Phishing attacks are no longer just badly-worded emails asking for your social security number.
They are growing in sophistication and persistence, and are evolving into more targeted attacks. Furthermore, the majority of cyber incidents now begin with a phishing attack, and click rates on some phishing emails run as high as 20%.
Even worse, without a proper plan in place to combat phishing threats, an organization can face legal liability from the Federal Trade Commission.
So what's an organization to do?
Jake Bernstien, Attorney at Newman Du Wors, LLP, says it's about personnel management, not technological tricks. Training itself is relatively inexpensive, and he says that, "by far the best defense is training your people to recognize it, and then practice it."
Mitch Parker, Executive Director of Information Security and Compliance for Indiana University Health, explains that there are always going to be malicious people, but you have to train your staff to figure out what's real and what's fake.
Communication is key, not only between individuals within an organization but also with industry and regional peers. If a new type of attack has surfaced, it's important to notify personnel immediately. There is a multitude of resources available, such as ISSA, the CISO Executive Network, and even the FBI, that can help in discovering new threats.
It's also important to educate your users on the common warning signs that an email may not be legitimate. Most phishing scams convey a false sense of urgency, commanding you to "act now" in a way that normal email communications wouldn't.
Parker also advises putting a quick system in place to report incidents, both from the user end and by partnering with your Service Desk.
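The warning signs above and the reporting path into the Service Desk can be backed by a small triage script that a desk analyst runs over a user-reported message. The following is an added example, not code from the article or from any of the people or vendors it quotes. It checks for the urgency language the article describes and, going slightly beyond the text, two other widely used indicators of a spoofed email: a Reply-To domain that differs from the From domain, and a link whose visible text names a different domain than its actual href. The phrase list, the sample message and the domain heuristic are editorial assumptions, not published rules.

```python
"""Triage a user-reported email for common phishing warning signs.

Added example for this article; not the article's or any vendor's code.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency phrasing of the kind the article describes ("act now").
# The list itself is an editorial assumption, not a published blocklist.
URGENCY_PHRASES = (
    "act now", "immediately", "within 24 hours", "account will be suspended",
    "verify your account", "urgent", "final notice",
)

# Constructed sample of a reported message; the domains are fictitious.
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@corp.example.com>
Reply-To: helpdesk@corp-example-support.test
To: user@corp.example.com
Subject: ACTION REQUIRED
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is over quota. Act now or your account will be suspended within 24 hours.</p>
<p><a href="http://corp-example-support.test/reset">https://corp.example.com/reset</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Last two labels of the host in a URL or bare hostname (naive heuristic)."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_email):
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    # Sign 1: replies would go to a different domain than the apparent sender.
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to.split("@")[-1]) != _domain(sender.split("@")[-1]):
        findings.append(f"Reply-To domain differs from From: {reply_to} vs {sender}")

    # Gather every text part (works for single-part and multipart messages).
    text_parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text_parts)

    # Sign 2: the false urgency the article warns about.
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))

    # Sign 3: link text that names one domain while the href goes to another.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and _domain(text) != _domain(href):
            findings.append(f"Link text {text!r} actually points to {href}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Running the block on the constructed sample reports all three signs. None of these checks is proof of phishing on its own; the point is to give the Service Desk a consistent first pass over what users report, so that a suspicious message can be escalated and, per the article's advice, the rest of the staff notified quickly.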
So what does phishing prevention actually look like?
According to Wombat's 2017 State of the Phish report, 92% of organizations are training employees on how to spot and avoid phishing attempts (up from 86% in 2014).
However, Trevor Hawthorn, Chief Technology Officer for Wombat Security Technologies, explains that while the frequency of phishing may not be growing, the threat is definitely evolving.
61% of those surveyed reported experiencing spear phishing, while 44% reported being phished through phone calls and text messages.
The most important things to remember are to educate your end users, have an action plan in place, and measure your successes and failures.
To learn more about the state of phishing, listen to SecureWorld's web conference, State of the Phish 2017.