My grandfather was a fisherman. He left home when he was just a young boy, hitched across the country, joined the Merchant Marines, and spent his teenage years aboard a fishing trawler in the Bering Sea. When I was growing up, he’d put me to bed by telling some of the wildest, craziest fish stories you’ve ever heard.
I thought I’d heard it all and then I got into the IT business. The phish stories I hear about now are sadly, even crazier.
- Phishing emails sent to 3000 businesses contained reported UPS “shipping information.” The link contained a virus that infiltrated hundreds of corporate networks.
- Fake emails from a “corporate executive” requested the personal information of employees for purposes related to tax and compliance. 120 thousand people fell for it.
- Fraudulent emails invited recipients to edit a document using Google docs. One click later, the “phishermen” had access to 3 million Gmail accounts.
So, what’s an organization to do? Phishing is healthcare’s number one threat vector according to this year’s data security report conducted by HIMSS and the statistics are staggering. Nearly a third of all data breaches are phishing related. One in five branded emails are fake. The average financial cost of a data breach is $3.86M.
According to VertitechIT Chief Technology Officer Gerry Gosselin, phishing scams are so effective because they exploit our emotions and prey upon our trusting nature. It’s critical for managers to convey to employees the scope of risk and why it matters in terms that non-technical staff can appreciate. Security isn’t solely the purview of IT; in this age, it’s a responsibility belonging to every member of an organization. Education is key. Statistics show that the average rate of response to phishing simulations falls from 20% to 13% after just three simulation exercises and continues to fall with additional training. Gerry also recommends implementing a response plan so that employees know how to verify a sender’s identity, report suspicious activity to the IT security team, and not be embarrassed to admit if they actually clicked on a suspicious email.
Gerry’s team put together the following list of online videos that can provide a basis for phishing response.
- Know the Risk – Raise Your Shield: Spear Phishing— Office of the Director of National Intelligence
- Stay Safe from Phishing and Scams — Google for Education
- Security Awareness Quick Tip: How to Identify and Avoid Email Phishing Scams – Part 1 — Symantec
- What is Phishing? — Kaspersky
- Cybersecurity Awareness Training – Phishing — ESET USA
Unlike the “reel” world, phishing season never ends. Protect your organization before you catch the big one.