While there are many new ways hackers are attempting to steal sensitive data, there are still a lot of attacks launched the (relatively) old-fashioned way: through malicious emails.
In fact, 95% of all data breaches begin with a phishing email sent to trick the recipient into volunteering sensitive information, clicking on a malicious link or downloading malware, according to a recent report from email security firm Agari.
The company monitored millions of emails, and ranked different sectors for the likelihood that organizations' brands would be co-opted for phishing emails.
According to the report, users should be most suspicious of emails from these kinds of organizations:
- Financial services — Logically, hackers often turn to banks and other financial institutions when trying to trick users into sending their account numbers, credit card information or other sensitive financial data. In fact, people are seven times more likely to get a malicious email claiming to be from their bank than from any other type of company.
- Airlines and other travel companies — Scammers often send phony flight confirmation emails, usually with the goal of tricking recipients into thinking they've been mistakenly charged for travel. Then when the victim tries to log into the site or download an attachment for more information, malware is installed or data is stolen.
- Shipping and logistics — One of the most common phishing scams involves an email seemingly sent from the U.S. Postal Service or another agency to notify the recipient that a package was delivered. Typically users are asked to download an attachment or follow a link, leading to malware.
- Online gaming — Many phishing emails are targeted at players of online games and exploit those players' desire to improve their in-game abilities or to install free upgrades for the games. In fact, one study from 2010 found that every day are targeted at online gamers.
- E-commerce — Online shopping sites certainly have the potential to be used by hackers to steal financial information. However, the Agari report found that major retailers have improved their email security to minimize those attacks, making e-commerce the least suspicious sector in this list.
Train users in email security
Phishing attacks aren't limited to just those kinds of emails. Hackers are always looking for ways to trick users into installing malware or sending sensitive data. Other popular scams include phony requests for charity after highly publicized disasters, messages imitating the IRS or other government agencies, and messages telling the recipient their computer is infected with malware and instructing them to download software to fix it.
IT departments can help keep those attacks from affecting their organizations by properly educating users on phishing attacks. One helpful tactic is to pass along warnings with examples of the latest phishing scams, such as those posted on the website PhishTank.
In addition, IT can ask users to forward any suspicious emails they receive so they can be passed along to the rest of the organization as an example of what to look for.
Experts also recommend giving users these tips on how to avoid falling victim to phishing scams:
- Never send passwords, Social Security numbers, company or personal financial information, or other confidential data in an email message. Remember that financial institutions, government agencies and other organizations will typically never ask for sensitive information to be sent via email.
- Don’t click on any links — often a URL will be embedded in text with the address of a legitimate site but lead to a fake or malicious site. Navigate to the web page manually instead.
- Read the URL carefully — backwards and forwards. In many spear phishing emails, a link that looks legitimate will actually be a slightly misspelled version of the true URL.
Don't help hackers
Another tactic that can help organizations avoid having data pilfered through these scams: Don't give hackers information that can help them launch their attacks.
Many data breaches these days start with highly targeted spear phishing attacks in which hackers do a lot of background research on an organization they know they want to infiltrate. And a lot of the information they want is made available by the company itself on its website or social networking pages.
To prevent those attacks, experts warn organizations to consider limiting the availability of information that might be harvested by cyber criminals to conduct phishing attacks, including:
- Employee names and job titles
- Email addresses
- Internal project names, and
- Organizational structures.