Use Caution and Protect Your Business
In 2022, 84% of businesses worldwide were hit with some kind of email-based phishing attack. Ransomware targeted three out of four, or 76%, of them—and nearly two out of three, or 64%, were infected. That’s the eye-opening highlight of Proofpoint’s new 2023 State of the Phish report, which surveyed more than 7,500 employees and 1,000 cybersecurity professionals in 15 countries.
Phishing, business email compromise, and ransomware remain the most popular methods of attack, according to the survey. But reports of evolving tactics, including emails that urge recipients to call telephone numbers or send a text message to bypass multi-factor authentication (MFA), are also increasing.
Proofpoint monitored more than 18 million illicit emails and 135 million phishing attacks submitted by survey respondents over a one-year period. The research revealed significant cybersecurity vulnerabilities—and highlighted the ongoing threat that businesses across North America face from email-based issues.
Nearly 90% of the organizations affected by a ransomware attack in 2022 had a cybersecurity insurance policy in place, and 82% said their insurance companies agreed to pay the ransom. But only 50% of those who paid all or part of a ransom successfully retrieved their data. The United States and Canada represented two ends of the ransomware spectrum, too: companies in the U.S. were more likely to be impacted by ransomware than businesses in other countries, but 89% said they filed a claim with their insurance company after the attack. In Canada, meanwhile, only 24% of the organizations surveyed in the report filed a claim, leaving them far more susceptible to the negative impacts of an attack.
Those consequences are real, too: direct financial losses resulting from phishing, ransomware, and business email compromise increased by 76% in 2022 compared to the year before.
How Can You Keep Your Business Safe? CMIT Solutions has compiled the following five strategies to protect your company from email-based attacks:
- Look out for emails impersonating popular tech companies. The 2023 State of the Phish report found that nearly 20% of all reported phishing emails tried to appropriate Microsoft branding, either with logos, language, or application names like Office and OneDrive. Even more concerning, 44% of the employees polled believe that they could trust an email if it featured familiar branding—and 63% said they would trust that email without double-checking the domain name of the sender. The key here is to treat any unsolicited email as potentially dangerous. (Other commonly spoofed brands include Amazon, DocuSign, Google, and Adobe.) Scanning for typos or awkward phrases in the subject line and body copy, along with unusual sender names or addresses, can quickly reveal whether a message is illicit. Hover over the email address or click for more details to look for straightforward sender domains like [email protected], not long strings of nonsensical characters or unfamiliar dot.net addresses.
- Beware of new telephone- and text-based twists. To capitalize on users’ growing awareness of email-based attacks, some messages now urge recipients to start a direct conversation with fraudulent “call centers” or send a text to confirm their personal information. These twists add a personalized element to phishing schemes, often convincing unsuspecting users to share their phone numbers. Those can then be used to solicit other publicly available information like addresses and birthdates—which can then be used to try and extract account numbers, passwords, and other private credentials. NEVER call or text a phone number for a supposed customer support line that’s included in a suspicious email. Instead, manually navigate to a company’s home page to confirm the number they list before calling it.
- Speaking of never—never open unfamiliar attachments in an email. Scammers will often try to send a fake shipping update that looks like it’s from a company like UPS, FedEx, or DHL to trick users into testing whether it’s real or not. But just one click on an attachment like that can unleash a full-blown ransomware attack on your computer and any network device it’s attached to. If you receive any suspicious email with a file attached to it, immediately mark it as junk or spam. The domain and sender name will then be flagged so that email filters will block messages like it from landing in your inbox again.
- Use multi-factor authentication (MFA) or single sign-on (SSO) to log in to any account. Most major applications have recently rolled out these extra security steps. MFA requires you to enter something you know (your password) along with something you have (a unique code delivered via text message or email). But smart hackers have tried to figure out how to impersonate these prompts, so if you receive something asking you to confirm an email or password without you taking action, be cautious. SSO apps can mitigate that threat by centralizing all two-step login prompts for your business and its employees into one centralized and trusted place.
- Invest in security awareness training for your staff. Most people disregard the need for cybersecurity education or scoff at the idea of simulations that test phishing and ransomware defenses. But seeing examples of the most common scam attempts “in the wild” can actually empower employees to be smarter about scrutinizing suspicious emails. In addition, it demonstrates to your staff that you care about digital security, you’re ready to invest in extra vigilance, and you want to empower them to serve as a first line of defense. In many cases, they will be the ones to block phishing attempts before any data is stolen.
- Wrap that information in extra layers of protection. Data protection is the most critical component of any cybersecurity strategy. Information should be backed up regularly, remotely, and redundantly—automated backups should execute weekly (and often daily) and be stored in a variety of physical and cloud-based locations. In case of a natural disaster or ransomware attack, this is the best way to mitigate the risk of total data loss. In addition, data backups are only as good as their accessibility, so efficient recovery procedures should be built into all data backup plans. This helps companies retrieve their impacted information as quickly as possible and supports a return to smooth business operations.
At CMIT Solutions, we believe in a proactive approach to ransomware protection and email security. Instead of waiting for an inevitable phishing attack or business email compromise to occur, we work 24/7/365 to keep North American businesses safe. We study the latest cybersecurity research and identify vulnerabilities that should be addressed, recommending changes to better protect client data.
If you’re worried about the threat of email attacks or need help beefing up inbox security, contact CMIT Solutions today. We safeguard your important information and mitigate the most common threats your employees face.