Phishing is the biggest cyber threat faced by businesses, from small mom and pop stores to SMBs and the largest enterprises. Phishing is the fraudulent practice of obtaining sensitive information by deception, often using social engineering techniques to fool employees into disclosing their login credentials – either directly through emails or websites or indirectly via malware.
While phishing is primarily conducted via email, attacks can occur on websites, via SMS and messaging services, social media networks, or over the telephone. The consequences of a successful phishing attack can be severe, often resulting in costly malware infections, ransomware attacks, loss of customer information, theft of corporate secrets, or sizable bank transfers to criminals’ accounts.
In 2015, the health insurer Anthem Inc. experienced the largest security breach ever to affect a healthcare organization. More than 78.8 million plan members’ records were stolen in the attack. The security breach is believed to have started with phishing emails sent to its employees. The full cost of the breach is not yet known, although Anthem has settled a class action lawsuit for $115 million on top of the costs of mitigating the breach. Regulatory fines could also be issued.
The U.S. retailer Target experienced a phishing attack in 2013 that resulted in the theft of customers’ credit and debit card details. Approximately 110 million customers were affected by the breach, and the resultant class action lawsuit was settled for $39.4 million. The phishing attack was conducted on an HVAC contractor.
In 2016, an employee of Seagate Technologies LLC was fooled into emailing copies of employees’ W-2 Forms to a scammer. Approximately 12,000 employees joined a class action lawsuit that sought damages for the exposure of their tax information. The lawsuit was settled for $5.75 million.
In December 2015, the Department of Health and Human Services’ Office for Civil Rights (OCR) agreed to its first HIPAA violation settlement over a phishing attack. UW Medicine agreed to pay $750,000 to resolve the HIPAA violations. In the breach, malware was installed on its network and the protected health information of 90,000 individuals was compromised. The malware was inadvertently installed by employees who responded to phishing emails.
Metro Community Provider Network (MCPN) settled a HIPAA violation case with OCR for $400,000 in 2017. The PHI of 3,200 individuals was obtained by a hacker following a successful phishing attack.
These regulatory fines and class action lawsuits are only part of the costs that must be covered. According to the Ponemon Institute/IBM Security Cost of a Data Breach Study, the average cost of a data breach is now $3.62 million.
In 2016, phishing attacks caused more than $3.1 billion in losses. The true cost of phishing attacks cannot be accurately determined: many phishing attacks go unreported, and even when they are reported, the losses sustained are often not disclosed.
Phishing attacks take advantage of busy employees who do not stop and think before responding and individuals with poor security awareness. However, anyone can fall for a phishing email. While it was once fairly easy to identify a phishing attempt, phishing attacks are now much more sophisticated and use a wide range of techniques to fool even diligent and security aware individuals into responding and disclosing their credentials.
Organizations that provide security awareness training to their employees can greatly reduce susceptibility to phishing attacks. Research by Cofense, a provider of anti-phishing training and related solutions, suggests training and phishing simulations can reduce susceptibility to phishing attacks by up to 95%.
Through training, organizations can eradicate risky behavior, train employees to stop and think before responding to email and web requests, and teach security best practices. Coupled with phishing simulations to reinforce training, it is possible to turn employees into a strong last line of defense.
Combine security awareness training with technologies such as spam filtering solutions to reduce the volume of threats that reach inboxes, and it is possible to mount a robust defense against phishing attacks and avoid becoming another data breach statistic.