Enterprise phishing scams on the rise: Don’t overlook user error


The year 2020 seems like the year that never ends. The COVID-19 pandemic threw the world into a state of flux at the end of winter and start of spring.

Businesses have tried desperately to provide consistent service to their customers. Many have had their employees working from home.

While this has made it possible for businesses to continue their operations relatively safely, it has also opened them up for cybersecurity attacks. In fact, according to data that was recently published, the number of phishing attacks has increased drastically over the last few months. On average, companies are experiencing over 1,180 attacks each month.

Understandably, organizations have taken steps to mitigate the effect that these phishing attacks have had. Some organizations have installed VPNs, and others have implemented protocols to protect themselves. The results they have obtained have been mixed.

Successful Attacks Lead to Increased Costs

The pandemic brought in a whole new wave of cyberattacks. Many companies weren’t exactly prepared for the remote working situation and all of the risks of having their employees working from home. It forced most of them to change the way they operate in order to get through the pandemic with most of their workforce working from home.

Many countries recorded rapid growth of COVID-19 related phishing scams since the pandemic started, and Australia is one of them. According to Australian Competition and Consumer Commision report, cybercriminals are using the pandemic situation to take advantage of people across Australia, and phishing scams are currently one of the most common types of scams Australians are facing daily.

Remote workers became easy targets because they mostly weren’t properly educated on how to protect their devices and valuable data while working from home. While they were able to adapt easily to a new way of doing things, some of them weren’t able to avoid putting their companies at risk of cyberattacks by not following basic cybersecurity protocols. As recommended by the Australian Cyber Security Centre, these include (but are not limited to) reputable antivirus software, AES256-encrypted VPN services that work well in Australia as well as abroad, not using personal devices for work related stuff, and so on.

Even before the pandemic some surveys showed that most employees around the world feel confident that they can successfully identify a phishing attack. However, even if employees can identify phishing attacks, it is easy for them to get overwhelmed by the different attacks they are subjected to and make a mistake. All it takes is one mistake for an organization’s vulnerable information to be compromised.

Over the past five years, the FBI estimates that more than $12 billion has been stolen because of phishing attacks. Besides the money that is stolen, there is the money that organizations need to spend trying to repair the damage to their reputation. Organizations then need to revamp their cybersecurity apparatus to protect themselves from falling victim again. This leads to another expense.

Time and money are needed to contact individuals whose personal information has been compromised. There may be class action lawsuits and fines to government regulatory organizations that will also need to be paid. In 2018, the average cost for a business to recover from a breach was $3.9 million. Interestingly, cyber criminals are targeting small to medium-sized businesses.

The cost for the business to recover from the breach may not be as expensive. However, since small to medium-sized businesses have razor-thin margins, the impact on the business is greater. Many small to medium-sized businesses that have been victims of cyber-attacks had to shut their doors forever.

Preparing Employees to Defend against Cyber Attacks

If employees fall victim to a phishing scam, the effects are felt personally. Most employees, especially if they work in some text field, feel that they can avoid phishing emails. However, the statistics show otherwise.

When an employee is a victim of a phishing scam, they feel embarrassed. They have anxiety and fear losing their employment. A victim of a phishing scam will lose confidence in their own abilities. Therefore, it is vital that organizations are constantly training their employees. Employees should be given the information and the tools that they need to make real-time decisions about the emails they receive to avoid becoming a victim of a scam.

How Much Training Do Employees Need?

This becomes the million-dollar question. An organization does not want to train on cybersecurity so much that the employees start to tune out the information. They want to provide sufficient training so that employees are constantly aware of the threat of a phishing attack and are up-to-date with the latest tactics cyber criminals are using.

According to the BrainStation’s 2020 report, 42 percent of organizations have implemented digital skills training initiatives. Cybersecurity is a kind of a never-ending topic because it constantly evolves and changes its ways since hackers are continuously getting more and more creative with the attacks.

Previously, only employees who worked in sensitive areas or who had access to sensitive parts of the network needed to be cybersecurity-conscious. However, cybersecurity threats have evolved to where it doesn’t matter where an employee is in the organizational depth chart. Cyber criminals are not just looking to target the CEO. They are happy to target anyone who can get them into an organization’s network.

Therefore, it is imperative that organizations keep their employees up-to-date with the ever-changing landscape of cybersecurity.

Increased Phishing Scams and COVID-19

Recently, the Secret Service informed corporate America that fraudulent emails connected to COVID-19 were being spread at an alarming rate. Fraudsters are taking advantage of people’s fear of the pandemic and imitating government agencies or companies that employees expect to hear from with updates on the virus.

Malicious individuals are sending emails with attachments that let trackers install malware on computers. This malware could allow hackers to harvest credentials, lockdown the system using ransomware, or even install malicious malware. In most cases, the attachments are Microsoft Office or WordPad files.

However, there are several variations that exist. Cyber criminals are constantly evolving and looking for new vectors to initiate an attack. Corporations need to be on guard and know that they will be targeted. Small businesses and medium-sized businesses also need to have their guard up and their employees trained.

Phishing attacks happen by individuals pretending to be a vendor or a member of the supply chain. They use information that they have gathered to pretend to be entities that would usually be in an email communication with a business. The victim is caught unaware because they received an email from an entity that does not seem out of place.

Cyber criminals will pretend to be government agencies, like the US Department of Health and Human Services. They may request that a vendor provide them a price for PPE or may pretend to be offering PPE for free.

Training Employees to Avoid Phishing Scams

Businesses should not take it for granted that their employees understand phishing scams.

  •   They should clearly explain what a phishing scam is.
  •   Employees must understand that email addresses can be spoofed. Email should not be trusted just because it appears to be sent by a legitimate sender.
  •  Employee training should include the fact that phishing emails usually have language that is threatening or enticing. They may offer money or large prizes. Or they may tell you that your PayPal account, bank account, or credit card have been compromised.
  •  Phishing attacks are becoming more personal and more targeted. This means that they may include the name and email address of the victim.

Employees play a valuable role in keeping an organization safe from phishing attacks. It is worth the time and effort that organizations spend to train their employees and protect themselves from cyber-attacks.