Recent reports indicate that email phishing scams have been on the rise over this past year, with industry experts expecting the trend to continue. As cybercriminals continue to use these attacks while refining and expanding their scope, there are a number of things companies can do to help defend themselves and, at the very least, mitigate the damages if a phishing attack succeeds. 
What Is a Phishing Scam? 
Phishing scams are cyberattacks initiated through the use of email. The most basic phishing scams often involve an email that appears to come from someone who is known to the recipient and contains a link or attachment that, once clicked, releases malware onto the recipient's computer or computer network. Another common phishing scam involves an email that appears to come from a technical support "helpdesk" and contains a link that, once clicked, prompts the recipient to enter their login credentials. If entered, the login credentials are then divulged to the criminal, allowing them to gain access to the company's computer system. In a third variation, the criminal sends an email that either appears to come from a company executive (e.g., a CEO or CFO) or a legitimate vendor of the company directing that funds be electronically transferred to a third party (i.e., the criminal). 
What Can You Do to Avoid Phishing Scams? 
First and foremost, all employees should be trained to treat unexpected or unsolicited emails with suspicion. Anything containing an attachment or link should be scrutinized for subtle but significant differences, because cybercriminals often make slight changes to email addresses. For example, the legitimate email address bobsmith@company.com could become something like:
bob.smith@company.com
bobxsmith@company.com
bobsmith@company.com.fake.com
bobsmith@company.net
Employees should be trained to look for extra letters or characters, inconsistencies in email addresses, or changes in the email extension—anything that is inconsistent with company standards for internal email addresses. For e-mails coming from outside the company, addresses should be checked against known email addresses, especially when the email contains links or attachments that are not expected. 
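The address checks described above can also be automated at the mail gateway or in a helpdesk triage script. The following is an added example, not code from the alert or its authors; it assumes a small allow-list of known contacts and an internal domain (both constructed here) and flags the same four patterns shown in the list: a dot or extra character inserted into a known local part, the company domain embedded as a subdomain of another domain, and a swapped top-level domain.

```python
from email.utils import parseaddr

# Constructed example data (hypothetical): the company's own domain and
# the addresses it already knows. In practice this would come from the
# directory or the contact list the alert recommends checking against.
INTERNAL_DOMAIN = "company.com"
KNOWN_CONTACTS = {
    "bobsmith@company.com",
    "janedoe@company.com",
}

# How many inserted/changed characters in the local part still count as
# a lookalike of a known contact ("bob.smith", "bobxsmith").
MAX_LOCAL_DISTANCE = 2


def _split(addr):
    """Return (local, domain) for a lowercase address."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def _edit_distance(a, b):
    """Levenshtein distance: minimum insertions/deletions/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Classify a From: header value.

    Returns (verdict, reason). Verdicts:
      "known"      - exact match with a known contact
      "suspicious" - lookalike of a known contact or of the internal domain
      "external"   - unknown address with no resemblance to internal ones
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("suspicious", "unparseable or missing address")
    if addr in KNOWN_CONTACTS:
        return ("known", "exact match with known contact")

    local, domain = _split(addr)
    internal_label = INTERNAL_DOMAIN.split(".")[0]

    # company.com.fake.com: our domain name used as a subdomain elsewhere.
    if domain != INTERNAL_DOMAIN and domain.startswith(INTERNAL_DOMAIN + "."):
        return ("suspicious", "internal domain embedded as subdomain of " + domain)

    # company.net: same registrable label, different extension.
    if domain != INTERNAL_DOMAIN and domain.split(".")[0] == internal_label:
        return ("suspicious", "extension changed from " + INTERNAL_DOMAIN + " to " + domain)

    # bob.smith / bobxsmith at the real domain: local part close to a known one.
    for known in KNOWN_CONTACTS:
        known_local, known_domain = _split(known)
        if known_domain == domain and _edit_distance(local, known_local) <= MAX_LOCAL_DISTANCE:
            return ("suspicious", "local part resembles known contact " + known)

    if domain == INTERNAL_DOMAIN:
        return ("suspicious", "internal domain but not a known contact")
    return ("external", "unknown external sender")


if __name__ == "__main__":
    # Constructed sample headers covering each pattern from the alert.
    for header in [
        "Bob Smith <bobsmith@company.com>",
        "Bob Smith <bob.smith@company.com>",
        "bobxsmith@company.com",
        "Bob Smith <bobsmith@company.com.fake.com>",
        "bobsmith@company.net",
        "Accounts <billing@supplier.example>",
    ]:
        print(header, "->", classify_sender(header))
```

The verdict is deliberately coarse: anything "suspicious" should be routed to a person for the verbal confirmation the alert recommends rather than acted on by the script, and the allow-list should be maintained from a trusted source, not from addresses seen in incoming mail.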
In addition to changes in the email address itself, there may be inconsistencies or differences in email signature/contact information blocks. For example, a legitimate signature block may appear as: 
Jane F. Doe 
President 
Company 
123 Main Street 
555.555.5555 
janedoe@company.com
In a phishing email, however, the information could contain slight irregularities that are inconsistent with company signature-block standards: 
Jane Doe 
President/CEO 
Company 
132 Main St. 
555.555.5500 
janedoe@company.net
In the example above, there are multiple differences from the legitimate signature block: the missing middle initial in the name, the different title, the street address number transposed and the street type abbreviated, the different phone number, and the altered email address. While not all phishing emails will contain such glaring differences, there are usually at least a couple of indicators that are inconsistent with the legitimate company standards. 
As for phishing emails seeking fund transfers, companies should establish practices and policies for the issuance of any electronic payments, and employees should be trained to follow those policies. The easiest way to avoid falling victim to one of these scams is to simply require verbal confirmation from the individual purportedly sending the email, reached through a known phone number rather than one supplied in the email, before any electronic fund transfer is completed. 
Look Into Insurance Coverage 
Cyber liability insurance is still very much an evolving product. There are multiple types of coverage available, allowing customers to choose which "cyber events" are covered. This directly applies in the context of phishing scams. Some policies will specifically cover or exclude losses resulting from phishing scams or other "social engineering" scams. Recent court decisions have been inconsistent in determining whether losses associated with these sorts of scams are covered by general computer fraud or cyber liability policies. Several cases are currently pending before federal appellate courts on these issues. Regardless, as the insurance industry continues to refine policies in the cyber realm, it will be even more important to assess the specific types of incidents and liabilities that will be covered. 
Be Proactive, Not Reactive 
Unfortunately, cybercrime is not going anywhere any time soon, and data from the past several years has consistently shown increases in data breaches due to malicious cyberattacks, including phishing and ransomware. At the same time, the expectations from government entities and consumers are that businesses will be better prepared to prevent or respond to these attacks. Waiting until your business suffers a breach or cyberattack to address your cybersecurity is no longer sufficient. Businesses are expected to be proactive in their cyber defense by establishing proper policies and procedures, training employees on protecting data and avoiding cyberattacks, and having the means and resources to quickly detect and contain any cyberattack that makes it through the first lines of defense. 
Creating data maps (i.e., knowing what private or confidential information your business maintains and where it is housed), establishing data-security policies and practices, and crafting a data breach response plan are simple and relatively inexpensive steps a company can take to be proactive in addressing cyber liability. Conducting vulnerability assessments and penetration testing to identify and address potential weaknesses in your electronic infrastructure is even better. Indeed, these steps are increasingly being mandated by various regulatory agencies, and many expect that broader cyber regulations covering more industry sectors are on the horizon. Moreover, by taking these steps, a company can better assess the type of cyber liability insurance that would be most appropriate for the risks and potential exposure that it may face in the event of a data breach. 
In the world of cybersecurity, the expression "an ounce of prevention is worth a pound of cure" is the golden rule. At some point in time, every business will face some sort of data breach or cyberattack. Those businesses that have taken proactive steps to address this eventuality will find themselves in much better positions than those that waited until it was too late. 
If you have any questions about this alert or our Cybersecurity service offerings, please feel free to call or e-mail Nicholas J. DiCesare at (716) 566-1524 or ndicesare@barclaydamon.com or any of the Barclay Damon attorneys with whom you normally work.