
Is Something Phishy Going On? How to Guard Against Business Email Attacks

August 16, 2018

Fraudulent email attacks have become a ubiquitous security threat to businesses all over the world. More than nine out of 10 cyber attacks begin with phishing.[1]

Legitimate-looking phishing emails are the most effective way to deliver ransomware and to trick employees into transferring money or providing login credentials. Four percent of employees will click on a phishing email, and it only takes one click to unleash damage to your business.[2]

Five common phishing schemes

Phishing attacks have become so successful that cyber criminals have adapted many different strategies to achieve their objectives. Here are the five most common types of phishing emails:

Deceptive phishing occurs when fraudsters send emails impersonating a legitimate company—often a financial institution or government entity—in an attempt to gain login credentials or personal information that will enable them to steal funds. These emails usually contain a malicious link that sends recipients to a fraudulent, but authentic-looking, website. Once victims log in to the fake site, they have unwittingly handed their credentials to the thieves.

  • Vishing (voice phishing) occurs by phone.
  • Smishing (SMS phishing) occurs by text messages.

Spear phishing is a targeted phishing attack against a limited number of people in an effort to gain access to corporate network credentials or financial accounts. Attackers carefully research the target business, harvesting as much information as possible before sending out highly personalized emails. They know the name, role and title of each person targeted and tailor the emails to appear to come from within the organization (often the finance or HR department) or from a legitimate vendor or business partner. Spear-phishing campaigns increased by 55 percent in 2016.[3]

Whaling is a spear-phishing attack where criminals take considerable time and effort to study and target a “big fish”—the CEO or a high-level finance executive. The goal is to obtain the login credentials for the highest-level, most secure access in the company.

Business Email Compromise (BEC) is one way whaling can lead to a gigantic payday. First, the attacker lurks in the system, monitoring the email activity of the CEO or CFO to learn internal procedures. Then, the attacker uses email that looks like it legitimately comes from that executive to persuade lower-level finance or accounting employees to initiate an “urgent” wire transfer. BEC losses were up 1,300 percent in 2016[4] and, according to the FBI, businesses around the world were exposed to BEC losses of $5.3 billion from 2013 to 2016.[5]

Pharming is an attack that uses DNS cache poisoning to send users to a fake website regardless of whether they entered the correct website address in their web browser. This attack does not require victims to click on a malicious email link.[6]

Defend Your Organization from Phishy Situations

  1. Think before you click. Look carefully at the sender’s name and email address. Scan for obvious misspellings or strange grammar. Inspect all URLs to see if they redirect. If in doubt, call the sender, but don’t click the hyperlink.
  2. Only log in to HTTPS websites. To reduce the risk of pharming, check the URL of any website before logging in. If the site is not served over HTTPS, do not enter your credentials.
  3. Train every computer user—even the CEO. When employees have the facts about how common phishing is and the damage it can cause, they will be motivated to watch more carefully for signs of trouble.
  4. Run phishing exercises. Test employees with phishing exercises (either internally or using a consultant). Studies show they’ll get better at spotting the fakes.
  5. Use two-factor authentication when possible. Two-factor authentication helps ensure that even if your password has been phished, criminals still can’t access your system.
  6. Make it easy to report suspicious emails. Employees should never hide a phishing attack. Provide a quick, easy process for getting this critical information to IT.
  7. Add another line of defense. CyberScout’s premier data defense services provide businesses with proactive education and breach remediation support.
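Steps 1 and 2 of the checklist above (check the sender’s name and address, inspect every link, insist on HTTPS) can be turned into an automated first pass that a help desk runs over a reported message before a human looks at it. The script below is an added example written for this article; it is not CyberScout’s code, and the allow-listed domain, brand name and both sample emails are constructed for illustration. It parses a raw message with Python’s standard library, then flags a display name that claims a trusted brand from an untrusted domain, a Reply-To routed elsewhere than the From address, links that are not HTTPS, links to domains outside the allow-list, and anchor text that shows one URL while the href goes to another.

```python
"""Header and link triage for a suspected phishing email (added example, not CyberScout's code)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the domain the organization's bank legitimately sends from and links to.
TRUSTED_DOMAINS = {"example-bank.com"}
# Brand names a spoofer would put in the display name (normalized: lowercase, alphanumerics only).
BRAND_NAMES = ("examplebank",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (a production tool would use a public-suffix list)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(addr):
    return registered_domain(addr.rpartition("@")[2])


def normalize(name):
    return "".join(ch for ch in name.lower() if ch.isalnum())


def triage_email(raw):
    """Return a list of (code, detail) findings; an empty list means no red flags were found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(from_addr)

    # Checklist step 1: does the display name claim a brand the sending domain does not belong to?
    if any(b in normalize(display_name) for b in BRAND_NAMES) and from_domain not in TRUSTED_DOMAINS:
        findings.append(("brand-spoof", f"'{display_name}' sent from {from_domain}"))

    # Replies silently routed to another domain are a common sign of an impersonation attempt.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of_address(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_addr} vs From {from_addr}"))

    # Checklist steps 1 and 2: inspect every link for HTTPS, its destination domain, and text/href mismatch.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = urlparse(href)
            if target.scheme != "https":
                findings.append(("insecure-link", href))
            if registered_domain(target.hostname) not in TRUSTED_DOMAINS:
                findings.append(("untrusted-link-domain", href))
            if text.startswith(("http://", "https://", "www.")):
                shown = urlparse(text if "://" in text else "http://" + text)
                if registered_domain(shown.hostname) != registered_domain(target.hostname):
                    findings.append(("link-text-mismatch", f"shows {text}, goes to {href}"))
    return findings


# Constructed sample: a deceptive-phishing message carrying several red flags at once.
PHISHY = """From: "Example Bank Security" <alerts@example-bank-login.net>
Reply-To: verify@mail-relay.example.net
To: employee@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm at
<a href="http://example-bank.secure-update.net/login">https://www.example-bank.com/login</a>
within 24 hours.</p></body></html>
"""

# Constructed sample: a legitimate notification from the allow-listed domain.
CLEAN = """From: "Example Bank Security" <alerts@example-bank.com>
To: employee@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishy", PHISHY), ("clean", CLEAN)):
        print(label, triage_email(sample))
```

The checks are deliberately simple string and header comparisons, so they produce no false sense of certainty: a message with no findings still deserves the human scrutiny the checklist describes, and a flagged message should go to IT through the reporting path in step 6 rather than be acted on.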


CyberScout is leading the charge against hackers and thieves, providing cyber security for more than 770,000 businesses. Contact your company’s bank, credit union or insurance company to find out if they offer data breach defense services.

[1] “2016 Enterprise Phishing Susceptibility and Resiliency Report,” Cofense.

[2] “2018 Data Breach Investigations Report,” Cofense.

[3] “2016 Enterprise Phishing Susceptibility and Resiliency Report,” Cofense.

[4] “2016 Enterprise Phishing Susceptibility and Resiliency Report,” Cofense.

[6] “6 Common Phishing Attacks and How to Protect Against Them,” June 5, 2016.
