Phishing in Seattle – How to Protect Your Business

A recent article in Dark Reading, a leading cybersecurity news site, stated that more than 90% of malware (such as ransomware) is delivered by email. The cybersecurity experts over at FireEye report that 1 out of every 101 emails is sent with malicious intent.

But malware isn’t the only threat delivered over email (and, according to the FireEye report, only comprises 10% of malicious emails). There’s also phishing, which tries to steal your login credentials by providing fraudulent information.

Luckily, there’s a new way to block and avoid phishing email attacks using today’s latest cybersecurity tools and training techniques. Get the facts in today’s article.

Your Employees’ Emails Are Under Attack

That Dark Reading article we mentioned earlier also states that the average employee doesn’t go two full days between receiving phishing messages, and it mentions that more than half of malicious emails contain the word “invoice” in the subject line.

This is known as “invoice phishing,” and it’s a huge problem.

“Invoice phishing” is a specific subtype of phishing attack, in which cybercriminals send fake outstanding invoices from well-known companies with a link for you to access and pay your invoice. The link leads to a fake payment page that criminals use to steal your payment data.

Other common forms of phishing include:

  • Payment/delivery scams – a criminal posing as a vendor you work with requests that you update your payment information, and the false page they lead you to steals the info you enter.
  • Tax-themed scams – similar to one of the robocall vishing scams previously mentioned on this blog, criminals pose as the IRS and threaten to take legal action on unpaid taxes.
  • Download scams – a phishing email that contains a document you must open or download, often requiring you to log in to a fake login page (and therefore expose your credentials).
  • Business Email Compromise (BEC) attacks – originating from an email address that spoofs (i.e. copies) your organization’s domain, these emails often request a fraudulent wire transfer.
  • Spear-phishing/whaling attacks – cybercriminals target specific roles or individuals within the company to gain their login credentials, which often results in an undetected attacker siphoning data off of your company over months or years.

As we stated earlier: your employees are receiving these attacks more often than every two days on average – and clicking on just a single one of these can lead to a costly data breach or theft of your hard-earned revenues.

Fortunately, modern tools and techniques can help you prevent these damaging phishing attacks.

The Two Leading Solutions That Enhance Your Email Cybersecurity

To prevent phishing attacks, cybersecurity professionals recommend a two-pronged approach: (1) Use an Office 365 solution built to help you defend against phishing emails, and (2) train your employees not to click on the small number of malicious emails that slip through the cracks.

Let’s talk about these options.

  1. Stop Phishing at the Source with Office 365 Advanced Threat Protection

To combat the threat of email cybersecurity issues, Microsoft released Office 365 Advanced Threat Protection (ATP), which protects you and your staff from harmful links, malicious attachments, and spoofed emails used in a BEC attack.

  • ATP Safe Links verifies all links at time of click to ensure that links are safe. If a link is found to be malicious, it is immediately blocked, preventing you and your staff from accidentally clicking.
  • ATP Safe Attachments opens each email in a virtual Windows setup in the cloud and then opens up all attachments to see if they’re malicious. This tool actually defends against malware and doesn’t have much to do with phishing, but since Microsoft calls this tactic “detonating” the attachments, we had to include it for its cool jargon. 😉
  • ATP Anti-Phishing uses machine learning technology to identify impersonations of your users and domains, which are also known as “email spoofs.” This helps prevent those Business Email Compromise attacks we mentioned earlier.

If the email and its attachments pass these virtual tests, the email is passed along to you or your staff for safe access. If the email doesn’t pass these tests, it’s blocked to protect you, your employees, and your business data.
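A simplified, rule-based version of the user and domain impersonation check described above, as an added example that is not Microsoft's implementation or code from the original article (ATP Anti-Phishing uses machine learning; this sketch uses edit distance and a directory lookup instead). The domain, staff directory and sample headers are constructed, and `authenticated` is an assumed input standing in for your mail gateway's sender-authentication verdict.

```python
from email.utils import parseaddr

# Constructed values for illustration: replace with your own domain and directory.
ORG_DOMAIN = "example.com"
STAFF = {"dana reyes": "dana.reyes@example.com"}

SPOOFED_OWN_DOMAIN = "own-domain sender failed authentication"
LOOKALIKE_DOMAIN = "lookalike domain"
NAME_IMPERSONATION = "staff display name with unexpected address"

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, authenticated=True):
    """Return the impersonation findings for one From header.

    authenticated: assumed boolean verdict from the receiving gateway on
    whether the message passed sender authentication for its From domain.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    if domain == ORG_DOMAIN:
        # Exact use of our domain is only trustworthy if authentication passed.
        if not authenticated:
            findings.append(SPOOFED_OWN_DOMAIN)
    elif edit_distance(domain, ORG_DOMAIN) <= 2:
        # One or two character changes, e.g. "l" -> "1" or "m" -> "rn".
        findings.append(LOOKALIKE_DOMAIN)
    expected = STAFF.get(name.strip().lower())
    if expected and addr != expected:
        # A known colleague's name on an address that is not theirs.
        findings.append(NAME_IMPERSONATION)
    return findings

if __name__ == "__main__":
    for header in ("Dana Reyes <dana.reyes@example.com>",      # constructed samples
                   "Dana Reyes <dana.reyes@examp1e.com>",
                   "Dana Reyes <ceo.office@gmail.com>"):
        print(header, "->", check_sender(header) or "no findings")
```
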

  2. Phishing Avoidance Training

Office 365 ATP is impressive and stops a lot of malicious email attacks… but no software is 100% perfect all the time. There’s always a chance that a really crafty phishing email will manage to elude the anti-phishing tool – and if that were to happen, you’d have an active email threat inside your system.

Your last line of security defense is your employees, which is why most careful business leaders also choose to train their staff to identify and avoid clicking on phishing emails.

The best way to educate your employees is to clearly teach them about the dangers of phishing and provide real-life examples of what these emails look like. The real-life examples are key because modern cybercriminals are much more sophisticated in their methods than they used to be; badly worded Nigerian Prince scams aren’t going to fool anybody these days.

Once employees know what to look for, and why, it’s a good idea to reinforce their training by sending out test phishing emails and seeing how various staffers respond. For the employees who consistently click, you’ll know you need to gently (but clearly) repeat the training, so they get the message. Eventually, through repeated training exercises, everyone at your company can become an anti-phishing star and you’ll know your organization will be that much safer from the many email cybersecurity threats out there.

 

If you’d like to set up a phishing training program at your workplace or learn more about Office 365 ATP, just get in touch. We’re happy to set you up with proven tools that defend against phishing, along with techniques that have helped companies of all sizes build up their email cybersecurity awareness skills.