Understanding the threat of phishing e-mails and how to spot them is one of the key ways that you can protect your organisation and its employees. The number of phishing attacks being carried out is higher than ever and the form these phishing e-mails take is always evolving.
As a result of the ongoing pandemic, Covid-19 related phishing e-mails are becoming one of the most common ways that scammers attempt to exploit users. Earlier this month Google revealed that over the course of just one week they saw eighteen million malware and phishing e-mails related to Covid-19. In fact, the frequency of these phishing attempts has become so great that the World Health Organisation has put out a warning about phishing e-mails claiming to be from the WHO.
Phishing e-mails rely on creating a sense of urgency in a user, so it should come as no surprise that, with people clamouring for Covid-19 information, more and more companies are reporting that they are under attack from Covid-19 themed threats. Phishing e-mails that apply to a broad number of people and cause the recipient to panic, rather than taking the time to analyse the e-mail, are often the most successful. With Covid-19 affecting practically everybody and being a serious issue, phishing e-mails that mention the pandemic meet both of these criteria.
According to an IBM security report, the average cost of a security breach in 2019 was USD 3.92 million. This rises to USD 6.45 million for organisations within the healthcare industry. Especially in the current climate, where many organisations are struggling, this cost may be enough to ruin an otherwise healthy business.
What can organisations do?
As phishing e-mails evolve and become more complex, they become harder to detect and block. The best way to mitigate this is to ensure that all users know how to spot phishing e-mails and how to respond to them. Because phishing e-mails rely on social engineering, no piece of software can block them with one-hundred percent reliability. This makes users who are equipped to deal with phishing e-mails incredibly valuable to an organisation: a single user reporting a phishing e-mail can prevent hundreds of other users from becoming victims of the same campaign. Over time, the cost invested in training users and raising your organisation's ability to tackle phishing e-mails is likely to be far lower than the cost that could be incurred from a single successful phishing attack.
One of the most effective ways to train users is through simulated phishing campaigns. A simulated phishing campaign, when carried out effectively, teaches users how to spot a phishing e-mail and highlights at-risk users. During a campaign, users are sent a simulated phishing e-mail containing a link that records which users clicked it and which went on to submit data. This e-mail can be tailored to your organisation's needs, such as including information relevant to your company or replicating a particular type of phishing e-mail. Paired with good post-campaign training, a simulated phishing campaign allows an organisation to find out how vulnerable it is to phishing and to take steps to reduce that risk.
Exposure to phishing in a safe environment allows your users to exercise the practices and procedures you have instilled, and allows you to understand, and ultimately test, your weaknesses.