A 2016 cybersecurity study in Germany concluded that more than three-fourths of computer users were aware of the dangers of malicious links and malware in emails from unknown sources. Yet they clicked on those links anyway. When asked why they clicked on a link, common responses included that they were simply curious, or that they believed their workstations would protect them from malicious applications. Even cyber-security experts have been tricked into clicking on links that are in emails purporting to come from legitimate sources.
In the hacker’s world of cyber-crime, email phishing attacks are often the first step toward infiltrating an otherwise secure corporate network. Those attacks come in many common forms, including:
- requests to wire money to someone that the recipient knows and who claims to be in trouble at some location away from his or her home;
- solicitations from well-known news agencies, such as CNN, directing the recipient to open a link in order to read a news story;
- emails that appear to originate with government entities, directing the recipient to open a link to verify bank balances or other information;
- threats that someone will be harmed if money is not sent;
- confirmation of complaints or comments supposedly sent by the recipient.
Busy employees and unsuspecting individuals often do not give much thought to these types of emails when its message piques their curiosity and they open a forwarded link, which can lead to any number of problems. Cyber-criminals have also become very adept at drafting email messages that have all the elements of legitimacy.
Consider, for example, the employee of an Oklahoma school district who opened an email that appeared to come from a superintendent, asking for tax information on all of the district’s teachers and other employees. The recipient readily complied, sending salary information and Social Security numbers for more than 1,000 employees that the hackers could then use to file false tax returns. Further, it is not just smaller entities that fall prey to phishing attacks. In April 2017, the U.S. Department of Justice charged a foreign individual with scamming more than $100 million from Google and Facebook through a series of phishing attacks.
Cyber-security experts recommend that organizations enact multi-faceted defenses against evil email phishing attacks, including:
- Updating all software regularly to install patches and bug fixes that guard against malware. Anti-virus software and other protective mechanisms can become outdated very quickly as hackers develop new tools and techniques that are designed to avoid their shields. Keeping software updated will protect a network against known threats.
- Using a password manager that changes passwords frequently. Even if a hacker can steal passwords that work within a network, the value of those passwords disappears when they are changed.
- Verifying emails with the sender before clicking on a link in an email message. Rather than replying directly to the email, the recipient should use the address and contact information in his or her own address book to send a message requesting verification.
- Uploading an attached document into an application that translates it into an HTML image. This prevents a network from opening the attachment, which might then release a malware application into a network.
- Educating and training employees regularly to maintain their awareness of the problem. Preventing employees from opening suspicious links is often the most difficult defense to implement on a regular basis. That training can be as simple as keeping employees up to date on relevant cybersecurity terms, including “phishing” and “ransomware”. An employee who does not understand or appreciate the risks is often the biggest danger to any organization.
In the event that an organization’s defenses against malicious email do fail, the final protective mechanism is a robust cyber-security insurance policy that can cover the organization’s direct losses and its liabilities to third parties that might arise when the organization loses their information in a phishing scam.