Phishing: How Organizations Can Immediately Protect Their People From This Dangerous Threat (Free Kit Included)
Security is Everyone’s Responsibility
In recognition of October being National Cybersecurity Awareness Month, we think it’s important for everyone to realize how much their behavior impacts security for themselves and their organization. Proofpoint found in its 2019 Human Factor Report that a stunning 99% of the threats observed require human interaction to execute. With this year’s theme of “Own IT. Secure IT. Protect IT.”, we agree it’s more important than ever to encourage personal accountability and proactive security behavior. Below are ways in which organizations can ensure their people practice cyber-safety skills at home and work all year long.
Despite Communication Changes, Email Remains the #1 Threat Vector
Communication in 2019 is drastically different from just 10 years ago. Today people don’t just call, text or email each other. They use applications like Snapchat, WhatsApp, Slack and more to message others for work and personal communications.
Despite all this change, email has remained the number one threat vector – with phishing attacks still accounting for the vast majority of successful attacks. According to the 2018 Verizon Data Breach Investigations Report, 93% of all breaches stem from attacks targeting people, 96% of which are via email.
Spear Phishing on the Rise, and Users Aren’t Prepared
While phishing has remained a constant threat, the craft itself has become more sophisticated. Spear phishing attacks, which are more targeted to specific users and, therefore, more dangerous than bulk phishing attacks, are on the rise. Along those same lines, according to the FBI, losses associated with business email compromise have reached $26.5 billion over the last three years.
With the advent of LinkedIn and other social media sites, the amount of personal information available to cybercriminals to understand who you are and target attacks accordingly has risen dramatically. This makes it easy for threat actors to identify the exact people they want to attack based on their goals. For example, they may go after finance teams because they control money, HR teams because they control sensitive data and legal teams because they control business data.
According to our 2019 State of the Phish report, the number of spear phishing attacks is increasing. In 2018, 41% of organizations reported at least six attacks per quarter, which was up from 33% in 2017. This has a worrying effect on reported incidents from phishing. According to a survey from the same report, incidents for both compromised accounts and loss of data rose in 2018 compared to 2017, with malware infections staying the same year-over-year.
One might think that younger users are more prepared to face these advanced threats as digital natives, but we find the opposite is the case. We asked working adults with access to a computer to define phishing. Below is the percentage of users in different age groups that defined phishing correctly:
- 47% of users aged 18-21
- 58% of users aged 22-37
- 68% of users aged 38-53
- 73% of users aged 54 and up
How Can Users Prepare for Today’s Threats?
Given all this information, how can users be resilient against today’s sophisticated spear phishing attacks? The realization someone might be vulnerable is a great first step. Most users believe they would never fall for a phishing scheme, but don’t realize how similar today’s attacks look to any other email they might expect in their normal course of business.
Simulated phishing attacks (conducted by IT security teams) are a great way to understand end-user risk and give users the “ah-ha” moment of realizing they are vulnerable to attack. In these situations, users are sent a simulated phishing email and if they click, they receive a message like the one above. These interactions serve as teachable moments rather than a punishment. Armed with the knowledge to question an email’s intention, people can protect themselves both at work and at home.
As we consume more content on more devices, it becomes increasingly important that users have an instinctive understanding of what could be malicious and question the content they’re interacting with. Every day the average person encounters:
- 5,000 ads
- 300 emails
- 30+ text messages
- 6 phone calls
To handle all of these messages, people need actionable ways to quickly assess potentially malicious content as they go about their day.
To do this, just like any other skill, users need education on how to hone their phishing prevention – ideally something short and targeted to keep their attention and educate them on one specific topic. Skills like hovering over links, validating the message through another channel and understanding what kind of links are malicious are important fundamental baselines for users to protect themselves from phishing attacks – but this knowledge applies to other new communication channels as well.
If you’re holding users accountable, it’s important to give them tools to fight back against phishing and potentially save the company from a real attack. Organizations can do this by allowing users to practice their newly learned skills and report suspicious emails with one click using an email add-in. After those emails are reported, they can be automatically classified and pulled from users’ inboxes if malicious. Finally, you can send a customized message back to users thanking them for reporting. This entire process makes users part of the solution and helps build an improved security awareness culture.
Give Your Users This Free Phishing Awareness Kit for October
While we offer a full security awareness training solution and encourage organizations to run a full program year-round, every organization has to start somewhere.
This year we’ve put together a free National Cybersecurity Awareness Month program to help organizations with their initiatives in October – focused on phishing. Here’s what’s included with this phishing awareness kit:
- Communications plan for administrators for delivering all the pieces below
- End-user facing poster, newsletter and phishing decision tree infographic
- 3 Tips to avoid phishing and business email compromise blog post
- Awareness video: 60 seconds to better security
- A PowerPoint recording and slide deck with script for a webinar
- Attack Spotlight awareness modules and PDFs. This free content is part of our ongoing series designed to make end users aware of the most dangerous and trending lures Proofpoint threat intelligence sees targeting our customers around the world.
These materials are a small but important piece of how people can be protected against the dangerous and evolving phishing threats. We hope you find value in them and look forward to working with organizations in October and beyond to protect people, data and brands from today’s advanced attacks.