The Corporate Impact of Phishing

Phishing is a hacking technique that uses email and fake websites to trick individuals into divulging confidential information, downloading malware, or both. Your employees are being targeted by daily phishing attacks.

Phishing Background

Phishing is increasing in quantity and sophistication worldwide. Every year, more and more attacks affect the world’s largest corporations. The biggest corporate targets face more than 1,000 phishing attacks a month. Companies of every size need to act in their own defense. There is a lot at stake.

It’s All Too Easy

Consider an example of phishing that takes advantage of a common technique: The “You have a FedEx package” email approach. In this type of phishing attack, the email recipient gets a message that appears to be from an address such as service@fedex.com. The email contains a personalized message asking the recipient to click on a package-tracking link.

The problem is that most companies rely on standard spam filtering software to stop these attacks — but most spam filters won’t prevent the breach, because a well-crafted phishing email is sent in low volume and won’t trigger volume-based spam filters until after your employees have already been exposed. You need software specifically designed to stop phishing emails before they reach your employees.


Does this not look exactly like a page on FedEx.com? (Source: itsitphishing.org)


The website that the email links to looks totally authentic, courtesy of a technique known as “spoofing,” where a malicious actor mimics the look and feel of a real website. A busy employee could easily click on the link and enter information into the criminal Web page without realizing what was going on. The only tipoff that it’s fake is the URL, http://avoda-ivrit.org.il/wp-content/uploads/fedex.com/fedex.com/logon.do.htm. That link may also be shortened or obscured, or reached through a redirect from a lookalike domain such as fedex.fedextrackingz.com.

A very attentive user might notice the suspicious address, but given that the actual FedEx tracking site also has a complex URL “http://fedex.com/apps/fedextrack/?tracknumbers=#&cntry_code=us,” the user might not look that hard. Once the user reaches a malicious website, the phisher can invisibly load malware onto his or her device.

Companies can’t rely on employees to be sufficiently vigilant to avoid falling for this kind of scam. A technical solution is needed, but just as standard email filtering fails to block well-crafted phishing emails, standard web filtering techniques are ineffective at preventing employees from visiting the malicious website. They typically rely on blacklists of known malware sites to block access. This is ineffective against phishing because phishing URLs change constantly, and a window of even a few hours between a site going live and its appearance on a blacklist can be more than enough for your employees to be hacked. What’s needed are phishing-specific tools that can safely investigate every link and block malware sites at the moment the employee clicks on the URL. Vade tackles this challenge, discovering thousands of new malware sites every day.
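The two tells in the FedEx example (a brand name buried in the path of an unrelated domain, and a brand name used as a subdomain of a lookalike domain) can be checked at click time without any blacklist. The following is an added illustration, not Vade’s code; the brand-to-domain allow-list and the sample links are constructed for the example, and the public-suffix handling is deliberately minimal.

```python
"""Time-of-click brand-impersonation check for links in email (added example)."""
from urllib.parse import urlparse

# Assumed allow-list: protected brand names mapped to the domains that
# legitimately own them. Extend per organisation.
PROTECTED_BRANDS = {"fedex": {"fedex.com"}}

# Minimal stand-in for the Public Suffix List: a few two-label suffixes.
# A real deployment would use the full list.
MULTI_LABEL_SUFFIXES = {"org.il", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legit', 'brand-lookalike', or 'unrelated' for a single URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    owner = registrable_domain(host)
    # Brand strings hiding anywhere in the host or path are suspicious
    # unless the registrable domain actually belongs to that brand.
    haystack = host + parsed.path.lower()
    for brand, domains in PROTECTED_BRANDS.items():
        if owner in domains:
            return "legit"
        if brand in haystack:
            return "brand-lookalike"
    return "unrelated"


def scan_links(urls):
    """Classify every link extracted from a message; returns url -> verdict."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links mirroring the article's FedEx example.
SAMPLE_LINKS = [
    "http://fedex.com/apps/fedextrack/?tracknumbers=123&cntry_code=us",
    "http://avoda-ivrit.org.il/wp-content/uploads/fedex.com/fedex.com/logon.do.htm",
    "http://fedex.fedextrackingz.com/track",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:16} {url}")
```

Because the verdict depends only on the structure of the URL, a freshly registered phishing site is caught on the first click rather than hours later when it reaches a blacklist.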

At this point, in our FedEx example, it might be game-over for the security of your corporate network. If the device compromised belonged to a high-level employee then the bad guys likely already have direct access to sensitive emails and documents. If it was a lower-level employee, then the attackers might have to be more patient… but the reality is that they are now behind the firewall and many higher-level employees openly share access and emails with their admins and others with lower-level security access. Your network security has been compromised in either case.

The Cost of a Breach

When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk.

The cost can be stunning.

Reputational Damage

At a fundamental level, brands are built on trust, and the public disclosure of embarrassing internal communications can create reputational damage that tarnishes the brand. The publicity around a serious breach leads employees, partners, and customers to perceive the overall brand as untrustworthy.

Brand is the foundation of virtually every company’s market capitalization. The negative brand effects of a phishing attack on your employees can shave hundreds of millions off your market capitalization.

Intellectual Property Loss

Intellectual property theft can be the most devastating loss of all. Trade secrets, costly research, customer lists, formulas and recipes can all be compromised by phishing. For technology, defense, or pharmaceutical firms, a single design or drug patent could easily represent millions, or billions, in sunk research costs.

Direct Costs

Your organization could also face direct monetary costs from phishing.

Phishing attacks on your employees can also result in fines levied by regulatory bodies when a breach causes violations of HIPAA or PCI. The costs of providing identity protection or compensation to employees or customers who have their data stolen — as well as theft from your company itself — can easily run into the millions. US firms spend about $12.6 million per cybercrime attack, on average.[1] Phishing and social engineering account for 13% of the annual cybercrime cost for businesses.[2]

What can be done?

It is possible to defend against phishing. Your organization is probably already taking a number of steps to mitigate the phishing risk. However, the increasing sophistication and prevalence of the attacks makes specific anti-phishing defenses necessary. Even highly sophisticated general spam and virus filters are not enough. Companies need security tools that are specifically designed to counter phishing threats. Anti-phishing tools need to be layered on to detect phishing attacks and quarantine suspicious emails and warn recipients before they click on malicious links.

To learn how to protect your business from phishing, visit our Anti-Phishing Solution page.

[1] Source: 2014 Global Report on the Cost of Cybercrime

[2] Source: 2014 Global Report on the Cost of Cybercrime