Let’s think back over the last few hours. Did you check your email? Do you struggle to keep up with the amount of email in your inbox? Do you sometimes just skim over messages in an effort to save time?
If you answered yes to that last question perhaps you should take a moment to further consider just how critically you look at everything that lands in your inbox.
According to a recent Verizon Data Breach Investigation Report, over 20% of users will open a phishing email and 11% will open an attachment infected with malware. Email has become the primary method of communication for many businesses —and phishers know this. They are counting on harried employees not to pay too close attention to the dangerous emails they send.
You may think it is easy to recognize and delete phishing emails that are sent to you, but Intel Security research proves otherwise. 94% of people couldn’t tell the difference between a real email and a phishing email 100% of the time. And worse yet—with executives that number rose to 96%. Scary statistics when it only takes one click to infect an entire organization.
We interviewed Jonathan Levine, Intermedia CTO and security expert to learn more about the threat of phishing and to see what he suggests companies do to protect themselves.
Related Article: Cloud Security: How to Protect Your Business from Data Leaks
Q: Email security and spam seem to have always been a concern for businesses. Why do you think there is a renewed emphasis now?
JL: Up until the last few years, spam has been annoying, but it hasn’t really been dangerous. Now it’s becoming increasingly dangerous. Hacking and malware have gradually moved from the domain of hobbyists to the domain of state actors and organized crime. So it’s becoming more common and more malicious.
Q: Do you think businesses are aware of how sophisticated these attacks have become?
JL: I don’t think they are, because there is a rational underestimation of the risk. It is embarrassing for an executive to admit that their controller wired $10,000 to a bank account in Asia, so most businesses don’t report these attacks and it gets under-reported. If it isn’t making headlines, the likelihood of people learning about it on their own is low. This is why so many businesses don’t take action and why they are at risk.
Q: What's your theory on why they wait until something happens to take action?
JL: think it’s human nature. We are all optimists. We don’t want to believe these types of bad things can happen to us. Why do people let their auto insurance lapse or why are they underinsured? It’s because bad stuff happens, but it doesn’t happen to me. And most of the email you get is not malware, right? So being optimistic is not irrational. However, even though the chance that any one email exposes you to malware is small, once you get that email and click on it, you are infected. This is why the technology is so important; it’s good protection—just in case.
Q: Are you concerned as an executive about the emerging trend of whaling?
JL: I am. C-suite executives suffer from the same cognitive deficits as everyone else. And even if they have higher awareness, there is that optimism that it won’t happen to them. But due to their access to large amounts of intellectual property and proprietary company information, it is extremely important they do everything they can to protect not only themselves but their company.
Q: How can businesses stay on top of security trends?
JL: Ideally the company would have a C-level security officer, but that may only be applicable to larger companies. For smaller companies,maybe legal advisors could help keep them informed. Realistically, staying informed is practically a full time job so outsourcing your security to experts is often a great way to go for any size company. We hear a lot of security concerns about the cloud. People seem to think that it will make your data less secure. But in reality, if the provider is taking security seriously, the cloud solution is actually more secure. Cloud providers have the means to invest much more than any single customer could. So businesses can benefit from the fact that the cloud provider has a large number of customers that they can amortize the security costs across. At Intermedia, we have a full time privacy and security team who are constantly watching the trends so they can bring any concerns to my attention and our CEO’s attention immediately. This helps us stay proactive and responsive—and McAfee, as part of Intel, has a vast security army.
Q: Any final words of advice for businesses that might be reading this?
JL: My best advice is to stay smart about security. Take precautionary steps now to prevent attacks later.
One of the best ways to protect against phishing is through education. We recommend a few tips:
- Be aware of email requests with high urgency that ask you to take quick action. Phishers often prey on employee trust and will spoof executives to get you to comply with high urgency actions like wiring large amounts of money ASAP. Or in my case, losing my matching benefits if I didn’t immediately comply. As a rule of thumb, if you are ever in doubt, double-check the request with the sender either by phone or by composing a new email—never reply to the email itself.
- Never give sensitive personal or financial information over email. Trusted parties will never ask you for personal or financial information through email (e.g., social security numbers, account numbers, credit card numbers, passwords, etc.). Be cautious of emails that ask you to call a phone number to update your account information as well.
- If an offer seems too good to be true, it probably is. Offers ofbig bonuses, large payments or gifts (e.g., win a free iPad) are ways attackers try to get inside your head. If the promise is “too good to be true,” do some research into the individual or company before taking action.
- Think about whether you initiated the action. Phishers will try to spoof well-known companies to have you reset your password, update your account or track a shipment. Always be suspicious of unsolicited email, if you didn’t prompt a password reset — don’t click the link.
To learn more about the threats of phishing and additional tips to protect your company, read Intermedia and Intel Security’s new free eBook, Harpooning Executives: How phishing evolved into the C-suite. And don’t forget to follow the conversation online at #phishingevolves.