Protecting Your Organization from Phishing Social Engineering Attacks
June 20, 2023
Phishing email examples show up in our inboxes every day. For example, there was one that looked exactly like the other emails Jenny Thomas received from her bank. The logo was where it belonged, and the return address included the bank’s website. So when it asked her to click on a link to verify her password, she didn’t think twice. But the email was actually from a hacker in Eastern Europe who now had complete access to her accounts.
Something similar happened to Tracy Cook, who handles payables for your company. An email from a vendor mentioned a security upgrade and threatened to lock your company out if the password wasn’t updated. Tracy unwittingly opened the company’s entire accounting system to another hacker.
What Is Phishing?
Phishing emails are one of the most common types of social engineering attacks. They use psychological manipulation of people to trick them into performing actions or divulging confidential information that may allow fraud or other illegal activity to occur. Phishing is not the only type of social engineering fraud, but experts say it’s the leading cause of security breaches. How can you protect yourself from social engineering?
Phishing is just the latest version of criminal activity involving criminals misrepresenting themselves to lure trusting individuals into sharing confidential information. Before email became common, criminals used phone calls and letters as their primary tools, but the low costs associated with emails and the tendency of average people to trust the messages they receive have dramatically increased the need for phishing prevention. For example, fake websites created in response to the COVID-19 pandemic have been blamed for a 350 percent increase in emailed phishing attempts since early 2020.
Types of Phishing Attacks
There are several types of phishing attacks, but today’s most common include:
- Spear phishing involves sending emails ostensibly from a known or trusted source to induce individuals at a targeted organization to reveal confidential information.
- Whale phishing is similar to spear phishing, but involves attacks focused on senior executives and other key targets.
- Vishing is an increasingly common technique using legitimate-sounding voice mails to provoke a response.
- Smishing uses text (SMS) messaging to lure people into responding.
How Common Are Social Engineering Attacks Like Phishing?
What Is a Common Indicator of a Phishing Attempt?
As cybercriminals become more skilled and sophisticated, preventing phishing attacks becomes more difficult. Watching for common indicators such as these is how to protect yourself from phishing:
Urgency or Threats
Normal emails don’t include threats or demands for immediate action. By urging quick action, the cybercriminal hopes the recipient won’t examine the message closely.
If an email isn’t personalized but asks for personal information, it’s a warning sign.
Poor Spelling and Grammar
Many cybercriminals have a limited command of English, and their phishing emails reflect this. Spotting spelling mistakes and odd grammar is a major way to prevent phishing attacks.
When you receive a suspicious email, check the address of the source as well as any links or domain names. If a message claims to be from Microsoft but comes from an entirely different domain, steer clear.
If a request for credentials, payment information or other details seems unusual, it may be a phishing email. Would your IT team really email you to verify your password?
Odd Tone or Greeting
When an email claims to come from a colleague or supervisor but it doesn’t sound like them, or uses a greeting like “Salutations!” or your full name when that’s something they never do, be wary.
If there’s an attachment that doesn’t make sense—such as a purported invoice when you haven’t done business with a company—don’t click on it. Also watch for file extensions like .exe, .scr and .zip, which may launch malware.
How to Prevent Phishing
While companies are eagerly looking for ways to prevent phishing attacks, it’s impossible to block all phishing emails. That’s why the key to phishing protection is using the right strategies.
Phishing Best Practices
Install security software to detect and block phishing emails. Keep the software updated.
- Train employees to recognize phishing emails. Test them regularly.
- Create processes and tools reflecting phishing prevention best practices and ask employees to report suspicious emails they’ve received.
- Remote workers are prime targets for phishing, so implement phishing solutions such as using virtual private networks (VPNs) and requiring encryption.
- Develop a robust backup program that includes frequent backups and storing some offline (to protect you from ransomware).
- Require the use of multifactor authentication to access systems.
- Require the use of strong passwords to make it more difficult for criminals to guess them.
How to Handle Staff Who Fall for Phishing Emails
Phishing emails have become more sophisticated and difficult to spot, which is why training and testing are so important. Be creative with the fake emails you send, varying the format and when you send them. For example, employees may be more alert on a Tuesday morning than just before they leave for the weekend.
If an employee clicks on a link in your test phishing email or a real phishing email, you need the employee to report it. Make sure employees understand that they will not be punished. Employees who are afraid they’ll be reprimanded for making a mistake will be less likely to share the information you need for your email phishing prevention efforts.
Phishing and Social Engineering Fraud Coverage
Basic cyber liability insurance policies may not provide social engineering coverage. For example, if a cybercriminal tricks an employee via email into voluntarily transferring company funds, cyber insurers are likely to consider it as a theft, not a cyberattack. Depending on the carrier, a crime policy or a cyber social engineering insurance endorsement would be needed to protect the company from loss. Learn more about cyber coverage here. If you’re not certain you already have this type of social engineering insurance coverage, check with your broker.
Hylant’s dedicated cyber risk team works with leadership teams, boards of directors, IT staff and risk managers to understand and address their cyber risks from an insurance perspective. We provide risk profiling, exposure quantification, insurance procurement and negotiation, risk readiness and incident response planning services. Working with our clients, we minimize the potential financial and reputational impacts of cyber events on their organizations, helping them prevent phishing and other threats.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.