The million dollar question is: Could you catch email phishing attacks before they catch you? A successful phishing attack costs a mid-size company an average of 1.6 million dollars. The ability to recognize the signs of a phishing attack before you hand over sensitive information or click an unknown link is a vital step toward securing your company.
Attacks and breaches take place every single day, and no company is immune. For example, many of you may have heard about the recent Google breach. Every company and every employee therefore needs to take extensive measures to secure their organization. According to the SANS Institute, 95% of enterprise network attacks involve spear phishing. In addition, according to the 2018 Verizon Report, 30% of phishing messages get opened by targeted users. The solution is simple: train your employees to spot phishing emails, and test their knowledge about phishing attacks before a real attack is delivered.
Hear it From the Experts
TechGuard delivered a spear phishing campaign as part of a penetration test for a university. Spear phishing is a more targeted type of phishing that uses knowledge gained about the victims before the attack. TechGuard decided to use the "failed package delivery notification" template, which included a "click here" link to arrange delivery. In addition, a fake login page that mimicked the university's logos was set up to capture users' login information. TechGuard used substantial reconnaissance to select target employees who were likely to hold escalated privileges. As a result, we chose 14 users to target in an attempt to steal credentials and infiltrate the system.
Results of our Phishing
Within 5 minutes of sending the spear phishing email, 2 employees clicked the link and provided login credentials to our fake page. Within 20 minutes we had access to all of their student records. Ultimately the phishing was reported and a notification was sent informing employees not to click the email link. However, at that point we already owned the users' machines. We could also have simply deleted the phishing notification and started sending phishing emails as that user.
If the employees had been trained to know the signs of phishing emails, they would have noticed that the link's domain resembled the college's name but did not match it exactly. They would also have known to verify with shipping and receiving that there actually was a package before clicking the link. It only takes one user to compromise a system, and the results can be catastrophic. Therefore, always question unexpected emails and unknown links, and verify the authenticity of the email.
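The domain check a trained employee makes by eye can also be automated for awareness tooling or mail filtering. The following is an added Python example, not part of the original post or TechGuard's tooling; the university domain is a constructed placeholder, and the "two edits away" threshold is an assumed heuristic.

```python
from urllib.parse import urlparse

# Constructed placeholder for the organization's legitimate domain;
# employees should expect internal links to resolve here.
LEGIT_DOMAIN = "example-university.edu"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a host, e.g. sso.example-university.edu -> example-university.edu.
    Simplification: production code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Classify a link's host as 'trusted', 'lookalike' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unrelated"
    # Exact match or a genuine subdomain of the legitimate domain
    if host == legit_domain or host.endswith("." + legit_domain):
        return "trusted"
    reg = registered_domain(host)
    org_name = legit_domain.split(".")[0]
    # Lookalike heuristics (assumed thresholds): the registered domain is within
    # two character edits of the real one, or the organization's name is embedded
    # in a host that is registered under someone else's domain.
    if levenshtein(reg, legit_domain) <= 2 or org_name in host:
        return "lookalike"
    return "unrelated"
```

A "lookalike" result is the case the post describes: a link that reads like the college's name at a glance but is not the college's domain.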
Are you curious whether your staff members would detect a phishing email, or fall victim to one? How many of your employees would fill out a form giving away their credentials? Organizations often go on thinking it will never happen to them, but if it did, could your company afford a loss of 1.6 million? Consider how often there is a new story about a cyberattack or a breach. Your employees can be either your greatest strength or your greatest vulnerability.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company's story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.