Preparing for Evolving Phishing Scams

Phishing scams continue to top the list of cybercrimes. Unfortunately, it’s likely 2022 will continue this trend as these types of social engineering attacks become more sophisticated. The statistics are alarming. Phishing attacks account for more than 80% of reported security incidents. In fact, 74% of organizations in the U.S. have experienced a successful phishing attack. Companies need to remain vigilant and proactive by having a defense plan in place.

In the next year, phishing will continue to be cybercriminals’ preferred method of attack. It is also a common first step in attacks that go on to compromise infrastructure, since a single harvested credential or malware download gives the attacker a foothold inside the network. Organizations will need to budget accordingly and anticipate spending more on preventative measures than they did in 2021.

Phishing Gets Creative

Here are some of the techniques companies should be on the lookout for as cybercriminals grow more cunning. Spoofed emails will become harder to distinguish from authentic ones. Subject lines are chosen to alarm the reader, such as “Changes to your health benefits” or “Unusual login detected.” Other popular lures revolve around declined memberships, fake calls to action regarding subscriptions, and billing and payment alerts.

Additionally, cybercriminals are getting savvier with their use of deceptive links: a link’s visible text may show a familiar address while the underlying URL sends the user to a malicious site. Social engineering will also push phishing to a new level. Tactics using artificial intelligence, such as cloning someone’s voice to persuade a target to reveal sensitive information, will become more commonplace.
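To make the deceptive-link point concrete, here is an added example (not code from the article or from any product it mentions) that pulls every anchor out of an HTML mail body and flags the common tricks: link text that displays one URL while the href points elsewhere, raw IP hosts, punycode hosts used for homoglyph domains, and registrable domains that collapse to a trusted domain once digit/letter look-alikes are normalized. The trusted-domain allow-list and the sample HTML are constructed for the example, and the two-label "registrable domain" logic is a simplification of what a public-suffix-list lookup would do.

```python
"""Flag deceptive links in an HTML email body.

Added example; not from the original article or from Graphus.  Heuristics:
  1. anchor text looks like a URL but the href points to a different domain
  2. href host is a raw IP address
  3. href host contains a punycode (xn--) label, a common homoglyph trick
  4. href domain is a confusable of a trusted domain after normalising
     digit/letter look-alikes (0->o, 1->l, ...) and rn->m
The allow-list and SAMPLE_HTML below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example.com"}  # assumed allow-list

# Constructed sample email body.
SAMPLE_HTML = """
<p>Unusual login detected. <a href="https://login.examp1e-bank.com/verify">Review activity</a></p>
<p>Or visit <a href="http://198.51.100.7/secure">https://www.example-bank.com/secure</a></p>
<p>Help: <a href="https://xn--exmple-cua.com/help">support</a></p>
<p>Legit: <a href="https://www.example.com/news">company news</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable(host):
    # Naive last-two-labels approximation; use the public suffix list in production.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def skeleton(host):
    """Collapse look-alike characters so 'examp1e-bank.com' == 'example-bank.com'."""
    return registrable(host).translate(_CONFUSABLES).replace("rn", "m")


def classify_link(href, text):
    reasons = []
    host = host_of(href)
    if not host:
        return reasons
    if re.match(r"^(https?://|www\.)", text, re.I):
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and registrable(shown) != registrable(host):
            reasons.append("display-url mismatch")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP host")
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}
    if registrable(host) not in TRUSTED_DOMAINS and skeleton(host) in trusted_skeletons:
        reasons.append("lookalike of trusted domain")
    return reasons


def scan(html):
    """Map each href in the body to the list of reasons it looks deceptive."""
    return {href: classify_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_HTML).items():
        print(href, "->", reasons or "ok")
```

A gateway would typically rewrite or strip any link that collects a reason rather than relying on the user to notice; the visible-text/href mismatch check in particular catches the lure the paragraph describes, because a mail client renders only the text.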

The Best Defense is a Good Offense

The good news for organizations is that they can protect themselves from these increasingly sophisticated phishing attacks by using artificial intelligence (AI), email security and cybersecurity training.

The first line of defense is to invest in AI-based prevention tools that monitor and scrutinize email communications. An effective AI solution analyzes behaviors such as the devices that external senders and employees use, who they message, what time of day they communicate, and the locations from which they do so. This information is used to build profiles of trusted email senders; incoming emails are then compared against those profiles to authenticate the sender and detect and block sophisticated phishing attempts. AI-based monitoring software can also scan images to detect fake login pages, recognize altered signatures, and automatically quarantine malicious emails so the end user never interacts with them.
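As an added illustration of the profiling approach described above (example code, not the article’s or Graphus’s own implementation), the following builds a per-sender profile from historical mail metadata (display names, recipients, send hours, sending country) and scores new messages by how far they deviate from it, including the display-name impersonation case where a familiar name arrives on an unfamiliar address. The history, the incoming messages, the geolocation field and the quarantine thresholds are all constructed assumptions.

```python
"""Profile trusted senders from mail history and score incoming messages.

Added example; not code from the article or from Graphus/TrustGraph.
The message records below are constructed for the example; in production
they would come from mail-server logs or a journaling mailbox, and the
sending country from IP geolocation of the connecting MTA (assumed here).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    sender: str      # From: address
    display: str     # From: display name
    recipient: str
    hour: int        # UTC hour the message was sent
    country: str     # country of the sending IP (assumed available)


@dataclass
class Profile:
    displays: set = field(default_factory=set)
    recipients: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    count: int = 0


def build_profiles(history):
    """One Profile per sender address, learned from past mail."""
    profiles = defaultdict(Profile)
    for m in history:
        p = profiles[m.sender.lower()]
        p.displays.add(m.display.lower())
        p.recipients.add(m.recipient.lower())
        p.hours.add(m.hour)
        p.countries.add(m.country)
        p.count += 1
    return dict(profiles)


def _hour_distance(a, b):
    """Circular distance between two hours of day."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score(msg, profiles, min_history=3, hour_tolerance=2):
    """Return (score, reasons); each deviation from the profile adds one."""
    reasons = []
    sender = msg.sender.lower()
    # Display-name impersonation: a known name on an address that does not own it.
    known_names = {d: s for s, prof in profiles.items() for d in prof.displays}
    owner = known_names.get(msg.display.lower())
    if owner and owner != sender:
        reasons.append(f"display name belongs to trusted sender {owner}")
    p = profiles.get(sender)
    if p is None or p.count < min_history:
        reasons.append("sender has little or no history")
        return len(reasons), reasons
    if msg.recipient.lower() not in p.recipients:
        reasons.append("sender has never messaged this recipient")
    if msg.country not in p.countries:
        reasons.append(f"unusual sending country {msg.country}")
    if min(_hour_distance(msg.hour, h) for h in p.hours) > hour_tolerance:
        reasons.append(f"unusual send time {msg.hour:02d}:00 UTC")
    return len(reasons), reasons


def triage(msg, profiles):
    """Map the score to an action; thresholds are assumed, tune per tenant."""
    s, _ = score(msg, profiles)
    return "deliver" if s == 0 else "warn" if s == 1 else "quarantine"


# Constructed history: past mail from two regular correspondents.
HISTORY = [
    Message("alice@corp.example", "Alice Chen", "bob@corp.example", 9, "US"),
    Message("alice@corp.example", "Alice Chen", "bob@corp.example", 14, "US"),
    Message("alice@corp.example", "Alice Chen", "carol@corp.example", 16, "US"),
    Message("alice@corp.example", "Alice Chen", "bob@corp.example", 10, "US"),
    Message("pat@vendor.example", "Pat Singh", "bob@corp.example", 13, "DE"),
    Message("pat@vendor.example", "Pat Singh", "bob@corp.example", 15, "DE"),
    Message("pat@vendor.example", "Pat Singh", "bob@corp.example", 12, "DE"),
]
PROFILES = build_profiles(HISTORY)

# Constructed incoming messages.
LEGIT = Message("alice@corp.example", "Alice Chen", "bob@corp.example", 10, "US")
IMPERSONATION = Message("alice.chen@mail-lookalike.example", "Alice Chen",
                        "bob@corp.example", 3, "NG")
COMPROMISED = Message("alice@corp.example", "Alice Chen", "bob@corp.example", 3, "RU")

if __name__ == "__main__":
    for m in (LEGIT, IMPERSONATION, COMPROMISED):
        print(triage(m, PROFILES), score(m, PROFILES)[1])
```

The third sample shows why behavioral profiling matters beyond sender authentication: a message from a compromised internal mailbox passes SPF, DKIM and DMARC cleanly, and only the off-hours, off-geography pattern gives it away.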

Email security is another preventative measure. Technology that adds warning banners and flags suspicious emails is helpful, as it lets users quarantine a message or mark it safe with one click. Compromised passwords can act as a gateway for cyberattacks. An identity and access management (IAM) tool combines single sign-on (SSO), multifactor authentication (MFA) and password management into one integrated solution. Passwordless authentication is another way to reduce the risks associated with passwords. It verifies a user’s identity using other factors, including biometrics such as fingerprints, or one-time passwords, where the user enters a code delivered by email, by SMS or by an authenticator app. One caveat: a code the user types in can be relayed by a phishing page in real time, so these methods reduce password risk without eliminating phishing risk, and phishing-resistant factors such as hardware security keys deserve consideration for high-value accounts.

Finally, an organization is only as strong as its people, driving home the need for cybersecurity training. Employees are the last line of defense once a message slips past the technical controls.

By increasing security awareness, an organization can reduce its chances of having a cybersecurity incident by up to 70%. Onboarding should always incorporate security awareness training, and after that, phishing simulation campaigns should be carried out regularly, at least once a month. While that may seem excessive, research shows that trained employees begin to lose what they learned four to six months after each session. With hybrid workplaces more commonplace post-pandemic, about 55% of remote workers rely on email as their primary form of communication, which reinforces the importance of security awareness training.

Don’t Become Bait

According to the FBI, U.S. businesses lost more than $1.8 billion last year in costs related to business email compromise (BEC) or spearphishing. The bureau also reported adjusted losses of over $54 million attributed to phishing scams. Given that phishing continues to be a preferred method for intrusion, it is reasonable to expect that number will only trend higher. Companies also need to account for costs associated with business disruption, lost productivity and remediation efforts that come with data breaches resulting from successful phishing attacks. 

By taking advantage of the full functionality of AI to build a robust security platform that identifies threats coupled with increased email security measures and employee training, organizations can do their part to protect their business from being compromised. 


Manoj Srivastava

Manoj Srivastava is the Co-Founder and CEO of Graphus. Graphus® is an automated phishing defense platform powered by an award-winning, patented AI technology, TrustGraph®. Manoj has been a pioneer in developing solutions to the phishing problem since 2005 as it has evolved over the years. He developed the industry’s first Phishing Intelligence feed, which proactively discovered phishing attacks against customers of large banks and ecommerce companies. This feed was subscribed to by leading security vendors such as IronPort/Cisco, BlueCoat, Imperva and Nominum, and was also used by leading portals such as Microsoft, Yahoo and AOL. Prior to Graphus, Manoj was VP at VeriSign, followed by CTO at Cyveillance (acquired by QinetiQ/LSE:QQ). He is a named inventor on 5 issued patents on cybersecurity technologies. Manoj holds a master’s degree in Computer Science from the University of Maryland and a bachelor’s degree in Engineering from the Indian Institute of Technology.
