Phishing is just one of many tools in a hacker’s repertoire and happens to be one of their most effective. Through phishing, hackers dangle their bait in front of preoccupied employees who would never dream that their PC could provide an open door for a hacker. That’s why it is so important that employees understand how phishing works, how costly it can be, and what they can do to avoid letting themselves become an unwitting accomplice to a hacker’s attack on their company.
The Nature of Phishing
Phishing involves a malicious entity that sends out emails that look like they are from reputable, well-known companies (maybe even the employee’s own employer) – but these emails are not what they seem.
Sometimes the purpose of a phishing email is to trick the recipient into revealing information such as logins, passwords, or personal information. Other times, phishing emails are used to install malware on the recipient’s computer. Once the hacker behind the phishing attack has succeeded in infiltrating the target system via login information or malware, the damage they cause quickly escalates.
Phishing Can Be Very Costly
So how expensive can phishing be? Well, consider what happened to a bank in Virginia that fell victim to two phishing attacks in just eight months. Their disaster began when an employee received and opened a phishing email which succeeded in installing malware on company computers. The malware was able to use the victim’s computer to access the STAR Network, a site used to handle debit card transactions. Through the STAR Network, the hackers behind the malware were able to steal $569,000 in that one incident alone.
But that wasn’t the end of the matter. Eight months later, even after hiring a cybersecurity forensics firm and following their advice to better secure their system, the same bank was victimized again through another phishing email. This time, the hackers again gained access to the STAR Network, but then used the bank’s Navigator system. Through those systems combined, the hackers were able to credit money to various bank accounts and then withdraw the money using hundreds of different ATMs. Losses from this incident amounted to almost $2 million.
To make matters even worse, the bank’s cyber insurance provider denied coverage and the bank is now forced to pursue a lawsuit to recover their losses.
The Very Real Dangers Of Phishing Attacks
Phishing wouldn’t be so effective if it wasn’t so easy for busy employees to fall victim to seemingly legitimate emails or innocent-looking attachments. The malware that was used to initiate the first attack on the bank discussed in this article was embedded in a Microsoft Word document. Most of us have worked with thousands of Word documents during our careers and have never been victimized by one – but it only takes one time to cost a business millions of dollars.
In this case, once that document was opened, the malware was installed and the group behind it had access to what they needed. The bank in question hired Verizon to investigate both incidents. It was finally determined that the same group of Russian hackers were likely responsible for both attacks.
Common Sense Required
Even the most powerful of cyber security systems is still susceptible to attacks that take the form of phishing or social engineering. As long as people continue to subscribe to the view that firewalls, anti-virus, and anti-malware systems provide all the protection against cyberattacks that a company needs, then successful phishing attacks will continue. Education is one of the forgotten keys to foiling phishing attacks.
Employees need to be taught how to recognise a suspicious email and be given real-world examples of how convincing phishing emails can appear. They need to be encouraged to view both emails and attachments with a critical eye. Employees must also understand that, under no circumstances, is there a legitimate reason for someone to ask for their password.
Another aspect of this type of education is making sure that people realise that the targets of phishing are not C-suite executives or IT technicians, but employees from all levels. Through a connection to the company’s network, any employee’s computer could serve as a launching pad for an industrious hacker’s plan of attack.
Conclusion
Phishing attacks are a reality that must be addressed if a company wants to avoid becoming a victim. These attacks often result in very expensive losses that may not be covered by insurance. While the importance of a rigorous cyber security system is never to be overestimated, neither is the importance of employee education. Too many employees have unwittingly become accomplices in costly cyberattacks because they didn’t recognise a phishing email and never thought they could be the target of one. The first line of defense against phishing isn’t a network firewall, but a trained employee who knows how to recognise a suspicious email or a questionable attachment.