Movies and TV shows make it seem that all cyber attacks involve a hoodie-wearing computer wiz entering complicated commands at a lightning-fast speed to infiltrate heavily defended networks of high-profile organizations. The reality, as is often the case, is far less glamorous but just as alarming.
It turns out that the most common attack vector in use today is email phishing, a social engineering technique so simple that it requires only basic technical skills to execute. But despite its simplicity, phishing is responsible for 70 to 90 percent of data breaches, and the ongoing COVID-19 pandemic has only made everyone more vulnerable to it.
To avoid email phishing, organizations need to understand how phishing attacks happen and familiarize themselves with the most effective protection strategies in 2021.
What Are Email Phishing Attacks?
The Merriam-Webster dictionary defines phishing as “a scam by which an internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer can use illicitly.”
Email phishing attacks are by far the most common type of phishing because they can be easily executed at a massive scale and yield surprisingly good results. Such attacks typically follow the same basic blueprint:
- The phisher selects suitable targets, such as small organizations using Microsoft products, and crafts a series of convincing phishing emails.
- Then, the phisher sends out the emails to individual employees, circumventing spam detection systems by faking the sender’s email address or using stolen login credentials to gain access to a trusted email address.
- Finally, the recipients click a link or download an attachment contained within the phishing emails, allowing dangerous malware to enter their computers and spread to other devices on the same network.
Once the network has been successfully infiltrated, there’s nothing stopping the attacker from running away with a sizeable digital bounty in the form of stolen personal data or sensitive business information.
Who Is the Target of Email Phishing Attacks?
Virtually anyone will, at some point, become the target of email phishing. However, some email users are seen as more lucrative targets than others. Phishers like to target employees at every level because they hold login credentials that can unlock internal systems, and they have access to information that can be used to make further phishing attacks more convincing.
CEOs should be especially cautious when opening emails because a survey commissioned by Cloudmark revealed that they have actually been one of the most targeted groups for years, followed by CFOs and other C-suite executives.
Last year, for example, Group-IB described an Office 365 phishing attack that targeted high-ranking executives at more than 150 businesses, half of which were identified as financial services firms in global and regional financial hubs such as the U.S., Germany, Hong Kong, and Singapore.
The still-ongoing coronavirus pandemic, and the social distancing measures intended to slow down its spread, have made employees across most industries more vulnerable to email phishing attacks by forcing them to work remotely, often using their own personal devices in a distracting environment.
As such, it has become more important than ever for organizations to learn how to avoid email phishing. The penalty for not doing so can be a costly data breach and irreparable damage to the organization’s reputation.
How to Avoid Email Phishing Attacks?
If email phishing attacks were easy to avoid, they wouldn’t be the single biggest cause of data breaches. To successfully defend themselves against them, organizations need to implement a multi-pronged cybersecurity strategy that includes the following elements:
- Good password policies: The goal of many email phishing attacks is to obtain employee login names and passwords to steal sensitive information. Unfortunately, employees often make everything easier for phishers by reusing the same weak passwords over and over again. That’s why having good password policies and mandating two-factor authentication (2FA) can go a long way in avoiding email phishing attacks.
- User awareness training: Cybersecurity experts like to say that users are the weakest link in the cybersecurity chain, and they’re absolutely right. Most email phishing attacks would never result in a data breach if all employees were able to recognize them. Ongoing user awareness training can turn employees from the weakest link into the first line of defense, making it well worth the time and effort.
- Network protection solution: Modern network protection solutions provide a valuable layer of email security capable of distinguishing legitimate messages from fake ones. For example, organizations can defend themselves against Office 365 phishing emails using Barracuda Sentinel for Office 365, a subscription-based protection solution for Office 365 that takes advantage of industry-leading AI and automation to support organizations throughout the lifecycle of an attack.
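The faked sender address in step two of the blueprint above, and the "distinguishing legitimate messages from fake ones" layer in the last list item, can be checked mechanically from message headers. The following is an added example, not code from the original post or from any vendor named here; it uses only the Python standard library, two constructed sample messages, and assumes the receiving mail server already stamps an Authentication-Results header with its SPF, DKIM and DMARC verdicts.

```python
"""Triage incoming mail headers for the sender-spoofing tricks that phishing emails rely on."""
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail): one spoofed, one legitimate.
SPOOFED = b"""\
From: "CEO <ceo@example.com>" <billing@mail-invoice.example.net>
Reply-To: ceo.urgent@example.org
To: cfo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please process the attached invoice today.
"""

LEGIT = b"""\
From: "Alice Smith" <alice@example.com>
To: cfo@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Draft attached.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")      # mechanism=result pairs
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")              # an address hidden in a display name


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of spoofing indicators found in the headers of one raw message."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Display name that embeds an address from a different domain (the classic "CEO" lure).
    embedded = ADDR_RE.search(name)
    if embedded and domain_of(embedded.group()) != from_dom:
        findings.append(f"display name impersonates {domain_of(embedded.group())}")
    # Replies silently redirected to a domain the sender does not control.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    # Any SPF/DKIM/DMARC verdict other than pass recorded by the receiving server.
    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            findings.append(f"{mech}={result}")
    return findings
```

In a mail gateway these findings would feed a quarantine or banner decision rather than being the sole verdict, since a compromised but legitimate mailbox passes every check here.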
With these cybersecurity measures in place, phishers will have a much harder time tricking employees into disclosing sensitive information or downloading dangerous malware. If you would like help with email security implementation, you can contact us at BCA and let us strengthen your cybersecurity defenses while you continue focusing on your core business.