Phishing. A very strong argument can be made that phishing (including its variants clone phishing, spear phishing, whaling, and smishing) is the most important cyber threat facing companies and individuals today.
What Is Phishing?
For the uninitiated, phishing involves sending an email that purports to be a legitimate message from a well-known sender. In fact, the email is from a criminal whose goal is to convince the recipient to send confidential information, or to insert malware into the recipient’s computer system.
A typical phishing email might tell the recipient that his or her account may have been compromised and ask them to “update” information on a spoofed website that purports to belong to the legitimate third party. The criminal then uses the information to steal the individual’s identity.
Here is a good example of this type of phishing email:
Phishing emails have even more sinister and catastrophic uses, though. They are also used to deliver malware into corporate systems, which then transmits confidential information to the criminals. Such emails reportedly led to the Target breach in 2013, to the Anthem breach early this year, and to other recent very high profile breaches.
This second type of phishing email is very scary. If directed to someone who has the necessary computer system credentials to access confidential data (think C-Suite execs or senior IT staff), the email may allow the criminals to capture login information or to implant malware that will allow them to completely circumvent safeguards such as data encryption, firewalls, etc. This is the reason why reports have said that encryption would not have prevented the Anthem breach.
Ironically, this second more sinister type of phishing email often is a precursor to the first type of email directed at consumers. For example, the Anthem breach led to phishing emails just two days after the breach was disclosed. Here is an example:
As fraudulent email goes, this one isn’t too bad. You need to read this closely to find the telltale characteristics of a phishing email. I’ll talk about some of those below. Take a look at this now though and ask yourself whether you would have clicked on this, and if not what would have aroused your suspicions. Don’t feel too bad if you would have responded to this. According to the Verizon 2015 Data Breach Investigations Report 23% of people who receive phishing emails open them.
Who Are the Primary Targets of Phishing Scams?
According to a report issued by the Anti-Phishing Working Group, in 4Q2014 (the most recent quarter for which information is available) just three industry sectors were targeted in over 75% of all phishing attacks:
- Retail/Service (29.37% of all attacks)
- Payment Services (25.13%)
- Financial (20.79%)
What Harm Comes From a Phishing Attack?
The harm to consumers is the most obvious. If someone responds to a phishing email the information he or she provides is certain to be used for identity theft. Depending on what information is given this can lead to fraudulent use of credit cards, obtaining bank loans, theft of funds from bank accounts, filing tax returns and the theft of tax refunds, and other equally horrible events.
For companies that have been phished, they risk the loss of confidential information. This can include data that will facilitate thefts of money, but can also involve the theft of trade secrets and intellectual property. As we have seen in some high profile breaches, a phishing attack may also result in the exposure of information that may be embarrassing to the company and its staff.
A phishing attack can also damage a company’s reputation even if the company had nothing whatsoever to do with the attack. Phishermen regularly use the brands of companies to phish consumers. If an attack is large enough and successful enough that people associate the attack with the company, the company may unfairly suffer reputational damage that leads to a decline in its business.
While the introduction of malware designed to capture confidential information is a primary goal of phishermen now, a frightening possibility exists that phishing emails could be used to introduce malware such as the Stuxnet worm into industrial control systems and cause physical damage. According to this report, that has already happened at a steel mill in Germany. It is easy to imagine lives being lost as a result.
How to Avoid Phishing Losses
I would love to be able to tell you that there are hardware and software fixes companies and consumers can use to guard against phishing attacks. While such defenses exist, they are no panacea. The reality is that it is essential for email recipients, from a company’s CEO right down to each of its customers, to be vigilant about spotting phishing emails so that they do not open or respond to them.
Companies need to train their employees to identify phishing emails. This is the best defense available, and needs to be implemented conscientiously and continuously.
Phishing attacks frequently originate in non-English speaking countries. Employees need to look for awkward phrasing. (That is one of the indicators in the email examples above purporting to be from Citibank and Anthem.)
Employees also need to check any links in an email, but not by clicking on them. If the link appears to lead to an odd-looking web address the email may be suspect. Likewise, if the web address is similar to, but not exactly the same as, a known address, that is a good sign the email is a phishing attempt.
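One way to automate the link check described above, as an added example and not code from the original post: it pulls every link out of a constructed HTML message, compares the visible link text against the real destination, and flags destinations that are close to but not the same as a trusted brand domain. The trusted-domain list, the sample message and the similarity cutoff are all assumptions made for this demonstration.

```python
# Added example (not from the original post): inspect links in an email body
# without clicking them. Trusted domains, sample message and the 0.8 cutoff
# are constructed assumptions for the demonstration.
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"citibank.com", "anthem.com"}  # assumed brand domains
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([\w-]+(?:\.[\w-]+)+)")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude 'brand.tld' reduction: keep the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:])

def check_links(html):
    """Return (href, reason) for each link a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        if dom in TRUSTED_DOMAINS:
            continue  # real brand domain: nothing to flag
        close = difflib.get_close_matches(dom, TRUSTED_DOMAINS, n=1, cutoff=0.8)
        shown = DOMAIN_RE.match(text)  # does the visible text look like a URL?
        if close:  # similar to, but not the same as, a known address
            findings.append((href, f"lookalike of {close[0]}"))
        elif shown and registrable(shown.group(1)) in TRUSTED_DOMAINS:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        elif host:
            findings.append((href, f"unknown domain {host}"))
    return findings

SAMPLE_EMAIL = """<p>Your account may be compromised. Please
<a href="http://anthern.com/verify">update your information</a> or visit
<a href="http://203.0.113.5/login">www.anthem.com</a> for help.
<a href="https://www.anthem.com/">Anthem home</a></p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```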
Emails requesting personal information should be treated as suspect. Given the prevalence of phishing attacks few companies should be sending legitimate emails asking for such information.
Spear phishing emails often purport to come from someone or some organization known to the recipient. Employees need to be especially careful about any email that does not seem quite right, either in content, phrasing, appearance, or in the overall context of the individual’s relationship with the purported sender.
When there is any doubt about an email an individual should verify that it is legitimate. The best place to start is a company’s website. In the case of Anthem the company states on its website that it will not contact anyone by email. It is also possible to search the Internet using aspects of the suspect email to determine if it is part of a known scam.
There are fewer steps that a company whose brand might be used in a phishing attack can take to protect itself and its customers.
One step would be for companies to clearly state on their website how they will communicate with customers. This will give customers a reference point to help determine if an email is legitimate. The site could also be a place where a company reports known phishing scams involving their brand.
Another step companies can take is to include digital signatures on email messages. Such “signatures” are cryptographic codes that allow recipients to be certain that the email was sent by the specified sender. While the technology to use digital signatures exists now, unfortunately many email senders, internet service providers, email client developers, and others have not yet implemented the necessary infrastructure.
There are additional email authentication actions companies can take. This article is a good example of the bad publicity a company may face if it isn’t as careful in that regard as it could be.
Phishing and Cyber Insurance
A phishing attack on a company should be covered under a good cyber policy. The policy should cover legal expenses and the cost to investigate what happened. If the attack leads to a data breach, a cyber policy should cover the resulting costs to notify affected individuals, as well as any other costs such as credit and identity monitoring. Any liability to third parties should be covered under privacy and/or security liability insuring agreements.
In the event the phishing attack results in the corruption or destruction of data, or in business interruption loss, most standard policies will not cover the company’s resulting losses. Such coverage is available though, and often is not expensive to add to a policy.
If a phishing attack leads to an infiltration of malware that causes physical damage or bodily injury no standard cyber policy will respond to that loss. Some property policies might conceivably provide some coverage for property damage, but that is by no means certain. Fortunately insurers are beginning to offer policies that address this exposure.
No cyber policy will cover reputational loss sustained by a company whose brand is used in a phishing attack. It may be possible to cover that loss in a specialized policy though.