Phishing attacks spiked as employers across the U.S. shifted to a remote work environment during the pandemic. These kinds of cyber risks cause hundreds of millions of dollars in losses each year.
Phishing plays a part in a wide range of cyberattacks including ransomware, data breaches and business email compromise (BEC) fraud. Even when phishing is not the leading cause of an attack, it’s often used by cybercriminals in preparation for the actual attack.
The cost of both ransomware attacks and BEC fraud has gone up dramatically in the past few years. The average ransom payment increased by more than 400% from 2019 to 2021, and BEC schemes incurred an adjusted loss of approximately $1.8 billion in 2020 [1, 2].
“In order to protect themselves against phishing attacks and other cyber threats, businesses should be cyber risk aware,” said Tony Dolce, head of professional liability, cyber and tech E&O at The Hartford. “Phishing is always among the leading causes of ransomware attacks because it’s an easy way for the threat actor to gain access to a system. Training employees and implementing email security protocols can help prevent these types of attacks and reduce losses.”
There’s not a single fix that eliminates phishing entirely, but businesses of all sizes and individuals can take measures to prevent a successful phishing attack, Ingerslev noted.
Here are four tips that can help protect individuals and businesses:
1. Check the Real Sender Domain in Emails
One of the primary reasons phishing attacks work is that the messages invoke an emotional reaction: the message might raise your curiosity about an opportunity, or it seems urgent and demands to be addressed right away.
For example, an employee may get an email that looks like it was sent from a vendor with a link to download and pay an invoice. However, clicking on that link could open a malicious webpage or download harmful content.
A good way to protect against this kind of attack is to always verify the email is from someone you know or a trusted source.
Be sure to double check the email address of the sender. It’s not uncommon for a threat actor to spoof the display name so the message looks like it came from a person or company you’re familiar with. Hovering over (or expanding) the sender name will reveal the actual address and the domain the email came from, so you can judge whether it’s legitimate.
Take a similar approach with any embedded links in the email. Hovering over a hyperlink will show you the URL it actually points to. If it doesn’t match what’s displayed in the email, or doesn’t belong to the person or company sending the email, it’s likely a phishing attempt.
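The two manual checks above (real sender address vs. display name, and real link target vs. displayed text or sender domain) can be automated on the HTML body of a message. This is an added example written for this article, not code from The Hartford; the message, addresses and domains are constructed, and the "sender domain" test assumes a legitimate link lives on the sender's domain or a subdomain of it.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a familiar display name, one link whose visible text shows the
# vendor portal but really targets an unrelated host, and one legitimate link.
SAMPLE_FROM = '"Acme Billing" <invoices@acme.example>'
SAMPLE_HTML = """
<p>Your invoice is ready for payment.</p>
<a href="http://pay-now.example/login">https://portal.acme.example/invoice</a>
<a href="https://help.acme.example/">Help center</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(from_header, html):
    """Return red flags: spoofed display name, mismatched link text/target, off-domain links."""
    findings = []
    display_name, sender_addr = parseaddr(from_header)
    sender_domain = sender_addr.rpartition("@")[2].lower()
    # A display name that is itself an address on another domain is a classic spoof
    if "@" in display_name and display_name.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"display name {display_name!r} does not match real address {sender_addr}")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:
            findings.append(f"link text shows {shown.group(1)} but target is {host}")
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"link target {host} is outside sender domain {sender_domain}")
    return findings
```

Running `check_message(SAMPLE_FROM, SAMPLE_HTML)` flags the first link twice (text/target mismatch and off-domain target) and leaves the help-center link alone.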
2. Protect Your Email Domain and Authenticate Emails
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are three email security protocols that help prevent phishing attacks by letting a receiving mail server verify that a message really came from the domain it claims to come from.
SPF lets a domain owner publish which mail servers are allowed to send email for the organization’s domain, which reduces the risk of spoofing. DKIM adds a cryptographic signature so the receiver can confirm that the content of an email hasn’t been altered in transit. DMARC ties SPF and DKIM together by requiring that one of them passes for the domain shown in the From header, and by telling receivers what to do with an email that fails (no action, quarantine or reject). The three protocols work most effectively in conjunction.
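The way DMARC "ties SPF and DKIM together" is easiest to see in code. This added example (not The Hartford's code) evaluates a message against a DMARC record the way a receiving server would, and contrasts a monitoring-only record with a hardened one; the domain acme.example and both records are constructed, and the organizational-domain helper is a simplification noted in the comments.

```python
# Constructed records for a hypothetical domain acme.example: the weak one only
# monitors, the hardened one rejects failures and demands strict alignment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@acme.example"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@acme.example"

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(host):
    # Assumption: the last two labels form the organizational domain. Real receivers
    # consult the Public Suffix List so that names like example.co.uk work too.
    return ".".join(host.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) as a receiving server would apply the policy.

    from_domain is the From-header domain the user sees; spf_domain is the envelope
    sender domain SPF checked; dkim_domain is the d= tag of the DKIM signature.
    The message passes if at least one aligned mechanism passed; otherwise p= applies.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")
```

A spoofed message whose From header says acme.example but whose SPF pass belongs to an unrelated envelope domain is delivered unchanged under the weak record and rejected under the strict one.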
3. Use Multi-Factor Authentication To Mitigate Phishing Attacks
Multi-factor authentication (MFA) provides an added layer of security for your employees’ credentials. Businesses faced an average of 5.3 credential compromises over the past 12 months and are spending more to respond to these attacks [4].
MFA can help prevent an attacker from gaining access to your business’ computer systems even if a phishing attack succeeds in stealing a user’s login information. It requires an additional proof of identity beyond the username and password. For example, with MFA, a person trying to use one of your employees’ usernames and passwords would also need a PIN or an approval from another device before the login is authorized.
4. Create a Phishing Training and Awareness Program
Phishing attempts target employees. That’s why training and raising awareness about these kinds of cyber risks is critical to protecting your business. In fact, research shows that employee training and awareness can reduce the average losses of a phishing attack by 53% [5].
If you don’t have a training program, it’s not too late to start one. A successful training program should:
- Educate employees on the definition of phishing attacks and provide examples of phishing attempts
- Test employees’ knowledge on a regular basis so they’re being proactive and can identify phishing emails
- Provide resources and information on what to do if an employee believes they fell for a phishing attempt
Individuals can take a similar approach to make sure they know the red flags that can help identify a phishing attempt.
How The Hartford Can Help With Phishing Attacks
From phishing attacks to ransomware, we know businesses of all sizes and individuals face many cyber risks. That’s why it’s important to partner with an experienced insurance company that can help protect your business. If you’re wondering how you can prepare for, respond to and recover from a phishing attack, we can help. Read more cyber risk insights to help protect your business.
1. “Q2 Ransom Payment Amounts Decline as Ransomware Becomes a National Security Priority”, Coveware.com, July 2021
2. “Internet Crime Report 2020”, FBI Internet Crime Complaint Center
3, 4. “The Ponemon 2021 Cost of Phishing Study”, Ponemon Institute
The information provided in these materials offers general information and advice. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of June 2022.