By Bill Boeck, Lockton
A strong argument can be made that phishing[1] (including its variants, clone phishing,[2] spear phishing,[3] whaling[4] and smishing[5]) is the most important cyber threat facing companies and individuals today. Phishing allows criminals—known as phishermen—to exploit human weaknesses in order to obtain information and gain access to systems that are otherwise well protected. The consequences can be dire and the attacks are hard to prevent, so companies must understand the threat and be prepared for it.
What Is Phishing?
For the uninitiated, phishing involves sending an email that purports to be a legitimate message from a well-known sender. In fact, the email is from a criminal whose goal is to convince the recipient to send confidential information, or to insert malware into the recipient’s computer system.
A typical phishing email might say the recipient’s account could be compromised, asking him or her to “update” information on a spoofed website[6] that appears to belong to the legitimate third party. The phisherman then uses the information to steal the individual’s identity. Here is a good example of this type of phishing email:
Phishing emails can have even more sinister and catastrophic uses. Phishing emails are also used to deliver malware into corporate systems, which then transmits confidential information to the phishermen. Such emails reportedly led to the Target breach in 2013,[7] to the Anthem breach early this year[8] and to other recent high-profile breaches.
This second type of phishing email is frightening. If directed to someone who has the necessary computer system credentials to access confidential data—think C-suite executives or senior information technology (IT) staff—the email may allow the criminals to capture login information or to implant malware that will allow them to completely circumvent safeguards, such as data encryption, firewalls and so on. This is the reason why reports have stated that encryption would not have prevented the Anthem breach.[9]
Ironically, this second, more sinister type of phishing email is often a precursor to the first type of email directed at consumers. For example, the Anthem breach led to phishing emails just two days after the breach was disclosed. The following is an example:
As fraudulent emails go, this one isn’t too bad. This example needs to be read closely to find the telltale characteristics of a phishing email, which will be discussed later. Take a look at this now, though, and ask yourself whether you would have clicked on this. If not, what would have aroused your suspicions? Don’t feel too bad if you would have responded to this. According to the Verizon 2015 Data Breach Investigations Report,[10] 23% of people who receive phishing emails open them.
Who Are the Primary Targets of Phishing Scams?
According to a report issued by the Anti-Phishing Working Group,[11] in Q4 of 2014 (the most recent quarter for which information is available), just three industry sectors were targeted in more than 75% of all phishing attacks.
What Harm Comes from a Phishing Attack?
The harm to consumers is the most obvious. If someone responds to a phishing email, the information he or she provides is certain to be used for identity theft. Depending on what information is given, this can lead to the fraudulent use of credit cards, obtaining bank loans, theft of funds from bank accounts, filing tax returns and the theft of tax refunds, among other equally concerning events.
Companies that have been phished risk the loss of confidential information. This can include data that will facilitate the theft of money, but can also involve the theft of trade secrets and intellectual property. As seen in some high-profile breaches, a phishing attack may also result in the exposure of information that could be embarrassing to the company and its staff.
A phishing attack can also damage a company’s reputation, even if the company had nothing to do with the attack. Phishermen regularly use the brands of companies to phish consumers. If an attack is large and successful enough that people associate the attack with the company, the company may unfairly suffer damage to its reputation, which could lead to a decline in its business.
While the introduction of malware designed to capture confidential information is a primary goal of phishermen now, a frightening possibility exists. Phishing emails could be used to introduce malware, such as the Stuxnet worm,[12] into industrial control systems to cause physical damage. According to a SecurityWeek report, this has already happened to a steel mill in Germany.[13] It is easy to imagine lives being lost as a result, in addition to damaging the company’s reputation.
How to Avoid Phishing Losses
It would be ideal to say there are hardware and software fixes companies and consumers can use to guard against phishing attacks. While such defenses exist, they are not cure-alls. In reality, it is essential for email recipients—from a company’s CEO down to each of its customers—to be vigilant about spotting phishing emails to avoid opening or responding to them.
To recognize and prevent phishing attacks, consider the following:
- Companies need to train their employees to identify phishing emails. This is the best defense available, and needs to be implemented mindfully and continually.
- Phishing attacks frequently originate in non-English-speaking countries, so employees need to look for awkward phrasing. This is one of the indicators in the previously mentioned email examples where phishermen posed as Citibank and Anthem.
- Employees also need to check any links in an email, but not by clicking on them. If the link appears to lead to an odd-looking web address, the email may be suspect. Likewise, if the web address is similar to, but not exactly the same as, a known address, that is a good sign the email is a phishing attempt.
- Emails requesting personal information should be treated as suspect. Given the prevalence of phishing attacks, few companies should be sending legitimate emails asking for such information.
- Spear phishing emails often purport to come from someone or an organization known to the recipient. Employees need to be especially careful about any email that does not seem quite right, either in content, phrasing, appearance or in the overall context of the individual’s relationship with the supposed sender.
- When there is any doubt about an email, an individual should verify that it is legitimate. The best place to start is a company’s website. In the case of Anthem, the company states on its website that it will not contact anyone by email. It is also possible to search the Internet using aspects of the suspect email to determine if it is part of a known scam.
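The link checks in the list above (an odd-looking address, or one that is similar to but not exactly a known address, hidden behind innocent-looking link text) can be automated before a message ever reaches a user. The following is an added example, not code from the article or from Lockton; the allow-list of brand domains and the sample message are constructed for illustration.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed allow-list of the domains the impersonated brands really use (an assumption for this example).
KNOWN_DOMAINS = {"anthem.com", "citibank.com"}

# Pulls (href, visible text) out of <a> tags; adequate for mail bodies, not a general HTML parser.
LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself reads as a web address, e.g. "www.anthem.com".
ADDRESS_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registrable_domain(url_or_host):
    """Last two labels of the hostname ("www.anthem.com" -> "anthem.com"); multi-part TLDs are ignored."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_links(html):
    """Returns {href: reason} for every link a recipient should distrust; links to known domains are omitted."""
    suspicious = {}
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any tags nested inside the anchor text
        target = registrable_domain(href)
        if target in KNOWN_DOMAINS:
            continue
        # Text that shows one address while the link goes to another is the classic tell.
        if ADDRESS_RE.fullmatch(text) and registrable_domain(text) != target:
            suspicious[href] = f"text shows {registrable_domain(text)} but link goes to {target}"
            continue
        # A near-miss of a known brand domain (a character or two changed) is a lookalike domain.
        close = difflib.get_close_matches(target, KNOWN_DOMAINS, n=1, cutoff=0.8)
        suspicious[href] = f"lookalike of {close[0]}" if close else "unknown domain"
    return suspicious


# Constructed sample modelled on the post-breach "update your account" lure described in the article.
SAMPLE_EMAIL = """<p>Dear Member, your account may have been compromised.</p>
<a href="http://anthem-member-update.com/verify">www.anthem.com</a>
<a href="http://www.anthern.com/login">Log in here</a>
<a href="https://www.anthem.com/privacy">Privacy policy</a>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL).items():
        print(f"{href}: {reason}")
```

Only the two deceptive links are reported; the genuine privacy-policy link to the brand's own domain passes. A real mail gateway would use a maintained allow-list and a proper public-suffix list instead of the last-two-labels shortcut.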
How to Avoid Phishing Losses from the Use of Your Brand
For a company whose brand might be used in a phishing attack, there are fewer steps the company can take to protect itself and its customers.
One step would be for companies to clearly state on their website how they will communicate with customers. This will give customers a reference point to help determine if an email is legitimate. The site could also be a place where a company reports known phishing scams involving their brand.
Another step companies can take is to include digital signatures in email messages. Such signatures are cryptographic codes that allow recipients to be certain the email was sent by the specified sender.[14] While the technology for digital signatures currently exists, unfortunately many email senders, internet service providers, email client developers and others have not yet implemented the necessary infrastructure.
There are additional email authentication actions companies can take. Email Answers’s article titled, “Phishing Emails: The Unacceptable Failures of American Express,” highlights a good example of the bad publicity a company may face if it isn’t as careful as it could be.[15]
Phishing and Cyber Insurance
A phishing attack on a company should be covered under a good cyber policy. A policy should cover legal expenses and the cost to investigate what happened. If the attack leads to a data breach, a cyber policy should cover the resulting costs to notify affected individuals, as well as any other costs, such as credit and identity monitoring. Any liability to third parties should be covered under privacy and/or security liability insuring agreements.
In the event the phishing attack results in the corruption or destruction of data, or in business interruption loss, most standard policies will not cover the company’s resulting losses. Such coverage is available, though, and is often an inexpensive policy addition.
If a phishing attack leads to an infiltration of malware that causes physical damage or bodily injury, no standard cyber policy will respond to that loss. Some property policies might conceivably provide some coverage for property damage, but that is by no means certain. Fortunately, insurers are beginning to offer policies that address this exposure.
No cyber policy will cover a damaged reputation sustained by a company whose brand is used in a phishing attack, though it may be possible to cover that loss in a specialized policy.
Better Safe Than Sorry
While phishing is a growing concern and threat in today’s business environment, the awareness of the problem, preventative steps and insurance measures discussed in this article allow companies to combat many of the negative consequences of cybercrime. As phishermen become more advanced in their tactics, so do the security and preventative measures available to companies.
Bill Boeck is the Senior Vice President, Insurance & Claims Counsel, Global Technology and Privacy Practice at Lockton. More than 6,000 professionals at Lockton provide 50,000 clients around the world with risk management, insurance and employee benefits consulting services that improve their businesses. Contact 816-960-9670 or WBoeck@Lockton.com.