How to Protect Businesses from Phishing, Spear-Phishing and Whaling
Although phishing attacks have been around nearly as long as email, most businesses, large and small, are still vulnerable to these bogus emails, which entice employees to divulge sensitive information and can bring an organization to its knees.
In fact, according to a recent survey by Keeper Security, 79 percent of respondents who suffered ransomware attacks said that phishing emails were to blame for allowing the threat to enter their systems. Indeed, phishing scams have found ways to look more enticing than ever, impersonating companies such as Netflix or Citibank and targeting fans of popular events, like the World Cup.
Phishing scams are also spreading beyond typical corporate targets. Last year a scam that sought to elicit private information and money via false W-2 forms (the U.S. wage and tax statement) was aimed at the human resources departments of nonprofits, restaurants, hospitals and other nontraditional sectors.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,’’ IRS Commissioner John Koskinen said in a statement. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’
Spear-Phishing and Whaling Make Scams More Targeted
Not only are these threats not going away, they are getting more sophisticated. Spear-phishing adds reconnaissance to the social engineering: the attacker researches a specific company, or even a specific employee, and tailors the message to what that target expects to see, which makes the attempt far harder to spot. According to CDW's recently released Cybersecurity Insights report, spear-phishing has become, in the report's words, "both real and pervasive" over the last two years.
In 2016, spam made up more than 50 percent of the email received by businesses of every size, according to a recent report from Symantec.
“We used to see emails with grammar errors all over the place. Now you open an email and it looks and sounds professional,” John Lex Robinson, cybersecurity strategist at anti-threat firm PhishMe, says in the CDW report. “Social engineering is now being run like a business. They’re targeting individuals. They have moved beyond emails to build entire fraudulent ecosystems online.”
A step up from spear-phishing is whaling, which targets specific senior employees in an organization, such as those in the C-suite, whose authority over money and data makes a successful lure far more costly.
3 Ways to Stay Ahead of Phishing Attacks
So how can businesses — particularly small businesses with slim IT teams and stretched resources — stay ahead of increasingly smarter phishing campaigns?
Adopt the Right Tools: Layered technical controls that stop phishing emails before they reach a mailbox, or limit the damage when one gets through, are key. Modern anti-malware, data loss prevention tools, strong encryption and automated email client health checks are a good place to start when it comes to enhancing email security. No filter catches every targeted message, however, which is why the next two steps matter.
Stay on Top of Threats and Vulnerabilities: You can't protect against the threats you don't know are out there, so be sure to stay on top of the latest cybersecurity threats and trends. For small businesses without a dedicated IT team, advisors and third-party entities such as vendor partners can be a valuable resource to help fill in the gaps.
Educate Users: Employees who have been trained on how to spot and avoid suspicious emails are far less likely to fall victim to them. A single training is not a silver bullet, however. According to a 2017 report from Glasswall Solutions, 82 percent of employees will open email attachments if they appear to be from a known contact, a habit that persists even among employees trained to recognize sophisticated attacks. This is why continual training and a strong companywide security culture are key to keeping threats at bay.
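As an added example (not code from the article or from any vendor mentioned in it), here is a small Python triage script that applies the kinds of checks an email gateway or a security team can use to flag the spear-phishing and whaling patterns described above: an executive's display name paired with a non-corporate address, a lookalike sender domain, a Reply-To that diverges from the From address, and requests for W-2 forms or wire transfers. The company domain example.com, the executive roster and the three sample messages are constructed for illustration and are assumptions, not data from the article.

```python
"""Heuristic triage for spear-phishing and whaling emails.

Added example, not part of the original article. The corporate domain,
executive roster and sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed C-suite roster (lowercase names)
WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # free webmail providers attackers favour
# Phrases that signal a request for money or sensitive data (W-2 scam, wire fraud).
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|gift cards?|urgent(ly)?)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg) -> str:
    """Subject plus every text/plain part, so keyword checks see the whole lure."""
    if msg.is_multipart():
        parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return f"{msg.get('Subject', '')}\n{body}"


def triage(raw: str) -> dict:
    """Score a raw RFC 822 message and list the reasons it looks like spear-phishing."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply)
    reasons = []

    # Whaling: an executive's display name on an address that is not the roster address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' impersonates executive but address is {addr}")

    # Lookalike domain: within two edits of the corporate domain but not equal to it.
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom} is a lookalike of {COMPANY_DOMAIN}")

    # Reply path diverted away from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Replies (or the mail itself) routed through a free webmail provider.
    if (reply_dom or from_dom) in WEBMAIL:
        reasons.append(f"reply path goes to webmail provider {reply_dom or from_dom}")

    # Lure content: requests for W-2 data, wire transfers, gift cards, urgency.
    hits = sorted({m.group(0).lower() for m in SENSITIVE.finditer(message_text(msg))})
    if hits:
        reasons.append("requests sensitive data or money: " + ", ".join(hits))

    return {"score": len(reasons), "reasons": reasons,
            "verdict": "suspicious" if len(reasons) >= 2 else "ok"}


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Lunch next week

Can we find a slot for the team lunch?
"""

WHALING = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: cfo@example.com
Subject: Urgent wire transfer

I'm in a meeting, please process an urgent wire transfer today.
"""

W2_SCAM = """From: Payroll <payroll@examp1e.com>
To: hr@example.com
Subject: W-2 forms

Please send me the W-2 forms for all employees as PDF.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("whaling", WHALING), ("w2_scam", W2_SCAM)):
        result = triage(sample)
        print(label, result["verdict"], result["score"], *result["reasons"], sep="\n  ")
```

The thresholds (two edits for a lookalike, two reasons for a "suspicious" verdict) are starting points, not tuned values; in practice the executive roster comes from the directory, the webmail list is much longer, and a hit should route the message to a reviewer rather than silently drop it, since the whole point of whaling is that the target expects mail from that person.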