Phishing and cyber-attacks cost more than you think or can afford
In 2019, IC3, the FBI’s Internet Complaint Center, received just under half a million complaints reporting $3.5 billion in financial damage from cyber-attacks. IC3 also reported almost 24,000 business email phishing attacks that cost $1.7 billion in financial loss. There were 100 complaints of payroll diversion scams with a combined reported loss of $100M. In these scams, cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained the credentials, they are used to access the employee’s payroll account. The cybercriminal then changes the account settings so that the employee no longer receives alerts regarding direct deposit changes, and redirects the payroll funds to an account controlled by the cybercriminal.
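The payroll-diversion sequence described above can be turned into a detection rule. The following is an added example, not from the original article or from IC3: it scans constructed audit events (the event names, field names and 24-hour window are assumptions) for a direct-deposit change made shortly after the same account switched off its alerts.

```python
from datetime import datetime, timedelta

# Constructed audit events. Field names and event types are assumptions for
# this example, not the schema of any real payroll product.
SAMPLE_EVENTS = [
    {"ts": "2020-05-01T08:55:00", "user": "bob", "ip": "198.51.100.20", "event": "login"},
    {"ts": "2020-05-01T09:00:00", "user": "bob", "ip": "198.51.100.20", "event": "direct_deposit_changed"},
    {"ts": "2020-05-02T08:30:00", "user": "alice", "ip": "198.51.100.10", "event": "login"},
    {"ts": "2020-05-04T02:11:00", "user": "alice", "ip": "203.0.113.7", "event": "login"},
    {"ts": "2020-05-04T02:13:00", "user": "alice", "ip": "203.0.113.7", "event": "alerts_disabled"},
    {"ts": "2020-05-04T02:15:00", "user": "alice", "ip": "203.0.113.7", "event": "direct_deposit_changed"},
]


def find_payroll_diversion(events, window=timedelta(hours=24)):
    """Flag direct-deposit changes made shortly after the same account
    switched off its change alerts, the sequence the paragraph describes."""
    findings = []
    alerts_off = {}   # user -> time alerts were last disabled
    first_seen = {}   # (user, ip) -> time that address first appeared
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        first_seen.setdefault((user, ip), ts)
        if ev["event"] == "alerts_disabled":
            alerts_off[user] = ts
        elif ev["event"] == "alerts_enabled":
            alerts_off.pop(user, None)
        elif ev["event"] == "direct_deposit_changed":
            disabled_at = alerts_off.get(user)
            if disabled_at is not None and ts - disabled_at <= window:
                findings.append({
                    "user": user,
                    "ip": ip,
                    "changed_at": ev["ts"],
                    "minutes_after_alerts_off": int((ts - disabled_at).total_seconds() // 60),
                    # An address first seen inside the window adds weight.
                    "new_ip": ts - first_seen[(user, ip)] <= window,
                })
    return findings


if __name__ == "__main__":
    for finding in find_payroll_diversion(SAMPLE_EVENTS):
        print(finding)
```

In the sample data, bob's ordinary bank-detail update is not flagged, while alice's change two minutes after alerts were disabled from a newly seen address is.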
Zogby Analytics, doing research for the German company HSB, polled 500 executives in small to medium-sized businesses across the US. Over half of those contacted said suspicious emails had increased in the last year, and over a third said their organization had received an email from someone pretending to be a senior manager or a vendor requesting payment. Regrettably, further research showed that almost half of the employees receiving such fraudulent emails transferred company funds, resulting in losses often in the $50,000 to $100,000 range, with only 11% being less than $10,000.
According to statistics published by Retruster, 90% of data breaches are a result of phishing, and phishing attempts have grown 65% in the last year. Webroot says one and a half million new phishing sites are created each month, and Verizon says 30% of phishing messages get opened by the targeted user. But the most alarming statistic comes from Inky, which says 60% of small or medium businesses that get hacked go out of business after just six months.
Phishing attacks that go after the reproducible identities used to access accounts can be thwarted by using a security key instead of a password. These security keys provide two-factor authentication (2FA) by being attached to your PC or Mac device and then being touched by you. When activated, the security key uses a FIDO protocol to log into the chosen application, so there is nothing left to phish! Working with the FIDO Alliance, many of the most popular sites, like Dropbox, Facebook, GitHub, Google and Salesforce, support 2FA based on security keys. Different security keys can communicate with your PC, tablet or phone using USB, BLE or NFC.
This year the number of attacks will likely be up again because so many people are now working at home without the entire corporate IT security infrastructure. It is a time to be extra cautious when opening familiar-looking or unsolicited emails and to investigate two-factor authentication so phishing cannot provide the information to duplicate your user identity.