It seems that every time you read the news, another organization has suffered a data breach. One of the most effective ways for attackers to gain unauthorized access to an organization is through a phishing attack. Verizon recently shared its 2021 Data Breach Investigations Report (DBIR). After examining over 5,000 confirmed breaches, Verizon found that phishing remains one of the top “action varieties” in breaches and has done so for the past two years. Verizon further discovered that phishing was seen in 36% of breaches – an 11% increase from 2020. Of the breaches analyzed, 85% had a human element that involved a social action such as phishing, stolen or insecure credentials and business email compromise. At Private Advisor Group, 37% of our year-to-date inbound emails were blocked as either malicious or spam. Knowing it’s not a matter of “if” but “when” organizations will be targeted, it’s imperative to take steps and train staff now to protect your business.
What is phishing awareness training?
Phishing awareness training educates users on specific phishing threats they may encounter. This training leverages phishing simulation emails in a safe and controlled environment in order to give the user a realistic experience. The goals are to enhance awareness and for the employee to become familiar and more resilient to tactics used in real phishing attacks. From a corporate perspective, phishing awareness training allows an organization to assess its cybersecurity posture.
Why is phishing awareness training important?
Phishing attacks are constantly evolving to become more complex and continue to grab headlines, with many well-known organizations bearing the brunt of very public fallouts. You may think that cybersecurity and phishing awareness training isn’t necessary unless you’re a nationwide retailer, a bank, or a senior executive with authority. This “I’m too small to be a target” misconception is just what attackers are looking for. If you have something worth selling, you have something worth stealing. If you’re wondering what a breach might cost your firm, small organizations with up to 500 employees have experienced an average breach cost of $2.98 million in 2021.1
What are the most common types of phishing attacks?
- Phishing – The most basic form of a phishing attack where an attacker emails a very large number of recipients, more or less at random, with the expectation that only a small percentage will respond.
- Spear Phishing – A targeted and personalized attack towards a specific individual, organization, or business. Spear phishing emails are carefully designed to get a specific individual or business to respond.
- Whaling – Also known as CEO fraud. Whaling is a phishing attack that is targeted and personalized towards specific senior executives of an organization, i.e., the C-Suite. The main difference between whaling and spear phishing is that spear phishing generally targets lower profile employees.
- Vishing – A type of attack that is conducted by phone, also referred to as voice phishing. Attackers use a combination of fraudulent phone numbers, voice-altering software, and social engineering in an attempt to deceive whoever answers the phone into divulging sensitive information.
- Smishing – An attack conducted using SMS text messages on mobile phones. The messages typically include a threat or enticement to click a link or call a number in an attempt to deceive the recipient.
I received a simulated or real phishing attack. What should I do?
Although your instinct might be to simply delete or ignore a suspicious email, it is important that you report it to your technology and/or cybersecurity provider. If you’ve been targeted by an attacker, chances are that your coworkers have been as well. By reporting suspicious emails, you can help keep your organization safe.
How do I protect myself and my firm?
Private Advisor Group offers access to ongoing security awareness training for our community of advisors. Please contact Phil Coniglio if you are interested in learning more. If you are not currently affiliated with Private Advisor Group, reach out to your organization to learn more about any available ongoing security awareness training.