Phishing attacks target the time-poor, leaving devastating impacts on small businesses
There’s been lots of discussion among our IT peers around security awareness training and following your gut. But what Manage Protect is hearing through our partners is that our end customers, people in small businesses (including the IT savvy, and those who are less so), are not picking up on a lot of phishing emails which, frankly, look real.
Our gut instinct largely comes from our subconscious brain’s ability to process large amounts of sensory input that is correlated in a way that our analytical brain cannot.
While we should always take heed of our gut instincts, in the age of targeted phishing email attacks, I just don’t think this is a reliable detector. In fact, it can also give us a false sense of confidence.
It’s not like the old days when spam was designed to be clicked on by those who were most likely to be successfully duped by a bad actor. For most of us, it was quite obvious that a scam was indeed a scam.
Why phishing attacks targeting time-poor employees are successful
Now, these emails are crafted so subtly and carefully that the target recipient (who is probably juggling more, and struggling with working from home) will multi-task while reading an email and quickly respond rather than spending an appropriate amount of time analysing it.
How many of us even read a full email from start to finish these days? Or do we just scan it to understand the key points and what actions to take? How many of us read it on a device like a phone or tablet that doesn’t provide the full email address or details of the sender?
Many of us see emails as a task or request for information. If it’s from a colleague, or someone we expect, then we try to help out, get the task done and move onto the next task — myself included.
Unfortunately, the intentional targets of many of these phishing attempts are busy people in small to medium businesses (SMBs). These people have access and the authority to perform financial transactions, or to disclose information which then allows an impersonator to escalate their attack.
A typical phishing attack
A good example of an opportunistic phishing attack we’ve recently seen is a new staff member starting at a business. The company happily shares an announcement on their blog and social platforms. It’s also relatively easy to find the person who handles payroll in that business on professional platforms, as well as their email address.
The impersonator crafts an email to payroll from the new employee, maybe a week or two into their role. The email reads “Hello, I have just changed my bank account details — how do I go about getting my pay deposited into the new account?”.
The person in payroll reads the message on a phone and can’t see the sender address, just the name offered in the email header.
No one in the business knows the new employee very well. They don’t know how he/she generally interacts, so there’s no suspicion raised when a request like this comes through. The person in payroll updates the new employee’s bank details and deposits pay as usual for that pay run – or so they think.
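As an added example from the defender's side (this is not Manage Protect's code or product), the Python check below flags the pattern just described: a message whose display name matches a staff member while the sending address is external, whose Reply-To points elsewhere, or whose body asks to redirect pay. The company domain, staff names and sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values (hypothetical): the company's mail domain and the display
# names its staff use. A real check would read these from the staff directory.
INTERNAL_DOMAIN = "example-smb.com.au"
STAFF_NAMES = {"Jane Citizen", "Sam Lee"}

# Wording typical of a pay-redirection request.
BANK_CHANGE_RE = re.compile(
    r"(changed|updated|new)\s+(my\s+)?bank\s+(account|details)"
    r"|deposit(ed)?\s+into\s+(the|my)\s+new\s+account", re.IGNORECASE)

def _normalise(name):
    return " ".join(name.replace('"', "").split()).lower()

def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def _plain_text(msg):
    # walk() yields the message itself when it is not multipart.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess_email(raw_message):
    """Return reasons to hold this message for human review (empty list = nothing fired)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # The phone-screen problem: the name looks like a colleague, the address does not.
    if _normalise(display) in {_normalise(n) for n in STAFF_NAMES} and _domain(address) != INTERNAL_DOMAIN:
        reasons.append("display name matches a staff member but sender domain is external")
    if reply_to and _domain(reply_to) != _domain(address):
        reasons.append("Reply-To domain differs from the From domain")
    if BANK_CHANGE_RE.search(_plain_text(msg)):
        reasons.append("body asks to change bank or pay-deposit details")
    return reasons

# Constructed sample modelled on the email quoted above.
SAMPLE = """From: "Jane Citizen" <jane.citizen.1987@freemail.example>
Content-Type: text/plain; charset="utf-8"

Hello, I have just changed my bank account details - how do I go about getting my pay deposited into the new account?
"""
```

Any non-empty result is a reason to pause and confirm the request through a channel other than the email itself, which is the control the phone-screen scenario above lacks.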
Protecting businesses from phishing attacks
In Australia, there is no way to retrieve money from the receiving bank once direct deposit funds are sent, so prevention and detection of such phishing attempts are essential.
It only takes one unintentional slip-up to lose thousands of dollars (or more!), enough to cripple a small company or put it out of business. Unfortunately, the smaller the business, the more devastating the impact tends to be.
In this day and age, when we consider the likelihood of phishing attempts and the potential impact of a successful one, the investment in tools to protect a business seems insignificant in comparison.
– Andrew Johnson, Managing Director
Solution
When Manage Protect was investigating solutions trained on phishing attempts, there were few which met our criteria. Based on our mission to uncover a best-of-breed solution, we found a tool that uses artificial intelligence, machine learning and deep data science to distinguish a phishing attack from ordinary emails.