Deep Dive: How Organizations Can Fight Back Against the Ravages of Phishing

Data breaches are a major concern for any organization that deals with a wide range of customers, as these incidents spill both corporate and consumer information into cyberspace.

Customers trust businesses with a vast quantity of information, ranging from relatively innocuous data like names and email addresses to vital security information, including passwords, Social Security numbers and payment details. Having this information leaked can cost businesses and their customers big money, with the average breach in 2021 costing $4.2 million.

Fraudsters leverage a variety of schemes to perpetrate data breaches, but none is as popular as phishing, in which bad actors trick individuals into sharing their usernames, passwords or login information. Almost one in five companies suffered data breaches last year due to phishing attacks.

To stop data breaches, phishing also must be stopped, either through the use of advanced software or via employee training and education. The following Deep Dive explores how phishing attacks succeed, the damage they cause and the steps companies can take to reduce their risk of falling victim to such strikes.

Phishing Scams and Effects

Fraudsters deploy many different phishing tactics to steal employees’ credentials and personal data, but the best-known technique is the fake email. For example, an employee could receive an email that appears legitimate but links to a request for email addresses, login credentials, passwords or other sensitive information. Employees might believe these messages were sent by their own IT teams or vendors, but the data they enter instead ends up in bad actors’ hands. Seventy-five percent of all businesses faced such schemes within the past year, a study found, and 57% of these attacks were successful.

Successful attacks can cause a catastrophic amount of damage. One particularly devastating incident occurred in 2015, when healthcare giant Anthem suffered a breach that compromised more than 80 million patient records. The attack originated from several phishing emails that targeted a handful of employees, resulting in Anthem paying out $16 million in a class action lawsuit.

Sony Entertainment, meanwhile, fell victim to a phishing scheme in which a North Korean government-backed hacker leaked thousands of executives’ emails, costing the company upward of $100 million. This type of fraud also was a factor in U.S. presidential candidate Hillary Clinton’s 2016 campaign, when a phisher leaked campaign chairman John Podesta’s personal records.

Businesses of all types are making it a priority to prevent the loss of funds and data and to preserve their reputations, and this begins with eliminating phishing as a potential threat. Putting an end to phishing is a tall order, but organizations can start with employee education and fraud control software.

Fighting the Phishing Fiasco

One of the best ways companies can protect themselves is to ensure workers are aware of security best practices, including identifying suspicious emails, enabling multifactor authentication (MFA) and keeping their usernames, passwords and other information to themselves. Traditional signs of fraud, such as misspelled words, poor grammar or unusual word choices, have become less effective as fraudsters grow smarter, meaning employees must be more focused on the actual content of phishing emails rather than just how they are written.

“A few years ago, the attackers would commonly have spelling mistakes, and we would educate people about that,” DocuSign’s chief security officer Emily Heath told PYMNTS in an interview. “But now they’re getting a lot slyer, and it’s almost as if they’ve integrated design into it themselves because a lot of these emails are just so well written. So, the education has to go a step further as to inspire curiosity.”

Instead, employees should look at the sender’s email address to see whether it makes sense, and consider whether they were expecting an email from the sender or whether it arrived out of the blue. Businesses can augment this training with regular drills that deploy fake phishing emails to see if their employees open them and, if so, devote additional resources to more education.

Anti-phishing training also can be augmented with protection software that analyzes users’ web activity and blocks them from potentially suspicious websites. One example is anti-phishing toolbars, browser extensions that check sites against databases of known fraudulent websites and block employee access to them. However, these programs should not be the final step in phishing prevention, as fraudsters are constantly refining their techniques to stay ahead of anti-phishing software.
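As an added, defender-side illustration of the sender-address check described above and the known-bad-domain lookup a toolbar performs (example code written for this page, not from the article or any product it mentions; the domains and messages are constructed):

```python
# Added example, not from the PYMNTS article: a small sender-address check
# of the kind the text recommends, plus a blocklist lookup like a toolbar's.
# All domains and From headers below are constructed for illustration.
from email.utils import parseaddr

EXPECTED_DOMAINS = {"example.com", "vendor-example.net"}  # constructed allowlist
KNOWN_BAD_DOMAINS = {"examp1e-login.com"}                  # constructed blocklist


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the real address domain, ignoring the display name
    (a display name such as 'IT Helpdesk' proves nothing)."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(from_header: str) -> str:
    """Classify a From header: block known-bad, accept expected,
    warn on lookalikes of expected domains or on anything unknown."""
    domain = sender_domain(from_header)
    if not domain:
        return "reject: unparseable sender"
    if domain in KNOWN_BAD_DOMAINS:
        return "block: known phishing domain"
    if domain in EXPECTED_DOMAINS:
        return "ok: expected sender domain"
    for good in EXPECTED_DOMAINS:
        if edit_distance(domain, good) <= 2:
            return f"warn: lookalike of {good}"
    return "warn: unexpected sender domain"


if __name__ == "__main__":
    for hdr in ("IT Helpdesk <security@example.com>",
                "IT Helpdesk <security@exarnple.com>",
                "<reset@examp1e-login.com>"):
        print(f"{hdr!r:45} -> {assess_sender(hdr)}")
```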

Failing to keep phishing schemes in check can prove ruinous for companies. A multilayered approach that combines education and software is likely the best way to prevent these attempts on employees, and to ultimately keep private data safe.