What is phishing and how does it work?

Imagine your personal information as the fish and the scammer, the fisherman out to catch the fish of the day. The fisherman has many fishing rods on his boat and is constantly casting them, waiting for someone to bite.

Phishing is a method scammers and hackers utilize to lure people into giving up their sensitive and personal information, including passwords, credit card details, banking and payment information, and any other piece of information. The primary method of doing this is through fraudulent email, where the hook is a malicious link that entices you to input private information.

How does phishing differ from SPAM?

Simple… phishing is like fly-fishing. Phishing attacks are targeted, and intentional emails are sent one at a time.  SPAM is almost like casting a big net in the ocean and seeing what turns up. SPAMers send the same email to many email addresses. The content is generic and broad.

What types of phishing emails are there?

There are various types of phishing emails to seek out. In general, they fall into three buckets.

1. 1. Business Email Compromise (BEC) – Targets are primarily employees authorized to initiate money transfers. The game for business email compromise scammers is to have employees in accounting and finance roles provide information to help future social engineering attacks.
   2. Clone Phishing – Everyone is targeted with clone phishing. The game is to create replica emails that imitate legitimate communicating, to trick its target into sharing personal information.
   3. Whaling – Targets are the big game fish in an organization. The game is to specifically target C-Suite employees with crafted content that slowly pulls private information.

What are some examples of phishing attacks in organizations?

Phishing isn’t the endgame for scammers and hackers. It is one part of a bigger game to scam companies out of financial resources. For these examples, imagine them happening in your organization. How do you think employees, clients, and other stakeholders would react?

1. Employees at Wichita State University received an email asking them to input their university ID number and password. This allowed the scammers to access bank account numbers, student records, and other personal information. What happened? The scammers were able to redirect payroll deposits from the employee to the scammers’ bank account. Numerous employees did not get their regular payroll deposit, and that money was gone for good.
2. Several US health service providers have fallen victim to phishing attacks in 2019. The examples are all similar in nature. The employee opens an email, clicks a link, provides some private data (login credentials) that allow the scammers access to the client database. The type of information exposed includes health records, payment information, social security numbers, names and emails, and other financial information.
   Examples of these phishing attacks in 2019 include Prisma Health, Baystate Health, and Catawba Valley Medical Centre. There are many similar examples. While we have grown accustomed to seeing big brand names suffering these types of losses, you can imagine the brand and reputation damage for a local or regional health care provider.
3. For almost three years, employees at Facebook and Google received fake invoices impersonating a large manufacturer they used as a vendor. Over this time, employees sent over $100 million due to this single scammer.
4. While we do not know the specific details in this whaling example, what likely happened is the newly appointed CFO opened his email and saw a money transfer request from an employee. Everything seemed legitimate, and the CFO authorized transfers of over $30 million. It was determined after that those funds went to overseas accounts and were lost. In under one month on the job, the CFO of Xoom was out of a job, and the company had to take a one-time charge of $30.8 million on their quarterly earnings.

How do you spot a phishing email?

Do you think you can spot when you’re being phished? Google has created a simple quiz to see whether you can tell whether or not you’re being phished. Take the quiz here.

Being asked to confirm personal information; a few of the high-level flags to watch for include:

• The website domain or email address is odd;
• The email is poorly crafted;
• There are poor grammar and misspellings;
• There is a sense of urgency that isn’t normal for the person sending the email.

What steps can you take to minimize phishing?

Regardless of whether your company falls victim to a phishing scam, dealing with the flow of phishing is costly to your firm’s operational effectiveness. Employees need to double and triple check before clicking on links and responding to people. IT departments are being forwarded emails to check. Spam filters are being turned up, causing real emails from clients and suppliers to go unnoticed in junk folders and on and on.

While we cannot stop phishing scammers from attempting to hook our information, we can take steps to make ourselves less attractive. Some suggestions include:

• Never click on a link in an email. If your payroll company is asking you to update your information, open a web browser and log in directly instead of going through the link;
• Use complicated passwords and require that all employees use complex passwords;
• Never share personal or financial information in an email. If a phisher does get into your email, you do not want to keep easy to search financial or personal data in your inbox or deleted folder;
• Use email filtering and put a reminder in to check your spam folder from time to time.

Most important is to have a conversation with an insurance broker that specializes in cyber risk transfer. No matter the level of risk mitigation a company takes on, it will never eliminate the cyber risk to their business. Surprisingly, great coverage is often much less than people think.

Let’s have a chat. Email me at sbryson@brysoninsurance.ca!