Some of the most devastating cyberattacks in history, including incidents like the Colonial Pipeline ransomware disaster, started with a humble phishing email. Phishing is the type of cyberattack employees see the most by far. Phishing is an easy way for bad actors to obtain passwords, user data and other credentials, enabling them to undertake other cybercrime operations like business email compromise or deploy ransomware. Cybercriminals also love phishing because it has a low barrier to entry, it’s cheap and it’s effective. They don’t even need special skills to undertake a phishing operation – plug-and-play phishing kits and Phishing-as-a-Service operations make it a breeze for anyone. An estimated 75% of organizations in the United States were hit by a phishing attack that resulted in a data breach in 2020.
Phishing is the #1 Threat to a Company’s Data and It’s Budget
Phishing is not only the most dangerous security risk that employees encounter daily, it also costs businesses a fortune every year. The 2021 Ponemon Cost of Phishing Study laid out the damage, with researchers reporting a colossal increase in the cost of a phishing attack for businesses. The same researchers also reported that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing – and it’s easy to see why when you know the facts about phishing.
Facts About Phishing That You Need to See
- 95% of attacks on business networks are the result of successful spear phishing.
- 80% of IT professionals saw a substantial increase in phishing attacks in 2021.
- 1 in 3 employees are likely to click the links in phishing emails.
- 41% of employees failed to notice a phishing message because they were tired.
- 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.
- An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email.
- Phishing remains the top data breach threat for the third year in a row.
- The cost of phishing attacks has almost quadrupled over the past six years.
- 80% of reported security incidents are phishing-related.
Employees Can Spot and Stop Phishing Messages if They Know What to Look For
Phishing can be tricky to spot, even for seasoned professionals. As phishing messages grow more sophisticated, it’s a real challenge for the average employee to determine if a message is legitimate or phishing, and many companies don’t have the support in place to minimize the risk of an employee making a mistake. An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email. Arm employees with the facts about phishing messages and what they look like including these red flags that could indicate an email is actually a phishing attempt.
Is the subject line accurate? Subject lines that feature oddities like “Warning”, “Your funds has” or “Message is for a trusted” should set off alarm bells. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected elements like emojis or other things that make it stand out from emails you regularly receive from the sender, it’s probably phishing.
If the greeting seems strange, be suspicious. Is the greeting in a different style than you usually see from this sender? Is it generic when it is usually personalized, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate.
Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. For example, If the message says it is from [email protected] instead of [email protected], you should be wary.
Word Choices, Spelling & Grammar
This is a hallmark test for a phishing message and the easiest way to uncover an attack. If the message contains a bunch of spelling and usage errors, it’s definitely suspicious. Check for grammatical errors, data that doesn’t make sense, strange word choices and problems with capitalization or punctuation. We all make the occasional spelling error, but a message riddled with them is probably phishing.
Does this look like other messages you’ve received from this sender? Fraudulent messages may have small variations in style from the purported sender’s usual email style. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. They’re common indicators of phishing.
Using malicious links to capture credentials or send victims to a web page that can be used to steal their personally identifiable information (PII) or financial information is a classic phishing scam. Hovering your mouse or finger over a link will usually enable you to see the path. If the link doesn’t look like it is going to a legitimate page, don’t click on it. If you have interacted with it, definitely don’t provide any information on the page that you’re directed to because it’s almost certainly phishing and could infect systems with malware like ransomware.
Never open or download an unexpected attachment, even if it looks like a normal Microsoft 365 (formerly Office) file. Almost 50% of malicious email attachments that were sent out in 2020 were Microsoft Office files. The most popular formats are the ones that employees regularly exchange every day — Word, PowerPoint and Excel — accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, account for about 37% of malicious transmissions.
Is this someone or a company that you’ve dealt with before? Does the message claim to be from an important executive, politician or celebrity? A bank manager or tax agent you’ve never heard of? Be cautious about interacting with messages that seem too good to be true. Messages from government agencies should also be handled with care. Phishing practitioners love using fake government messages. In the United States, the federal government will never ask you for PII, payment card numbers or financial data through an email message out of the blue – that’s phishing.