The dangers of being phished are now widely known, but the extent of the damage is often misunderstood. Successful phishing involves the scammer gaining unauthorized access to an organization’s private information, which they then use for personal gain. Some of the most common pieces of information that phishers steal is bank account details. Once obtained, phishers may be able to use this information to withdraw money from the account or to make an online transaction using the victim’s money.
The global financial impact of phishing is hard to estimate. Large businesses are most susceptible to losing large sums of money; one report by the Ponemon Institute estimates that in the first quarter of 2016 successful phishing attacks collected up to $3.7 million per attack on a large organization. Smaller organizations also fall victim to attacks regularly, as they may not have the resources to build sophisticated security networks or awareness schemes to prevent their staff from falling for the scams.
Phishers often scam large companies by impersonating company managers and sending emails to lower-ranked staff. They order their staff to transfer funds to accounts that are actually controlled by the phishers. This type of phishing, often called “whaling,” can cause the business to lose huge sums of money––sometimes even millions of dollars. The Austrian aircraft manufacturer FACC is a prime example of this: they were phished out of $54 million in January 2016. Their CEO was fired later that year due to the incident and the repercussions on the company’s image.
Many organizations are now taking extensive measures to avoid being phished. They may employ email filters or software that prevents some attachments from being opened, but these are only so effective. If a phisher is aware of these measures, they may design the email such that it can pass through these regular protective programs. Training employees to recognize phishing schemes, or encouraging them to question when suspicious transactions are made, is another route that companies may take to protect their financial interests
In addition to the financial loss incurred through phishing, companies may also suffer from reputation damage. If a company has fallen victim to a scam, they may be seen as incompetent and untrustworthy. If a company is a third-party supplier, a breach incident may lead to their clients immediately terminating their contracts. Building up a brand reputation takes time and dedication, all of which may be wiped out nearly instantaneously if a phisher attacks.
The damage to a company’s reputation not only comes from being phished themselves but also by being spoofed. If a hacker has obtained the organization’s client list and sent them spoof emails, the organization’s reputation takes a hit. It is vital that the customer’s private information is protected, and companies may hire specialized cybersecurity companies to help prevent their clients from being the victims of phishing.
Ransomware and Phishing
Ransomware is a type of malicious software that blocks the victim from accessing their computer, or certain files on their computer, until a ransom is paid to the hacker. The malware may be delivered to a computer through a phishing attack. The victim may receive an email from a trusted contact or organization, in which the phisher has included an attachment. The attachment harbors the software; when it is opened, the computer becomes infected and the victim is denied access.
Ransomware has become a larger threat in recent years. According to Verizon, the communications company, it was the most-used type of malicious software in 2018, accounting for 39% of malware phishing attacks. This is double the proportion of malware attacks made with ransomware in 2017.
Ransomware attacks may be on the rise because of the availability of the software online. Hackers don’t need to come up with the software themselves; ransomware can simply be purchased on the dark web. It requires very little effort on the part of the phisher, but with a large payback for their small effort. The victims are comparatively helpless and can do little else but pay the ransom.
Phishers are no longer just targeting individuals with their attacks. Large organizations, with larger wallets, are witnessing a greater number of attacks on their systems. The attacker sometimes simply closes down access to their systems in demand for the ransom. Other attackers will hold certain information ransom, such as the private medical information of patients if they attack a healthcare provider. Since the organization could face huge legal issues if their patient’s data is released, they are forced to pay the fines.
Due to the relative ease of these attacks, it is likely that they will only become more common in years to come.
It is difficult to protect against these types of attacks. The most straightforward way is to teach employees about the dangers of phishing. If the employees know how to spot suspicious emails, they won’t be inclined to open the attachments and then inadvertently introduce the malware into the system. Preventing the system from being compromised, instead of dealing with the after-effects of the attack, is the easiest way to ensure a company’s security isn’t compromised.
Employees should be taught to never open emails from unfamiliar senders. Or, if they do open emails, never follow links embedded in the email or open attached PDF files or images. If they do accidentally click a link in an email or open an attachment, they should be encouraged to contact the IT department as quickly as possible and disconnect their device from the network to try to mitigate the damage. The IT department can assess if the hacker has acquired unauthorized access to the system. They can also tell the rest of the organization of the potential breach so that others can be vigilant for similar scams. Regular phishing training workshops are recommended, as are emails informing employees about the latest scams circulating the internet.
About the Author:
Liam Johnson is a cyber-security specialist with several years of experience writing cybersecurity content on various websites. Liam worked on several cybersecurity advice websites for a number of years before joining NetSec.news. He also worked his way through college as a freelance cybersecurity writer. He is responsible for in-depth research and producing detailed advice on cybersecurity topics for Netsec.news.