The worst phishing emails are the ones that look like they come from our inner circle. All of us have a “trusted” list floating around in our head — some coworkers, our boss, a handful of business partners, family members, and, of course, official IT emails. When we get correspondence from one of these people, we don’t hesitate to open it and click through its contents. And that’s when hackers strike.
This basic trust issue is at the root of every hack. Phishing is a universal problem that has detrimental impact on organizations across the board — whether you’re a large enterprise or a small business.
Hackers don’t limit their targets based on size to execute on their objectives. They are creative, persistent, and liberal in their efforts.
Unfortunately, the cybersecurity industry hasn’t treated solutions with this same unbiased approach. Cybersecurity companies typically focus only on the top of the market. Accordingly, existing solutions are built for international enterprises with multimillion dollar security budgets, and small-medium companies are left completely unprotected against targeted phishing.
The truth is, the vast majority of businesses aren’t giant corporations. But they do share the web with big companies and face the same threats — and without the bottomless IT budgets and massive head counts. How’s that fair?
The last year has certainly shone a spotlight on the importance of cybersecurity, regardless of industry or size. Part of the solution has been the cloud. Email services from Microsoft’s Office 365 and Google’s G-Suite have been a godsend for companies ranging from 10 employees to 10,000. You don’t have to run a server, worry about patching, or manage upgrades.
Both cloud services do a great job filtering out the bursts of unwanted emails; but while spam has always been mostly a nuisance, phishing emails are the real threat. Low-volume targeted phishing emails sneak through filters and find their way into users’ inboxes, creating a huge risk for organizations.
Targeted phishing emails live on the opposite side of the spectrum as spam, which can be detected by keywords or by sheer volume. Phishing emails make up just 1 in 5,000 emails on the web, a mere .0002%, but they’re the root cause of more than 95% of breaches.
Let’s reminisce. The valuation-changing Yahoo hack started with a spear-phishing attack on a semi-privileged user. Sony, called the biggest hack in history by many, started with a phishing email. Target was breached through an HVAC company it did business with, and that company fell to a phish. Just this year, a hack brought the Democratic National Committee to its knees. The cause? You guessed it, phishing.
Phishing emails masquerade as correspondence with people or organizations we trust and slide by spam filters and anti-virus scanners. Perversely, the more malicious the phishing threat, the easier it is to sneak past existing defenses.
Finding and stopping these tiny volume but highly pernicious emails takes a different set of tools. It takes cutting-edge technologies like computer vision, machine learning, and high speed web crawling to proactively hunt for phishing infrastructure. It also takes a extraordinarily rare knowledge base. The good news is it doesn’t take expensive firewalls, monitoring tools, resource-devouring integrations, or even encryption.
It also doesn’t require phishing education, which treats hacks like user errors and tries to turn your entire staff into part-time security experts. Those programs can only reduce the number of people who fall for an exploit, not stop them. It’s a bit like fixing a boat so it’s 80% waterproof.
The best fix keeps phish, in their many forms — whaling, spear phishing, business email compromise (BEC), to name a few — out of your inbox all together.
To learn more about Area 1 Security’s affordable targeted phishing solution that integrates seamlessly with cloud-forward companies of any size, visit https://email-protection.area1security.com/
We’re offering our service free for 15 days with no credit card to any organization that wants to see phishing attacks coming in at them stopped in real-time.