Phishing is something that most of us see every day, and most of us completely ignore it. An email from what seems like a travel agency, telling you that you’ve won a free trip, and asking you to click on a link to redeem your prize. Or a message from a bank or other service provider, asking you to confirm your login details. Hard to even call it an attack. It’s an email.
The threat comes in when the recipient actually does what the email is asking. Clicking on a link, opening an attachment, or providing personal information. That can lead to a host of other problems.
In the early days of phishing, most attacks were of the classic “I’m a Nigerian Prince. Please send money.” variety. Not targeting anyone in particular, hoping that a sympathetic soul would feel compelled to help. Today, very few of us would do anything but delete an email like this.
But what if instead of a prince, the sender appeared to be your bank or a government agency? And what if the request was not for money, but simply that you “click here” to confirm banking information etc.? This is a much more sophisticated phishing attack that uses information about the recipient to appear targeted and authentic. Often, you will be directed to a website that is professionally designed to appear like your bank’s.
And it can get even sneakier than that. If hackers have access to other information, like your email password, they can craft an email that looks like it’s from a supplier you actually use, and send it to you at a time when you would expect an invoice from that supplier. Hundreds of businesses have been fooled into sending thousands of dollars to phantom accounts, thinking they were just paying their bills. If this happens, your systems were probably compromised long before the phishing email got you.
A phishing email can be its own cyber attack (a direct ask for money), it can collect information for a later attack (by installing spyware or asking you to enter sign-in credentials), or it can be the final step in a multi-phase cyber attack where spyware, a keylogger or some other malware has already compromised your passwords, and the attackers use stolen information to impersonate a person or institution you trust.
Either way, phishing is bad news for you.
From a business perspective, the two best things you can do to protect yourself from phishing emails are:
Ultimately, the smartest thing you can do to protect yourself from phishing is simple. Don’t click. If you get an email that looks like it’s from a trusted source, look closely at the email address. If you’re expecting an email from Bob at ABC Bank, and you get one from bob@bankingABC.com, open your web browser, find ABC Bank, and confirm whether their emails follow this format. If you’re not 100% sure the email is legitimate, call Bob.
Phishing relies on the recipient to take some kind of action in order to compromise your cyber security. Click smart, and you’ll be fine.
…But because we all make mistakes, and because you can’t control everything your employees do online, it makes sense to have a comprehensive cyber insurance policy that gives you access to an elite cyber response team. It’s more affordable than you think, and it could save your business when the proverbial sh*t comes down. Call one of our dedicated business insurance brokers for a quote today.
Mitchell & Whale is a fast-growing insurance brokerage in Ontario, striving to make insurance _not suck_ one customer at a time. Give us a call today to discuss any of your insurance needs at 1.800.731.2228.