The Anti-Phishing Working Group reports that phishing attacks continue to increase every quarter, showing up most frequently in the payment, financial, and webmail sectors. Attackers are also increasingly targeting Software-as-a-Service (SaaS) applications and webmail providers. As a result, anti-phishing solution providers have reported activation rate increases over the past year that range from double-digit to quadruple-digit growth.
One highly effective airline phishing attack has had a more than 90-percent success rate in getting potential victims to open the e-mail. Even the best legitimate marketing campaigns rarely achieve open rates that equal a third of that — which points to just how crafty phishing scams have become.
The average employee receives upwards of 120 e-mails each day, and this proliferation of messages is one reason that phishing attacks have grown in frequency, sophistication, and effectiveness. MSPs have struggled to help their clients protect themselves against these wildly successful social engineering attacks. Simply providing educational information isn’t enough anymore.
Phishing e-mails trick people into providing passwords, banking account information, social security numbers, and other information by impersonating legitimate senders (e.g., banks, e-commerce sites, customers) and getting users to click through to imposter websites.
Most companies are already familiar with phishing but haven’t done much to beef up their security protocols beyond cautioning employees about opening e-mails and attachments from unknown senders. But the people sending these e-mails have gotten savvier, so most companies and their employees will need more detailed guidance about how to identify a potential phishing e-mail and what to do when they see one.
What can you do to better protect your customers?
Provide continuous education. Share real-life examples of phishing attacks, including information about what exactly constitutes an attack and the potential cost to employees and companies.
Offer regular guidance on how to identify phishing attacks, and provide resources your clients can easily share with their employees. Phishing e-mails share a few common attributes: They ask for personal information (like a password); they often include minor grammatical errors; and both the hyperlinks included and the sender’s e-mail usually don’t match their actual destination/origination points.
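The mismatch heuristics above (link text pointing somewhere other than its real destination, a sender whose display name claims a domain the real address doesn't carry, and a request for a password) can be turned into a simple triage check. The script below is an added example, not part of the original article or any vendor's product; the sample From header and HTML body are constructed, using reserved `.test` domains, and the regular expressions are a minimal illustration rather than a production filter.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}")
CREDENTIAL_RE = re.compile(r"\b(password|verify your account|confirm your identity)\b", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(s):
    """Normalised host of a URL or bare domain, with any 'www.' prefix dropped."""
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(from_header, html_body):
    """Return a list of indicator strings; an empty list means no heuristic fired."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name shows a domain that differs from the real sender domain.
    m = DOMAIN_RE.search(display.lower())
    if m and _domain(m.group()) != sender_domain:
        findings.append(f"display name '{display}' vs real sender domain {sender_domain}")
    # 2. Visible link text looks like a URL but the href goes somewhere else.
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        m = DOMAIN_RE.search(text.lower())
        if m and _domain(m.group()) != _domain(href):
            findings.append(f"link text '{text}' actually points to {_domain(href)}")
    # 3. The message asks for a password or similar credential action.
    if CREDENTIAL_RE.search(html_body):
        findings.append("message requests credentials")
    return findings

# Constructed sample message (not a real campaign): all three heuristics fire.
SAMPLE_FROM = '"support@examplebank.com" <alerts@example-bank-login.test>'
SAMPLE_BODY = ('<p>Please visit <a href="http://example-bank-login.test/verify">'
               'www.examplebank.com</a> and confirm your password.</p>')
```

Run `phishing_indicators(SAMPLE_FROM, SAMPLE_BODY)` to see the three findings; a message whose link text, href and sender domains all agree and that asks for nothing returns an empty list.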
When there are high-profile phishing attacks in the news, use that as an opportunity to reinforce that education.
Implement ongoing training. Annual or biannual training on recognizing phishing attacks can help keep the topic (and the tell-tale signs of a phishing attack) fresh in employees’ minds. Help your clients create a regular training program and establish a schedule, along with providing periodic reminders or security newsletters for employees.
Use simulation to reinforce training. The use of simulated phishing to test the defenses of a company and help employees improve their ability to avoid these scams is becoming more common. Make simulation or computer-based training part of your own value-added services offering.
There are tools built for this, including Barracuda PhishLine, which turns employees into a line of defense through continuous training and attack simulation. In some cases, the training resources that are available have been “gamified” to encourage better user participation. For example, Carnegie Mellon offers a game called “Anti-Phishing Phil” that can be licensed and customized with an organization’s URLs and branding information.
Involve corporate leadership. Make sure top-level executives are included in this training and simulation activity. There are phishing scams (called “whale phishing”) tailored specifically to these high-value individuals, and the C-suite is not immune to falling for them.
Establish processes both internally and for your customers to report phishing pages. Google has a site specifically for this type of reporting, as do other organizations like PhishTank. The Federal Trade Commission also accepts these reports.
Help customers create a robust patching regime. Even with all of the education and training in the world, employees will still occasionally fall for phishing scams. Having a regular, automated security update and patching regime in place will help mitigate the effectiveness of these breaches. System and software updates remain the best defense against these attacks.
It’s important for MSPs to stay up to date on the latest phishing scams to help their clients remain secure. It’s also important for MSPs’ internal security, as they are increasingly becoming targets of these attacks. The Anti-Phishing Working Group (APWG) provides a variety of resources to help companies identify and avoid falling prey to phishing scams. Share the information with your clients and encourage them to revisit their own security processes regularly in light of new threats. Doing so can help them protect both their corporate data and employees’ personal information. You can also take the “Ultimate Phishing Quiz” to learn if you have what it takes to help your customers avoid a phishing scam.