Phishing and Security Awareness Is More Critical Than Ever

Posted by Dennis Dillman, Chief Operating Officer of PhishLine on Fri Apr 15 ’16


According to a recent FBI report, U.S.-based businesses lost $2.3 billion over the past 27 months to one type of phishing attack alone: the “Business Email Compromise,” or “BEC,” attack. In a BEC attack the attacker goes to considerable lengths to assume the identity of an officer of the business, of internal or external legal counsel, or of a major vendor, and then targets the individuals who manage money or authorize payments. In Arizona, home of the FBI field office that authored the report, the average loss reported in this type of scam is between $25,000 and $75,000.

Since January 2015, this attack type has increased in frequency and/or impact by 270 percent. Businesses in every U.S. state and 79 countries have reported this type of attack.

Consider adding the following to your procedures for dealing with or preparing for phishing incidents (some of these are from the linked FBI report):

  • Make sure you are using a security awareness tool that has the following features:
    • The ability to simulate BEC attacks
    • The ability to provide training on BEC attacks to your employees
    • The ability to target training to high risk departments like Accounts Payable
  • If you suspect your organization is the victim of a BEC attack:
    • Contact your financial institution immediately
    • Request that your financial institution contact the financial institution that received the fraudulent transfer
    • Without regard to the dollar amount involved, file a complaint with the FBI’s Internet Crime Complaint Center, also called IC3
  • Be wary of email-only wire transfer requests and requests involving urgency. Urgency is one of the most significant indicators of a phishing scam.
  • Pick up the phone and verify that the email sender is a legitimate business partner. Look up the vendor’s phone number on their website, or use the number you already have on file, rather than calling the number listed in the email, which the attacker controls.
  • Be cautious of mimicked email addresses. Don’t hesitate to engage your technology or security teams to validate whether an email is legitimate.
    • TIP: Copy and paste an email address into MS Word or another tool and change the font. For example, if we focus on the letter “L” in “phishline.com” we see the following:
      • dennis.dillman@phishline.com looks exactly like dennis.dillman@phishIine.com in the Calibri font, despite the fact that in the latter the “L” is really an upper-case “i”.
      • However, in a serif font such as Times New Roman, dennis.dillman@phishline.com looks noticeably different from dennis.dillman@phishIine.com, because the upper-case “i” gets serifs and the lower-case “L” does not.
    • Seek additional sources to verify the authenticity of someone requesting a payment.

To learn more about security awareness, download our free eBook, Advanced Persistent Testing: How to Fight Bad Phishing with Good.
