When a message tricks its recipient into believing it comes from your company so that they act on a lure (open an attachment, follow a link, hand over credentials or a payment), that is phishing.
Phishing is a problem not only for the recipient but also for your company!
The FTC has long advised consumers about steps to avoid phishing scams.
But what should your business do if customers contact your company, upset that they responded to a phishing email from a scammer impersonating your legitimate business?
What types of phishing attacks can occur?
Phishing is an insidious attack that is not confined to email messages; the lure, and the fake website or login page it points to, can be delivered through other channels as well:
- Through social networks, by impersonating a friend
- Across social media, by impersonating an organization
- By SMS / text message (smishing)
- By direct phone call (vishing)
Phishing attacks also differ in how they build trust:
- They may use your company's branding, together with a look-alike sender address or domain (spoofing).
- They may impersonate someone in authority or a support team at your company and open with a plausible request for information (pretexting).
The mix of messaging platforms, the constant shape-shifting, and the masking of the attacker's methods make phishing attacks hard to defend against.
How does phishing affect a business?
The damage phishing has caused to companies includes, and often accumulates across, the following:
- Insertion of malicious code in your website
- Exposure of personal information (PII)
- Compromised user accounts
- Criminals gaining access to sensitive information related to the company
- Data breach, and a loss of intellectual property
- Disruption of business operations
- Download of malware and a follow-on ransomware attack
- Security breaches
- Damage to company reputation
- Loss of customers
- Loss in company value
- Regulatory fines
The cumulative damage can be severe enough to put an organization out of business.
Phishing that trades on your company's good name and reputation is a serious business risk: work to prevent it, and act immediately when it happens.
Is phishing illegal?
If consumers fall victim to phishing schemes that falsely invoke your company name, they may look to you for guidance on the next steps to take.
Offering immediate advice and support can help you keep the goodwill you’ve worked to develop.
How should your business react to being impersonated?
Here is a list of actions you can take to minimize the damage from phishing:
- Immediately check your email authentication records and web server SSL certificates
- Contact law enforcement directly
- Notify customers
- Educate customers
- Request affected customers to forward phishing email samples
- If identity theft is involved, provide resource information
- Update your security practices
1. Immediately check your email authentication records and web server SSL certificates
Confirm that every domain you send mail from publishes SPF, DKIM and DMARC records in DNS (SPF and DMARC are TXT records on the domain, not settings on a mail server) and that the DMARC policy is enforcing (p=quarantine or p=reject); a p=none policy only monitors and does not stop spoofed mail. Also confirm that every web server presents a valid, unexpired SSL/TLS certificate, so customers who type your real address get a trusted connection rather than a browser warning.
2. Contact law enforcement directly
If you become aware of a phishing scam impersonating your business, report the fraud immediately to the FBI's Internet Crime Complaint Center (IC3) and the FTC's fraud reporting site, or to law enforcement in your country.
3. Notify customers
If you are alerted to a phishing scam in which criminals impersonate your business, tell your customers as soon as possible, through a channel they already trust (your website, your app, or your regular newsletter), to ignore suspicious emails, text messages or phone calls claiming to be from your company.
4. Educate customers
Remind your customers that a legitimate business like yours never asks for passwords, card numbers or other personal information through insecure channels such as email or text messages, and that they should navigate to your site directly rather than follow a link in a message.
When you know that customers have been affected, tell them how they can protect themselves online and avoid phishing attacks.
Point them to the FTC's consumer information site for recommended computer security practices, or publish a page of guidance on your own site.
5. Request affected customers to forward phishing email samples
Ask affected customers who have received a phish to forward the message, with full headers where possible, to Abusix and the Anti-Phishing Working Group (APWG). Keep a copy for yourself as well: the headers show the sending infrastructure, and the links show the domains that need to be taken down.
6. If identity theft is involved, provide resource information
If consumers believe they may be victims of identity theft because of the phishing scam impersonating your business, direct them to the FTC’s Identity Theft site.
There, they can report and get the FTC’s help in recovering from identity theft.
7. Update your security practices
Data security isn't a one-time checklist. Threats keep evolving, so your defenses have to keep improving: review the incident, identify the gap it exposed, and close it.
Best practices to prevent phishing
- Properly configure your mail server
- Publish SPF, DKIM, and DMARC records for all your sending domains.
- Apply SSL/TLS certificates to all your web servers.
- Require two-factor authentication (2FA) on all web applications
- Install a Web Application Firewall (WAF).
- Install an Applications Delivery Platform (ADP)
1. Properly configure your mail server
Spam, and the targeted phishing it carries, is still causing havoc in 2022. Are your domains and mail servers secured? Do you treat every employee and customer mailbox as a potential point of compromise?
2. Publish SPF, DKIM, and DMARC for all your sending domains
These protocols do not guard your domain against unauthorized access; what they do is let receiving mail servers verify that a message claiming to come from your domain really originated from your mail platform. SPF lists the hosts permitted to send for the domain, DKIM signs each message so tampering and forgery are detectable, and DMARC tells receivers what to do when both checks fail (monitor, quarantine or reject) and where to send reports. With DMARC at p=reject, a scammer spoofing your address is refused rather than delivered.
3. Apply SSL/TLS certificates to all your web servers
An SSL/TLS certificate installed on your web server lets a visitor's browser verify that it has reached your genuine site and sets up an encrypted connection between the browser and the server. Redirect plain HTTP to HTTPS so the padlock is always present on your real site. Note the limit of this control: a cloned phishing site can obtain its own certificate, so a padlock alone does not prove legitimacy; what you avoid is training customers to click past warnings on your genuine site.
4. Require two-factor authentication (2FA) on all web applications
2FA is a login process that verifies a user with two independent factors.
Rather than relying on a single password that stays valid until it is changed, the login also requires a short-lived one-time code (valid for only a few minutes) sent to the user's phone or generated by an authenticator app, or the presence of a hardware security key. One caveat a practitioner should know: a one-time code can still be relayed by a phishing site that proxies the real login in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site, are the stronger choice where you can deploy them.
5. Install a Web Application Firewall (WAF)
A WAF protects a web application by applying rules to each HTTP request, blocking patterns such as SQL injection, cross-site scripting and path traversal before they reach the application. Because the application must stay reachable from the internet on its public ports, the WAF is the layer that filters what arrives there.
Many WAFs also rate-limit clients, which lets them detect application-layer denial-of-service traffic early and absorb it, making it harder for an attacker to probe the application and database with a stream of attempted attacks.
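As an added illustration of what "applying rules to an HTTP session" means in practice, here is a minimal request filter (example code, not from the original article or any real WAF product) that runs signature rules over decoded request data and enforces a per-client sliding-window rate limit. The requests and client addresses are constructed samples, and the rule set is deliberately small; a production WAF ships thousands of rules and tunes them against false positives.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Signature rules applied to the decoded path, query string and body.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon(load|error|click|mouseover|focus)\s*=)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
]


class RateLimiter:
    """Sliding-window limit: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit=20, window=10.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of recent allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def inspect(request, limiter, now):
    """Return ("allow", None) or ("block", reason) for one request dict."""
    if not limiter.allow(request["client"], now):
        return ("block", "rate-limit")
    raw = " ".join([request["path"], request.get("query", ""), request.get("body", "")])
    # Decode twice so double-encoded payloads (%252e%252e%252f -> %2e%2e%2f -> ../)
    # are matched in their final form rather than slipping past the rules.
    text = unquote_plus(unquote_plus(raw))
    for name, pattern in RULES:
        if pattern.search(text):
            return ("block", name)
    return ("allow", None)


# Constructed sample requests (not captured traffic); addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/login", "query": "", "body": "user=alice&pass=hunter2"},
    {"client": "198.51.100.9", "path": "/search", "query": "q=' OR '1'='1", "body": ""},
    {"client": "198.51.100.9", "path": "/files", "query": "name=%252e%252e%252fetc%252fpasswd", "body": ""},
    {"client": "198.51.100.9", "path": "/profile", "query": "", "body": "bio=<script>alert(1)</script>"},
]


def run_samples(limit=100):
    """Inspect the samples in order at the same instant; returns the block reason per request."""
    limiter = RateLimiter(limit=limit, window=10.0)
    return [inspect(r, limiter, 1000.0)[1] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, reason in zip(SAMPLE_REQUESTS, run_samples()):
        print(req["client"], req["path"], "->", reason or "allow")
```

The double decode is the detail worth noting: encoding a payload twice is a standard way to get past a filter that decodes only once, so the filter must normalize to the same form the application will eventually see.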
6. Install an Applications Delivery Platform (ADP)
If you host a web application, you will see attacks delivered inside SSL/TLS sessions.
Because the traffic is encrypted, an attacker can tunnel HTTP attacks to the server past any inspection point that does not terminate TLS.
Decrypting and inspecting that traffic is resource-intensive, and traffic volume during an attack can vary widely. If you run a web-based business, consider offloading TLS termination to an ADP that inspects the decrypted traffic for signs of attacks or policy violations.
After inspection, the ADP re-encrypts the traffic and forwards it to the origin server.
A phishing attack can be expensive for your business
Businesses have paid hundreds of millions of dollars because of phishing attacks.
Facebook and Google together lost more than $100 million between 2013 and 2015 to a Lithuanian man who impersonated Quanta Computer, a hardware supplier both companies use. The phish was nothing more than fake invoices that looked like the real ones.
Hundreds of millions more are paid out in ransomware attacks, many of which begin with a phishing email.
These numbers are rising rapidly, occurring across many industries, and getting more expensive. No organization is safe.
Banks experienced a 520% increase in phishing and ransomware attempts between March and June 2020. (American Banker, 2020). The average ransom fee requested increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021). The average ransomware attack cost in the higher education industry is $447,000. (BlueVoyant, 2021)
So phishing isn't only about compromising a user's email account.
In the end, a phishing campaign succeeds when your company leaves a door or window open: an unprotected sending domain, a site without HTTPS, a login guarded by a password alone, or staff who have not been trained to spot the lure. The cybercriminal simply walks in.
Secure your company's identity, put a web application firewall in front of your applications, monitor for impersonation, and train your employees to recognize and report phishing.
Don't be sloppy, because you could be next, and out of business.