This post was originally posted on Corporate Compliance Insights.

5 Tactics to Prevent Phishing Exposure

Cyber criminals have used phishing emails to launch the vast majority of cyberattacks. Amid a wave of new data management regulations, the major data breaches of late reveal a critical risk vector that cyber criminals are exploiting: the human.

Major data breaches, such as the notable cyberattack on Target, have started with a phishing attack. In these instances, bad actors send fraudulent emails claiming to be from reputable companies or commercial partners to trick individuals into revealing personal information such as passwords and credit card numbers.

Detection of phishing attempts should be a priority for all organizations, regardless of size, location or industry. After all, the one critical gap that cyber criminals continue to exploit heavily is the human. According to Tripwire, 76 percent of organizations are still the target of phishing attacks. Perhaps even more alarming is that only 65 percent of organizations knew what a phishing attack was, while Digital Guardian maintains that 91 percent of cyberattacks start with a phishing email.

To help businesses mitigate cyber risk and stay compliant with the latest cybersecurity and data management regulations, here are five best practices to follow when monitoring for phishing attempts.

1. Recognize that your business is a target.

It does not matter whether you are a small business, a large hedge fund or a private equity firm: attackers see your organization as a target with greater return potential than most individuals. Successful phishing attacks are usually the result of temporary lapses in situational awareness, moments when this fact is forgotten.

2. Pay careful attention to email origin.

Attackers create fake email accounts to send messages under the guise of someone you or your firm knows and trusts. Glancing at the sender name does not work in 2018. You must look at the email address in its entirety. For example, Owen.Smith@company.com looks almost identical to 0wen.Smith@company.com. The two addresses differ by a single character: the letter O has been replaced with the digit 0. That single character could spell the difference between sending several million dollars’ worth of sensitive information to a trusted commercial partner and sending it to a malicious cyber attacker.
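The look-alike check described above can be automated. The following is an added example, not code from the original article: it compares an inbound sender address against a constructed directory of trusted contacts after folding common character substitutions (0 for o, rn for m, and so on), and flags any address that matches a trusted contact only after folding or that differs from one by a single character. The contact list, the confusable table and the classification labels are assumptions made for the example.

```python
"""Flag sender addresses that look like, but are not, known trusted contacts."""
import unicodedata

# Constructed directory of trusted senders (assumption for this example).
TRUSTED_CONTACTS = ["Owen.Smith@company.com", "ap@vendor-invoices.com"]

# Single characters commonly swapped for letters (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "$": "s", "|": "l"})
# Multi-character sequences that read as one letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(address: str) -> str:
    """Lower-case, strip accents, and fold look-alike characters to their letters."""
    folded = unicodedata.normalize("NFKD", address).encode("ascii", "ignore").decode().lower()
    local, sep, domain = folded.partition("@")
    parts = []
    for part in (local, domain):
        part = part.translate(CONFUSABLES)
        for seq, letter in MULTI_CHAR:
            part = part.replace(seq, letter)
        parts.append(part)
    return parts[0] + sep + parts[1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the simple O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, trusted: list) -> str:
    """Return 'trusted', 'lookalike' (near-match worth a second look) or 'unknown'."""
    s = sender.strip().lower()
    if s in (t.lower() for t in trusted):
        return "trusted"
    s_norm = normalize(s)
    for t in trusted:
        t_norm = normalize(t)
        # Equal only after folding, or one edit away: the page's 0wen/Owen case.
        if s_norm == t_norm or levenshtein(s_norm, t_norm) <= 1:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a prompt for the validation step the article recommends, not proof of fraud, since typos by a genuine partner produce the same signal.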

3. Always be attentive to attachments.

Criminals deliver malware via attachments, which are usually labeled with benign names. Attackers select names intended to entice victims, so be extra cautious before opening an Excel spreadsheet labeled “employee salaries” or a PDF document named “Invoice.” For those who are accustomed to receiving billing statements, invoices or other common payment documents on a regular basis, consider adopting a malicious email detonation chamber. These isolated environments or virtualized sandboxes allow organizations to open email attachments, execute suspicious applications and follow Uniform Resource Locator (URL) links safely, without jeopardizing the wider organization.

4. Don’t let urgency undercut scrutiny.

Did someone send you an email with a subject line titled “Your company made the list for top private equity firm, please confirm ASAP” with a link or attachment? Is someone requesting that you wire funds to a partner account immediately? Attackers use time sensitivity against their targets to create the perception that an opportunity is disappearing, when they are really closing the window in which a target can conduct its due diligence. Slowing down may save you a headache, so be proactively suspicious of any email requesting or demanding immediate action. If the sender does not usually ask for such actions, take the extra step of validating the request through a channel other than the email itself.

5. Go by the grammar.

One of the more commonly overlooked signals of email phishing attacks is grammar. By no means does this signify that every phishing email contains poor grammar, but it is certainly one sign to take into consideration. Check for incorrect spelling and punctuation when trying to detect threats, especially around terms and names that should be familiar to the enterprise and its commercial partners.