Social engineering – the act of manipulating people into disclosing sensitive data – is on the rise, and email phishing is its most prevalent form. As attackers look for the path of least resistance, humans have become an easier target than modern security appliances. Attackers do not stop at gaining credentials or other sensitive information, either; they often also install malware to capture further sensitive data.

Reported phishing incidents have increased 50 percent year-over-year, according to the 2016 Verizon Data Breach Investigation Report. Examples are many, including a famous 2014 cyber-espionage campaign that exploited a vulnerability through malicious PowerPoint presentations. This so-called spear-phishing campaign was executed by the "Sandworm Team" – believed to be a Russia-based hacker group – to deliver malware to foreign government officials and energy sector firms.

Security experts see a 75 percent click rate when they conduct requested test phishing campaigns at organizations. Through convincing web forms, they are sometimes even able to gather credentials and personal information from users. After users have gone through training, the security experts conduct a second campaign to see how effective the initial training was. The click rate dramatically drops to 5-10 percent at that point.

How to Prevent Phishing

Set a strong foundation to prevent phishing in your organization by focusing on the following three areas:

  • Start with a mature security awareness program. C-level executives can be an easy target for spear phishing because their email addresses are typically published on their organization's website. Everyone should go through training on how to identify suspect emails, how to report them and how IT can help communicate current threats.
  • Every organization must have email filtering. The market is flooded with great products, so analyzing the cost and benefit will most likely work in your favor. If your organization uses Office 365, you get email filtering for free – it just needs a little configuration from your IT department.
  • Create and test an incident response plan. Pretend an email gets past your filters, a user gets phished, and you have to limit the impact. Be prepared to identify, report and quarantine a malware attack. Malware works quickly and, according to the Verizon report, only takes days to do its job.

To learn more about e-mail phishing trends, visit bswllc.com, or contact Bill Gogel, IT Audit Manager, Advisory Services at Brown Smith Wallace, at 314.983.1363 or bgogel@bswllc.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.