By mid-2016 over 55 companies including well-known Snapchat, Care.com and Advanced Auto Parts had reportedly been victims of spearphishing attacks targeting employees, each of which caused an enterprise incident in which sensitive employee information was exposed. Spearphishing, a form of phishing in which a hacker attempts to target one or more individuals using finely-tuned, personalized tactics to trick users into breaking security procedures, is the most successful form of phishing on the internet today, accounting for 91% of attacks.
The repercussions of successful spearphishing attacks can be devastating to companies, granting hackers access to internal networks where they can harvest sensitive information about customers and employees.
Once they gain access to these systems, identity thieves frequently obtain employees’ W-2 forms and other personally identifiable information (PII) to carry out any number of identity crimes and/or sell the information on the dark web. Beyond the impact to affected employees and customers, the direct effect of such an enterprise incident can be enormous. The average financial loss of companies that suffered spearphishing attacks was approximately $1.6 million, while their stock prices dropped an average of 15 percent.
Internal IT security protocols can help prevent some spearphishing messages from actually reaching employees. However, some attacks can be so sophisticated that even military-grade cyber security can’t always prevent hackers from accessing private networks via this digital form of social engineering. Such attempts are typically conducted by sending highly personalized emails asking employees to click a link or download a file attachment that, without their knowledge, installs malware or directs them to a malicious site. Skilled hackers can even make messages appear to come from trusted and legitimate senders and use other techniques to bypass traditional email defenses. These messages can be difficult to spot and, for this reason, employee education is critical in preventing such an attack.
A good first step is to share these tips with your employees to help them identify potential spearphishing messages. Employees should ensure that any messages they receive don’t contain the following:
- A hyperlink whose actual destination URL doesn’t match the URL displayed in the text
- A sender domain name that is slightly off (for example, email@example.com versus firstname.lastname@example.org)
- Poor spelling or grammar
- A request to perform an action that the recipient didn’t initiate
- A request to email the sender login credentials
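Two of the red flags above, a link whose visible text names a different host than its real destination and a sender domain that is a near-miss of the company's own, can also be checked automatically before a message reaches an inbox. The following script is an added example written for this page, not code from Generali Global Assistance; it assumes `example.com` is the organization's trusted mail domain, and the e-mail it screens is a constructed sample using only reserved example domains.

```python
"""Screen an inbound e-mail for two spearphishing red flags:
a hyperlink whose displayed text points at a different host than its href,
and a From: address whose domain closely resembles a trusted domain."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organization's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Display text is treated as "a URL the reader will believe" only if it
# looks like one (no spaces, a dotted host, optional scheme and path).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

# Constructed sample message: lookalike sender domain plus a mismatched link.
SAMPLE_EMAIL = """\
From: HR Payroll <payroll@example.org>
To: staff@example.com
Subject: Action required: confirm your W-2 delivery address
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://login.example.org/w2">https://hr.example.com/w2</a>
or read the guide at
<a href="https://hr.example.com/help">https://hr.example.com/help</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare hostname; '' if it has none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # let urlparse see a netloc
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html_body):
    """Return (displayed_text, href) pairs where the shown host differs from the real one."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # e.g. "click here": nothing for the reader to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings


def lookalike_sender(from_addr, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that the sender's domain imitates, else None."""
    domain = parseaddr(from_addr)[1].rsplit("@", 1)[-1].lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the trusted domain itself or one of its subdomains
    for t in trusted:
        # Near-identical strings (e.g. only the TLD or one letter differs) are suspicious.
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


def screen_message(raw):
    """Parse a raw RFC 5322 message and report both red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender": parseaddr(msg["From"])[1],
        "lookalike_of": lookalike_sender(msg["From"]),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in screen_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The similarity threshold is deliberately loose so that a sibling top-level domain (`example.org` for `example.com`) is caught; in practice the trusted set would also include partner domains, and anything flagged should be quarantined for review rather than silently dropped, since a near-miss of a legitimate domain is exactly what a recipient is least likely to notice on their own.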
If your company is serious about preventing a spearphishing enterprise incident, you should also consider offering an employee identity protection program from Generali Global Assistance. Our services include online educational resources and access to certified identity theft resolution experts to help employees recognize and prevent spearphishing attempts, as well as an Online Data Protection suite that contains software to identify phishing websites and uses anti-keylogging technology to prevent hackers from collecting sensitive data.
To learn how offering our people-first identity protection can help protect your company, request a demo today.