The Cost of Email Phishing

When did email become the weakest link? How can you protect your organization from email phishing attacks?

There have always been problems with people clicking on malicious links and somehow having them sent directly to you seems to make it more likely you will click on it.

One out of every 99 emails is a phishing scam which means that every employee in your organization is getting almost 5 phishing emails every workweek. Unfortunately, most people rely on their email program to filter out such messages.

Phishing Attacks Are Very Common — And Very Costly

Almost a third of phishing emails make it past default email security and 5% of those have been whitelisted by a system admin. There are several very common forms of phishing attacks:

• 41% are credentialing attacks in which hackers try to gain access to the target’s usernames and passwords, costing $400 per account to clean up.
• 51% of attacks are links that prompt the download of malware which can cause an average of $2.4 million in damage when successful
• 0.4% of attacks are spearphishing attacks in which high-level people in an organization are targeted. While these are the least common attacks, they can be the most expensive, averaging $7.2 million per incident.
• 8% of attacks are extortion attempts and when they are successful, they can cost an average of $5,000 per user.

Last year, 64% of information security professionals were targeted by spearphishing attacks while 35% of working professionals don’t even know what a phishing attack means. The cost of phishing comes in more than cleanup – it can also do serious reputational damage.

The average cost of a phishing attack on a midsized business is $1.6 million. There’s lost productivity while everyone tries to halt and undo the damage. There’s also a loss of proprietary data and perhaps the worst of all is the damage to a company’s reputation after a breach. A third of consumers will stop using a business once a breach has occurred and it could take years to recover from such an incident.

It’s Entirely Too Easy To Fall For The Bait

Even if you are in the 65% of working professionals who know what a phishing attack is, it’s still very easy to fall victim. Successful phishing campaigns play to our emotions and sense of urgency. They often feature subject lines designed to scare or cajole us into action.

Subject lines such as “complaint filed” or “open enrollment” make us believe there’s an action that needs to be taken immediately or something bad might happen. It may include losing our family’s health insurance or getting fired from our jobs.

It also doesn’t help that a quarter of phishing emails spoof trusted brands. When you are expecting a package from Amazon and happen to get an email from Amazon in your inbox, it might seem believable enough that you open it to see what’s going on.

The most common signs of phishing include:

• Address of a crypto wallet
• Link to a WordPress site
• BCC to many others
• Shortened URLs
• From a trusted brand
• Link to a file on Google Drive

Because these are all things that have legitimate uses, hackers can exploit them to make us think they are completely safe. Knowing the threat is the best way to avoid falling victim, but that may not be enough. If hackers weren’t so good at what they do, which is understanding human psychology, we would have no need for email scanning software.

It Helps To Have Backup

The existing spam filters in your email program catch a lot of the problems but not all of them. This lulls us into a false sense of security and leaves us believing that if something lands in our inboxes, it’s probably safe.

Unfortunately, this is just not the case. Learning how to avoid phishing attacks and schemes is crucial and it means reminding employees of these tactics on a regular basis. It can also help to get additional email scanning software to catch anything that looks real enough to be a threat.

Learn more about how email became the weakest link and how you can fight back from the infographic below.

Courtesy of Avanan