When it comes to cybersecurity attacks, phishing continues to be effective for hackers and costly for organizations.
The 2022 IBM X-Force Threat Intelligence Index found that phishing was the attackers' way into organizations 41% of the time. And a successful phish for an attacker comes with a hefty price tag for victims: $4.91 million, in fact, according to the Cost of a Data Breach Report 2022, conducted by Ponemon Institute and sponsored, analyzed and published by IBM Security®. Phishing attempts are also becoming more personalized and harder to spot.
So how can you tell whether an email is legitimate or a threat? Stephanie “Snow” Carruthers, Chief People Hacker for IBM X-Force Red, is a social engineer who works with clients to find potential weaknesses and exploit them before the hackers do. She says there are five basic warning signs to look for when you get an email.
How can individual employees protect themselves against phishing attempts?
“The best thing people can do is slow down. Take the time to really evaluate what you are seeing,” Snow said. “Ask yourself, ‘Do I actually know this sender? Does this request make sense?’”
She adds that knowing when to ask for help is crucial.
“Better safe than sorry, so if you’re unsure, ask your manager and/or the IT team for help qualifying the email. We need to work together to stay safe.”
Finally, Snow cautions that popular but outdated advice can be detrimental.
“I still see advice out there telling people to look for bad grammar and spelling errors. Sophisticated attackers aren’t always making those same mistakes any longer.”
Dustin Heywood, Chief Architect of X-Force, STSM, says that the most important defense is to take the time to verify anything someone tells you. For example, say you get an email about a package to be picked up. Rather than clicking the link, you can copy the tracking number, go directly to the shipping company’s website and enter the tracking number there.
“Developing the habit of always verifying information makes you much less susceptible to attack. There is not a single business or IT problem that can’t wait for the information to be verified prior to acting,” Heywood said.
How organizations can protect themselves against phishing attempts
According to Matthew DeFir, Executive Consultant, X-Force Incident Response, here are a few things organizations can do to help protect an environment that is experiencing a phishing attack or receives a lot of phishing email:
- Be sure your employees know what to look for when it comes to suspicious emails by regularly offering phishing awareness programs.
- Turn on external tagging so users can see when an email came from outside their organization. This signals to employees that they should proceed with additional caution because the email originated externally.
- Audit mailbox rules for newly created rules.
- Implement multifactor authentication for mailboxes. If universal MFA is not possible, focus on high-value users such as those in the C-suite or accounts payable, who are the most common targets of Business Email Compromise (BEC) attacks.
- Install security proxies that can audit and/or block traffic to malicious domains and IPs based on the reputation or categorization of the domain. DeFir recommends that clients, if they can, use a security proxy to block uncategorized domains, since most legitimate business traffic goes to legitimate, categorized business domains.
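As an added illustration of the mailbox-rule audit DeFir recommends (example code written for this page, not IBM's or X-Force's own tooling), the following Python checks constructed rule-creation audit records for the patterns that typically indicate a compromised mailbox: forwarding to external addresses, deleting or hiding mail, and blank rule names. The record layout and field names are assumptions modelled on what an email platform's audit log might export.

```python
# Constructed sample audit records (hypothetical layout; not from the article).
SAMPLE_RULE_EVENTS = [
    {"user": "ap-clerk@example.com", "operation": "New-InboxRule", "name": "Invoices",
     "forward_to": ["billing@contoso-invoices.example"], "delete": True,
     "move_to": None, "subject_words": ["invoice", "wire"]},
    {"user": "cfo@example.com", "operation": "New-InboxRule", "name": ".",
     "forward_to": [], "delete": False,
     "move_to": "RSS Subscriptions", "subject_words": ["payment"]},
    {"user": "dev@example.com", "operation": "New-InboxRule", "name": "CI noise",
     "forward_to": [], "delete": False,
     "move_to": "CI", "subject_words": ["build failed"]},
]

INTERNAL_DOMAINS = {"example.com"}          # assumed: the organization's own domains
# Folders that are rarely opened, so mail moved there effectively disappears.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "password"}


def is_external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(event):
    """Return the reasons a rule-creation event warrants review ([] = nothing flagged)."""
    reasons = []
    if event["operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return reasons
    external = [a for a in event["forward_to"] if is_external(a)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if event["delete"]:
        reasons.append("deletes matching messages")
    if event["move_to"] and event["move_to"].lower() in HIDING_FOLDERS:
        reasons.append("moves mail to rarely-viewed folder '%s'" % event["move_to"])
    if len(event["name"].strip(" .,")) <= 1:
        reasons.append("rule name is blank or a single character")
    hits = FINANCE_WORDS.intersection(w.lower() for w in event["subject_words"])
    if hits and reasons:   # keyword match alone is normal; combined with the above it is not
        reasons.append("targets finance-related subjects: " + ", ".join(sorted(hits)))
    return reasons


def audit(events):
    """Return one finding per flagged event, preserving log order."""
    findings = []
    for event in events:
        reasons = assess_rule(event)
        if reasons:
            findings.append({"user": event["user"], "rule": event["name"], "reasons": reasons})
    return findings
```

Run against the real audit export, the same checks turn a raw list of rule creations into a short review queue for the IT team.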
Continuous threats require continuous preparedness
The days of ‘left and right of boom,’ where we were thinking about how to prepare for and recover from threats, have passed, explains Laurance Dine, Global Partner, X-Force Incident Response.
“Cybersecurity attacks are no longer a one-off challenge for organizations. They present an ongoing risk with real-world consequences. We need to meet this continuous cycle of threats with a continuous cycle of preparedness, remediation, and recovery,” Dine said. “I cannot emphasize enough how important it is for organizations to not only develop an incident response plan, but to test it regularly.”
According to the Cost of a Data Breach Report 2022, organizations with an incident response team that tested their incident response plan (versus those who did not) saved on average $2.66M in data breach costs.
“The threat landscape is continually evolving,” says Dine. “So, it makes sense that our cybersecurity strategies should continually evolve as well.”
This post was created by IBM with Insider Studios.