According to a recently released report from Mimecast, more than 90% of organizations have been hit with phishing attacks, and around one-fifth have suffered financial harm. They surveyed more than 800 IT decision makers, and 94% said their firms had seen phishing attacks in the last 12 months. And a more alarming number: 92% reported targeted (but unsuccessful) phishing attempts.
With that being said, what exactly is a phishing attack or scheme?
“Phishing” is when someone (a criminal) sends an email pretending to be someone they are not. The goal of this email is to obtain sensitive information from the recipient. They are looking to acquire things like usernames, passwords, and credit card numbers. They use tactics like impersonating a CEO, Google representative, or credit card company representative to gain trust or elicit fear/urgency from the targets.
For example, you might get an email that looks like it came from Google asking you to update your password. You click the link and are served a webpage that looks identical to a Gmail login page. The only noticeable difference is a slight change to what the traditional Google URL looks like. By entering your username and password on this page, you have just given the attacker full access to your Gmail account and to every other account where you log in with that same email address and password (those sites and services are easy to identify from your inbox). This common Gmail scam is more of the “cast a wide net” approach to phishing.
There is a more targeted version of this threat that is referred to as spear phishing. “Spear phishing” attacks take a more personalized approach, target smaller groups of people using tailored language, and include names of people and companies the recipient is familiar with. This creates a false sense of security that leaves the targets highly vulnerable.
An example of spear phishing is when you receive an email from your CEO or boss with what looks like a Google meeting invite or a link to documents in Microsoft OneDrive. This tactic can be incredibly effective and very dangerous for businesses.
Ever wonder why the number of phishing attacks is skyrocketing? The scam is simple, easy to execute, and profitable for the phisher. Unfortunately, according to a 2017 study done by Cofense (previously known as PhishMe, Inc.), the average cost of a phishing attack for a mid-sized company is $1.6 million. Depending on the situation, these costs can include fines from a variety of regulatory agencies, compensation and settlements to victims, legal fees, investment in new security technologies, and investment in cybersecurity training for employees, not to mention the costs associated with lost business.
Commercial real estate firms are especially susceptible to these attacks. Businesses that deal with private equity and regularly communicate with investors and customers about financial matters are targeted more frequently because it is not out of the ordinary for them to pass personal information back and forth. That is why data security is increasingly important.
How do you protect your business from these attacks?
- Know the signs of a phishing scam
  - Are you expecting an email from this person about this topic? If the answer is “no”, then investigate the sender a little further.
- Always think twice before clicking or downloading
  - Never blindly click a link in an email. Always double and triple check that you know this person, and hover your cursor over the link to see whether the destination address makes sense.
- Never send social security numbers or financial information via email
  - Just don’t do it. Ever. This is the quickest and easiest way to get your identity stolen.
- Verify all websites before providing sensitive information
  - Check the URL. If it looks odd, reach out to the service to confirm that it is secure.
- Use different passwords for different accounts or get LastPass
  - If one account is compromised, the damage can be minimized by having different passwords for different accounts.
- Get a secure platform for financial document dissemination
  - All commercial real estate investing and financial documents should be distributed through a secure platform like IMS.
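The “hover over the link and check the URL” advice above can be automated for an HTML email body: compare the site named in the visible link text with where the href really goes, and flag hosts that mention a trusted brand without belonging to that brand’s own domain. This is an added example, not code from IMS or the original post; the `TRUSTED` table, the `SAMPLE` message and the function names are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Brands the organisation expects mail from, mapped to the domains they really own (constructed sample).
TRUSTED = {"google": {"google.com"}, "microsoft": {"microsoft.com", "onedrive.com"}}

# Constructed sample mail body: one look-alike password-reset link and one genuine link.
SAMPLE = ('<p>Please <a href="http://accounts.google.com.verify-login.net/reset">update your '
          'password at https://accounts.google.com</a>. <a href="https://www.google.com/">Google</a></p>')

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a host name (adequate for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons, host = [], urlparse(href).hostname or ""
    if urlparse(href).scheme != "https":
        reasons.append("not https")
    # The visible text names one site while the href actually leads somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"text says {m.group(1)} but link goes to {host}")
    # A brand name sits in the host (digit 0 read as o) but the registered domain is not the brand's.
    for brand, domains in TRUSTED.items():
        if brand in host.replace("0", "o") and registered_domain(host) not in domains:
            reasons.append(f"{brand} look-alike domain {host}")
    return reasons

def scan_email(html):
    """Map each suspicious href in an HTML mail body to its list of reasons."""
    parser = _LinkParser()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := check_link(h, t))}
```

Running `scan_email(SAMPLE)` flags only the reset link, with three reasons: plain http, link text naming accounts.google.com while the href goes to verify-login.net, and a Google look-alike host.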
When it comes to your sensitive information, you can never be too careful or cautious. Email is extremely insecure. File sharing sites use a robust security model but can only be used for document sharing and require users to remember yet another login and password. The IMS Platform has been architected to prevent security breaches by using banking and military level encryption. It is hosted in the largest and most advanced cloud hosting platform, and our cloud operations team ensures we are proactive in addressing any potential security issues.