Phishing Emails: Why They’re a Threat & How to Protect Your Business
It is a scary fact that one out of every three business employees will open a phishing email at work on any given day. Phishing emails are created explicitly by hackers to try to convince you to give up pertinent information about your business or to inadvertently make your data vulnerable. Therefore, it is critical that, as a business owner, you know all you can about email phishing practices. Take a look at some of what you should know about phishing emails, what they look like, and the steps you can take to protect your business.
A Closer Look at Phishing Emails
Phishing emails are specifically designed to trick users into revealing sensitive information. The emails most often look like they are coming from a legitimate sender and contain links that an unwitting user may click on. When these links are clicked, the user is led to a spoof website that is set up to appear as an authentic site. Once on the site, the user is asked to enter credentials; these could be login information, banking details, or other sensitive information. When the user does so, the data is captured by the spoof website, and the criminals can later use the credentials to access real accounts.
A Look at Why Phishing Emails Are a Common Threat
According to a study done in 2017, a whopping 269 billion emails are sent every day around the world. When you put that into perspective as a business owner, you see that this adds up to a lot of potential opportunities for criminals to attack your business through your employees. According to the APWG (Anti-Phishing Working Group), an estimated $9 billion will be leeched from companies and organizations through phishing in 2018.
Hackers who send out phishing emails either have the goal of stealing information and using it themselves or stealing the information to make a profit in another way. Sensitive financial data is often bought and sold on the Dark Web for a hefty sum.
The latest wave of phishing scams has shown up on social media sites like Facebook, Twitter, and Instagram. Direct links to spoof websites are crafted and presented to look legitimate, so users click on them believing they are being routed to legitimate websites.
Problems with phishing have become so prevalent that reports are gathered consistently to warn the public. APWG’s Phishing Activity Trends Report For The 1st Quarter Of 2018 stated:
- 263,538 phishing emails were detected
- The number of phishing emails was up 46 percent from Q4 in 2017
- At least a third of modern phishing websites had HTTPS and SSL certificates
Phishers are primarily posing as payment services, but they have also been known to target webmail services, financial institutions, cloud and file hosting sites, and other industries.
Most Prevalent Phishing Email Subject Lines in 2018
Phishers use phrases and terms in subject lines of their emails that would demand attention from just about any email user. The most common phishing subject lines in the second quarter of 2018 can be narrowed down to ten phrases.
1. Password Check Required
2. Security Alert
3. Email Deactivation Warning
4. Urgent Information for Employees
5. Update to Company Policies
6. Revised Policy Information for Employees
7. Staff Review
8. Mail Label Delivery
9. Change Your Password
10. Delivery Attempt Made
Even though these were the ten most common subject lines used, not all of them were equally effective at garnering clicks. “Password Check Required” accounted for about 15 percent of clicks. “Security Alert” was also near the top of the list, accounting for 12 percent of clicks. Most of the other subject lines drew a roughly similar share of clicks, between 7 and 11 percent each.
Avoiding Phishing Scams in the Workplace
- Train employees to understand that an HTTPS certificate does not always mean they are on a secure site
- Instruct employees to alert someone immediately if they believe they have received a phishing email or have been fooled by a phishing email linked to a spoof site
- Make sure all user passwords are complex and fully encrypted
- Avoid clicking links in emails unless it is absolutely necessary and you are certain the email is legitimate
- Train employees on how to recognize a bogus phishing email
- Employ two-factor verification every time it is available on a site
When it comes to phishing emails and scams, a little education will go a long way toward protecting your business from an attack. If you feel your business is being targeted by phishing emails, make sure you alert everyone in the workplace to the situation and work with your IT service to add extra security.