Advancing technology is something to marvel at. Whether it be new advances in virtual communication or the ability to create one’s own business apps without any coding experience, technology will only continue to advance to our benefit. One would think that with all the new things being innovated constantly, new threats would take the forefront of digital hijinks. Although new threats are inevitably dangerous, the most consistent threat that impacts many businesses today remains the same as it has been over the past decade. Phishing is the broadest-reaching and most impactful scheme to date. Unfortunately, it remains a tried-and-true method of stealing money, assets, and vital (and usually confidential) company data.
Who falls for it?
Breaking down some of the statistics that phishing presents is daunting as the numbers and percentages appear to be way too high. According to the FBI, in 2020 phishing was the most prevalent threat to US companies with 75% of businesses seeing some sort of phishing attack. Unfortunately, over 240,000 individuals fell victim to these attacks costing companies and individuals millions if not billions of dollars in the process.
Additionally, according to Terranova’s 2020 Gone Phishing Tournament which was co-sponsored by Microsoft, 20% of employees are likely to click on phishing email links, and of those that click, 67.5% of them are likely to enter their credentials on a phishing website. A quick calculation of these staggering numbers computes that 13.4% of employees are likely to submit their passwords on a fraudulent site. If you have over 10 employees, at least one is extremely susceptible or has already fallen for a phishing attempt.
Why is Phishing a ‘Big Deal’?
There are 3 basic ways to think about the cost of phishing: loss of capital, loss of data, and loss of trust. Capital is the easiest loss to understand. If a malicious actor gains access to a bank account, old checks, or any other financial information, and they can wire funds to a location offshore, the cost is exactly the amount they were able to take. This could range from a couple of dollars to millions depending on the access they received.
Loss of data is a little less tangible, but potentially more dangerous. If a data breach occurs and a company loses all its data, it could be way more costly than losing capital. Depending on the compliance procedures of the company as well as the product they sell, company data could include customer information (like address, credit card numbers, and contact information), company financial information (like routing numbers, account numbers, banks, invoices, accounts receivable), and employee information (retirement accounts, payroll, insurance, etc.). IBM puts the average cost of a data breach at 3.86 million dollars.
Loss of trust can bankrupt a business without scammers taking a dime. If you give your personal information to a company expecting your privacy to be respected and then one day you are told that that business lost your private information, you will probably not want to do business with that company again. Loss of trust can be the most impactful cost of phishing as it is extremely difficult to recover trust once it is lost.
How does Finchloom deter Phishing?
Finchloom+ for Email Security (formerly “PhishPrevent”) is an all-in-one managed security solution for companies of any size. Whether you have 10 employees, or thousands, your business data will be secured from email phishing schemes at every level of your business. So how does it work? First, Finchloom will run a free breach assessment on your tenant to ensure that there have been no breaches prior to starting with the monthly Email Security service. If your business has had data breaches, and there are still malicious actors or software within your tenant, we remove them and make sure that you are secure before installing our turnkey solution.
Once Finchloom+ for Email Security is active within your company, users will receive warnings on suspicious emails, including emails from new senders, emails from copycat domains (like @flinchloom instead of @finchloom), and emails requesting immediate action, just to name a few. Users also have the option to report any email that they are wary of with a button that is added directly to Outlook. When reporting an email, users select the reason they are reporting from a list. This list includes, but is not limited to, impersonation attempts, odd content, and pushing for sensitive information.
Reported emails are reviewed by a real person on the Finchloom team, and once a determination has been made, one of two things happens. If the email is deemed safe, it is returned to your inbox. If deemed malicious, the email is permanently removed from your inbox as well as the inboxes of all other employees who received the email.
Employees additionally receive phishing simulations to test awareness. Those who fail the simulations (i.e. click the suspicious links, reply with personal information, etc.) are given on-the-spot training.
Finchloom+ for Email Security is a great monthly service on its own, but a not-so-unintended consequence of these semi-regular simulations is the growth of a company-wide security culture. One of my favorite things about the monthly service aside from its ability to deter phishing is the inherent creation of threat awareness. Every time I see an email that looks even remotely suspicious, I immediately think ‘Is this a test?’ and further analyze the email. If I am unsure, I usually report the email and worst case, it returns to my inbox scot-free.
There is a sense of competition created when reporting emails, and we as a company get to see how many of us reported, how many did not, and sometimes we even know who was the first to report. We at Finchloom are all very aware of the threat of phishing, and last time a test was sent out, the first report was within a minute of the send. That means that if there was an actual phishing email sent to the company, it would have been noticed and removed from all user inboxes almost immediately.
Phishing is a threat that is, at least for now, here to stay. If your business is not already defending against this active threat, now is the best time to secure your tenant and your company data. To receive a free breach assessment and protect your valuable assets, fill out our contact form here or visit our phishing awareness page to learn what to look for in your company emails. Please consider subscribing to our blog series here, and I will be back next week with another article. Thanks for reading!