attack can turn into a full-blown ransomware epidemic, quite literally costing your company millions.

Recent studies have shown that 55% of victims who fall for a phishing scam do so within 60 minutes of the email being sent.

So what are the emails that are actually getting through to your company? Security experts provided actionable insights during a recent SecureWorld web conference (available on-demand here).

Phishing tactics have evolved from obscure emails with poorly worded English and shoddy design to highly sophisticated messages, often containing personalized information.

When a phishing scam is relevant to you personally, especially if it's in a timely manner—such as an IRS email during tax season—you're much more likely to click the link.

John Kveragas, Jr., VP of Internal Audit at Zenbanx, explains how attackers will often use LinkedIn to gather personal information about you or your company, or try to connect with you beforehand to establish a level of trust.

“If you don’t know someone on social media, don’t connect with them,” Kveragas advises.

And this isn't something that just the security team should be aware of and put into practice. When it comes to phishing emails, employees are your organization's best line of defense.

After all, the very nature of these attacks plays into the human psyche of wanting to receive something or avoiding conflict.

This is why 18% of the most common email subject lines used in phishing scams are about "free pizza," and 23% are account login alerts (because you either recently logged in to the site, or think you've already been hacked).

"Things are just not getting better," says Michael Osterman, Principal of Osterman Research. "Part of the problem is that cyber criminals are getting better," he adds.

A recent survey from Osterman Research shows that only 17% of organizations did not experience some kind of an infection or breach.

His numbers show a downward trend in our ability to properly protect ourselves. The open rate of phishing emails increased to 30% from last year's mark of 23%.

Osterman's research also shows that users aren't being properly trained. Fifty-two percent of organizations don't use the "human firewall" approach, 51% of organizations don't use the "monthly security video" approach, and 41% don't conduct phishing testing on their employees.

“The best technology in the world isn’t going to stop every problem, just like the best security isn’t going to stop every threat,” says Erich Kron, Security Awareness Advocate at KnowBe4.

So what can we do to prevent phishing attacks in our organizations?

Part of what makes phishing so hard to combat is the human element in the threat vector. So make sure there is a human element in your attack prevention program as well.

Don't shame users if they mess up; instead, determine the root cause of the problem. It's a very different scenario if an employee doesn't understand versus simply doesn't care.

After all, good security awareness training results in 42% higher ratings for security effectiveness, according to Osterman Research!
