When it comes to finding security holes in a company's information system, cyber criminals use the path of least resistance that leads to the biggest reward – the employee. According to Verizon’s 2020 Data Breach Investigations Report, which analyzes security incidents that occurred in the previous year, phishing was the most common tactic used that caused data breaches.
In this article we cover:
How phishing emails are impacted by the coronavirus pandemic
How to reduce phishing attacks
A common phishing scenario is to bait an employee into clicking on a malicious link in a seemingly safe email. Unfortunately, because so many untrained employees automatically trust links as safe, sending phishing emails to just 10 employees will get hackers inside corporate defenses 90 percent of the time, according to an earlier Verizon DBIR.
In fact, users take the bait quickly, with 11% of victims clicking in the first minute and increasing to more than 50% within an hour, according to one security report. Time is not on your side when it comes to detecting and reacting to phishing events.
So clearly, for all the sophisticated security technology that companies utilize to protect themselves and their data from hackers and other threats, the biggest threat to organizational security remains the people.
Unfortunately, things have only gotten worse during the novel coronavirus pandemic. According to a report on phishing by Google, phishing sites detected by Google are up 350% since the beginning of 2020.
Naturally, we’re big advocates of security awareness training and think it’s a necessity for anyone who handles sensitive digital information or uses information systems. But as you consider your next steps, here are 7 straightforward tips for your staff to adopt today to reduce the success phishing attacks.
Check the Sender’s Email Address
Whenever you receive an email, always check the sender’s address. Confirm it is from someone you know and trust. But be wary, phishers can fake (spoof) the displayed “From Address” to make it look like a trusted source, when it is not.
Don’t Click on Links in Messages
The safest course of action – don’t click on links in emails, in phone text messages or in social media. The web site you are taken to may be malicious. If you must click, carefully examine the destination before clicking. On a computer, hover over the link to see the real destination. Alternately, use a bookmark in your browser, or use a search engine to find the destination.
Never Enter Financial, Authentication or Personal Information
Many phishing emails direct you to web pages that ask for your financial or personal information, or your account login credentials. A good practice is never type in any sensitive information into a web page accessed by a link in a message sent to you.
Protection through Software
Run anti-malware software to protect against phishing attacks. In addition, keep important software (e.g. operating systems, mobile devices, browsers, office productivity suites) updated to protect against vulnerabilities.
Access Sensitive Accounts Over HTTPS or VPN
Make it a habit to always check that the addresses of websites start with an https://, ensuring your information is protected when transferred between your browser and the web site. Whenever possible, use your organization’s Virtual Private Network (VPN) when transferring sensitive business information, it is even more secure than HTTPS.
Never Open or Download Files from Unreliable Sources
Be suspicious of attachments to emails sent from unknown sources, they are often malicious. If unexpected, even if you trust the sender, confirm directly they sent you the file. If downloading from the web, always go to a known and trusted authority. Furthermore, always scan all files with anti-malware software before opening.
Conduct Regular Phishing Training
Finally, the best defense against phishing is to train your employees to recognize and avoid phishing attacks by conducting regular phishing simulations. Phishing simulators are powerful tools as they enable you to create and schedule phishing campaigns, track employee behavior, and automatically give at risk employees targeted training.