By Mike Petsalis
Email gets a bad rap. It is treated as a cumbersome messaging system, invented for the network that preceded the internet, and it has been rumored to be “dead” or dying for years now. Yet it is still used extensively wherever communication is necessary for normal business operations. Its openness is what makes it useful, but also what makes it insecure.
Fortunately, email security and the measures organizations can take to stop email threats have advanced enough that email remains indispensable despite its openness. However, one method of attack still makes some emails frightening to entrepreneurs, managers, and employees everywhere: targeted phishing. Targeted attacks are driven by manipulation and deception, and they lead to compromised accounts and the theft of money and data.
Phishing has rapidly become a lucrative business for fraudsters, and has made the need for awareness and protection more important than ever.
Targeted phishing is not just about password reset messages and fake support emails. It often involves complex social engineering ploys to get information or money out of someone. It’s a modern con that knows no borders, has a low barrier to entry, and offers an open door to millions of potential marks populating the ranks of businesses worldwide.
In 2017, according to the FBI’s Internet Crime Report, business email compromise (BEC), a form of targeted phishing intended to defraud businesses, cost the average reporting victim over $43,000. In May of 2018, the FBI updated its numbers, stating that reports indicated the threat had cost businesses more than $12 billion over the previous five years. What’s more, because these frauds are so embarrassing when they do occur, and because law enforcement can offer very little recourse, these figures most likely underreport the issue, making the threat even more concerning.
In the wake of Equifax and other headline-dominating large-scale breaches, individuals and businesses should also be concerned that more targets are created every time a major data breach occurs. Beyond the clear risks posed by compromised Social Security and credit card numbers, the leaked data can be used to gather even more information about a person and to craft a pretext that carries apparent social proof, giving an attacker easy access to potential targets. These knock-on effects of data breaches make rapid response and staff awareness even more important.
Besides affecting businesses and consumers alike, targeted phishing does most of its damage through two primary means: the installation of malware on a victim’s computer, and the social engineering of a fraud.
On the malware front, ransomware makes a lot of headlines, but its direct expenses often pale in comparison to its secondary consequences: the average ransomware complaint to the FBI was for $600. Yet when the National Health Service (NHS) in England was hit with the WannaCry ransomware, the overall cost in lost productivity and efficiency far outweighed the direct cost of any ransoms paid.
The FBI recommends NOT paying ransoms when ransomware does strike, as there is no guarantee that your data has not already been deleted or that it will be unlocked upon payment. Other malware includes keyloggers, which run without the user’s knowledge and steal passwords and account information in the background. Trojans can also steal and exfiltrate data for extended periods while remaining invisible, as was the case in the notorious U.S. Office of Personnel Management data breach.