Cybersecurity threats are on the rise, and phishing remains one of the easiest, and most devastating, ways for attackers to infiltrate your business.
Phishing is no longer limited to laughably fake emails — attackers are becoming increasingly sophisticated. Despite the fact that 67 percent of SMBs experienced a cyberattack during the pandemic (according to Keeper Security’s report of 500 senior SMB decision makers) 66 percent still believe that a cyberattack is unlikely and 60 percent do not have a cyberattack prevention plan in place. No company is too big or too small to be hacked and the results can be devastating.
The average cost of a cyberattack on SMBs is $200,000, after which most companies must close shop. Phishing is an issue we all face. So, let’s face it, shall we?
In this guide, we’ll explain what phishing and spear phishing are, how they work, and the practical steps you can take to protect your business.
Phishing is the act of trying to obtain sensitive information (think login credentials and credit card details) from you by an sending email in which the sender poses as a trusted source (Facebook, Netflix, Bank of America) with the goal of financial gain or destroying your hard-earned company's reputation.
Phishing as a whole is large in scope and general in its aim: gathering sensitive information. Imagine a commercial fisherman casting a wide net. He then lies in wait as the fish come in (hint: you’re the fish). The larger the net, the larger the potential harvest.
You can also think of Phishing in terms of recreational pole fishing. The target is not direct. The fisherman does not care if she gets a Sunfish or a Bass or a Trout. She simply wants a fish and her hook is only made sweeter by using bait.
Out of the water and on dry land, Cyber Phishermen use a similar approach by sending out mass emails to cast wide nets and bait their prey. The more Phishing emails attackers send out, the more clicks they will get, resulting in more sensitive information being compromised. These Phishing emails are often baited to lure you in, posing as trusted brands (think Facebook, PayPal, etc.) you feel comfortable with.
You’ve probably seen these (often horrible looking) emails from someone posing as Netflix or Bank of America asking you to reset your password, or claiming that your credit card was declined, right? Look how BAD this one is, posing to be from PayPal but there are several Brandon's as the recipient!
We all get umpteen similar emails daily. Simple requests made to look safe and innocuous. Yet with Phishing, they are anything but. Most of the time these emails are obviously fake. They contain unmatched company fonts or poor spelling and grammar. However, since you almost always notice the glaringly bad phishing emails, you might not notice the really good ones, the ones that get you, like the one below:
The good news? Phishing has become more mainstream. There aren’t many people these days who haven’t taken a comedic dive into their Junk Email to find requests for aid from foreign princes or emails from Bank of America telling you your account needs attention. In our increasingly tech driven world, we are all getting a little tech savvier (and so is our email. Hello Junk folder!). Huzzah!
The bad news? As Phishing has become more mainstream and society has become better at spotting attacks, attackers have had to innovate. How? Spear Phishing.
Spear Phishing is a highly targeted attack on an individual or organization. The intent is far more calculated and malicious in nature than Phishing. Attackers aim to glean extremely sensitive personal or company information (like trade secrets, stock information and more) or install malware on you or your company’s network. How do they do it? Unlike normal Phishing where an email is sent to untargeted masses, Spear Phishers know exactly who they are targeting: you.
Spear Phishing is singular in scope. To continue our fishing analogy, imagine (you guessed it!) a spear fisherman. A spear fisherman is not out lollygagging about waiting for a rustle in a net. They are zeroed in on their prey, stalking them. They know everything: their habits, their locales, their weaknesses. So do your attackers.
Spear Phisherman use existing information you have innocently placed on the internet against you (think social media shares and online profiles). Like a spear fisherman throwing their spear, the aim is exact. So too is the Spear Phisher’s attack on you. You are the target and to their trained hand, you may be an easy one. Even top executives and tech savvy personnel alike who have been trained to avoid cyberattacks have fallen prey to Spear Phishing (think Google, Facebook and Apple, to name a few).
Here is an example using Microsoft’s Office 365 Phishing Attack simulator.
There are only two things that would need to change to make this 100% believable:
How hard was that? All I would need to do to create such an email is:
O.K. Now that we are sufficiently scared to swim in the cyber waters, let’s take a moment to dig a little deeper into our Phishy friends:
The good news: with the right tools and settings, you can drastically reduce your phishing risk. Here are five key steps to take:
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC), are Domain Name Server (DNS) and email protocols that ensure that the sender of the email actually is who they say they are and not pretending to be someone else (which is called being ‘spoofed’).
Read our How to Enable SPF, DMARC, and DKIM blog post for instructions on how to set this up using a free tool we use daily called MxToolbox.
Office 365 ATP protects your organization against phishing attacks and malicious attachments.
A very recent example of ATP's prowess occurred earlier this month when, Microsoft reported "an attacker launched a spear-phishing campaign that lasted less than 30 minutes. Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack.
81% of data breaches are due to weak, reused or stolen passwords, which is how attackers deploy phishing and spear-phishing attacks.Microsoft has made it insanely easy with their Microsoft Authenticator app, approving an MFA request is as simple as hitting ‘Accept’ on your device (even without cell coverage). No more entering randomized codes and toggling between apps, ever.
Read our blog post, Office 365 MFA Setup: Step-by-Step Instructions to set this up.
With Office 365 Message Encryption (OME) you can send encrypted emails to people inside and outside of your company without needing a 3rd party tool regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc). Here is a video of how it works below:
Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Post Office Protocol (POP) are communication protocols created between 1981 and 1988, so its pretty old technology. These protocols don't support the multi-factor authentication (MFA) technology we have today and are now considered 'legacy authentication' measures.
This means that it doesn't matter if you have MFA because attacks that use these three channels will bypass MFA, so you have to close these ports!
Don’t be the catch of the day, be the one who got away!
Not sure where to start? Our team can set up these protections for you or guide your IT team through the process.
Schedule a call with us to secure your email, and the rest of your company, today.