Good news – spam is down to just under 50% of all email, according to the June 2015 Symantec Intelligence Report. This is the first time the rate has been under 50% since 2003.
The bad news is that criminal hackers continue to target small businesses. The report states that 38% of spear-phishing targets companies with 250 or fewer employees. As a comparison, 25% of spear phishing targets companies with over 2,500 employees. Spear phishing emails are those that appear to be from a person or a company that you know. They use fake logos, they may include information about you that is available from a social media site, or they may reference someone senior in your company whose name the sender got from your company website. The intent is to get the recipient to open the email and access a URL or open an attachment that includes malware.
Top Industry Targets
The top three industries with the highest volume of spear phishing are:
• Manufacturing – 22%
• Finance, insurance & real estate – 17%
• Professional services – 17%
Both the manufacturing sector and the finance/insurance/real estate sector were the top two targets in May as well.
How to Spot a Spear Phishing Email
Some key flags that might help you identify a spear phishing email include:
• The attachment is a zip file, but the sender was not a known source to the recipient
• The subject line is just “fw: scanned document attached”
• The name in the FROM: field is different from the name in the body of the email
• There are misspellings that don’t make sense for business correspondence
• The domain name is close to, but not exactly, what you expect from a legitimate sender
• Something about the email just doesn’t seem right. Maybe the recipient isn’t the logical person to receive the request or the recipient doesn’t know why he is receiving the email
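The checklist above, turned into a small triage script. This is an added example, not code from the original post; the known-sender list, expected domain, personal names and the sample message are all constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-lists a defender would maintain (not from the original post).
KNOWN_SENDERS = {"accounting@example.com"}
EXPECTED_DOMAINS = {"example.com"}
def spear_phish_flags(raw):
    """Return the checklist flags that fire on one message given as an RFC 822 string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags, body = [], ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # Flag 1: zip attachment, but the sender is not on the known-sender list.
        if name.endswith(".zip") and addr.lower() not in KNOWN_SENDERS:
            flags.append("zip attachment from unknown sender")
        if part.get_content_type() == "text/plain" and not name:
            body += part.get_payload(decode=True).decode(errors="replace")
    # Flag 2: the generic "scanned document" subject line.
    if msg.get("Subject", "").strip().lower() == "fw: scanned document attached":
        flags.append("generic 'scanned document' subject")
    # Flag 3: display name in From: differs from the name signed off in the body.
    m = re.search(r"(?i:regards|thanks|sincerely),?\s*\n\s*([A-Z][a-z]+(?: [A-Z][a-z]+)*)", body)
    if m and display and m.group(1).lower() != display.lower():
        flags.append("From name differs from name in body")
    # Flag 4: sender domain is close to, but not exactly, an expected one ('rn' for 'm').
    if domain not in EXPECTED_DOMAINS and any(
            difflib.SequenceMatcher(None, domain, d).ratio() >= 0.8 for d in EXPECTED_DOMAINS):
        flags.append("lookalike sender domain")
    return flags
# Constructed sample message that trips all four checks at once.
SAMPLE = """\
From: Jane Roberts <jane.roberts@exarnple.com>
Subject: fw: scanned document attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Regards,
Mark Stevens
--b1
Content-Type: application/zip; name="scan.zip"

UEsDBAo=
--b1--
"""
```

Running `spear_phish_flags(SAMPLE)` reports all four flags; a message from a known sender at the expected domain with a matching sign-off reports none.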
Why employees open phishing emails
Studies show that between 23% and 30% of spear phishing emails are opened and that 11% or more of recipients open the attachments. Some recipients open them even though they suspect the email is malicious, which puts your company’s network at risk.
Curiosity is frequently the motivation for opening a suspicious email that promises sex, money or social invitations. Studies found that men are more likely to open a phish that promises sex, money or power, while women are attracted to emails that include social networking invitations.
There is a higher risk they will open emails at work if they are apt to open questionable emails at home. Curiosity trumps common sense, it seems.
What you can do to reduce the risk
Many people don’t realize that there is a huge risk to computers when a phishing email is opened. They don’t realize that the email is not just a joke or inconvenience, but rather a crafty way to get malware onto the system.
Provide training – give your staff examples of phishing scams and explain how they can identify potentially malicious emails. Encourage them to ask someone else for advice before opening a questionable email. If the offer is too good to be true, it is. If the sender is not known, question why that person is contacting an employee.
Educate them on why opening a phishing email can be so damaging to the business – the folks that pay their salary. Have team members take an online free phishing examples quiz like this one from McAfee.
Have staff forward unopened potential phishing emails to a special mailbox. Praise them when they don’t open a scam. Reward them with a gift certificate to the local coffee place or give them a preferred parking space for a week. Small rewards are well worth the savings to your company to reduce the risk of a disruptive malware attack.
June 2015 Symantec Intelligence Report at https://www.symantec.com/security_response/publications/monthlythreatreport.jsp