Deep Dive: Fraudsters Go Phishing

Businesses have good reason to be concerned about data breaches. Fraudsters’ attempts to access systems and steal valuable information are becoming more innovative, and research suggests they are also increasingly successful. Cybercriminals’ accomplishments come at the expense of targeted businesses, with a recent study finding that individual data breaches cost firms around the globe an average of $3.92 million in 2019 — a 1.5 percent increase from 2018. The same report found that the total cost of a data breach had risen 12 percent since 2014.

Growing attack-related expenses force businesses to remain vigilant against emerging threats, including phishing and other types of fraud that their own employees may knowingly or unknowingly perpetuate. Another recent study found that phishing accounts for 90 percent of all data breaches and that such schemes increased 65 percent over the past year.

Businesses need employees to build and promote their products, but they cannot afford to have those workers weaken their security, meaning fraud prevention must be among firms’ top priorities. The following Deep Dive delves into the steps companies can take to ensure their employees are knowledgeable about phishing and are at the front lines of anti-fraud efforts.

Fighting the Phishers

Phishing attempts threaten many firms’ security operations, often tricking employees into revealing email addresses, login credentials, passwords or other sensitive details. Workers could, for example, receive emails that appear legitimate but contain links that request such details. Fake vendors, impersonated trusted names or malware could also manipulate users into giving away information.

One notable phishing attack occurred in 2015, when healthcare giant Anthem suffered a breach that compromised more than 80 million patient records. The scheme originated from a number of phishing emails that targeted a handful of employees. Anthem paid out $16 million in a class action lawsuit, underlining how a relatively minor phishing attempt can have catastrophic consequences for businesses and their customers.

Companies can ensure protection by educating employees, running them through scenarios, adopting cybersecurity measures that filter out nefarious websites and implementing policies that require passwords to meet complexity standards and be frequently updated. Two-factor authentication (2FA) or encrypting sensitive data can also help.

Ensuring Secure Workplace Practices

Other fraud attempts targeting workplaces are no less dangerous. A changing workforce filled with more remote and non-traditional gig employees opens new doors for criminals looking to steal sensitive information. Workplace lapses can enable cybercrime, and some workers might not realize how their everyday actions endanger their companies. A survey from document destruction company Shred-It found, for example, that 25 percent of employees leave their computers unlocked and unattended, which could grant fraudsters access when employees step away. Those who write passwords or important notes on paper present similar opportunities, enabling bad actors to snap photos and log in to secure systems.

Remote work is becoming a point of concern as it gains ubiquity. Many employers believe off-site employees represent significant vulnerabilities, but they do not ensure these workers are taking protective steps. Most surveyed small and medium-sized businesses (SMBs) said they do not have related policies in place, despite the fact that fraudsters can use unsecured Wi-Fi connections at homes or coffee shops to target these employees, thus endangering company data and resources.

The gig economy represents more than one-third of the United States’ total economy, but freelance and contract workers may not be held to the same obligations as full-time employees. Companies can address these security gaps by updating policies to require clean desks and other specific expectations for remote workers. Such rules may also compel in-house employees to lock sensitive details in desk drawers, shred paper documents and responsibly dispose of computer hardware. Employees should also know whom to contact if a computer, laptop or phone is stolen.

Remote workers require their own protocols to ensure they do not fall victim to fraud. Data from gig worker marketplace Upwork found that while 63 percent of firms hire remote employees, 57 percent do not have remote work policies to ensure security. Companies should craft remote worker guidelines that clarify these rules and include secure resources, like video and phone conference lines, project management services and cloud-based document platforms, to ensure off-site and in-house employees use the same offerings. Every employee should also have access to a company contact in the event of a suspected breach.

Employees are the backbone of any company’s success, but businesses must ensure workers are not used against them. Preparedness can go a long way toward enabling workers to remain vigilant on the front lines against phishers and other fraudsters, especially as traditional work shifts away from offices.