Phishing is, and will continue to be, the cybercriminal’s favorite mode of attack. The reason is that it is simple to dupe even the smartest person with a cunning email designed to wreak havoc on an organization. Approximately 97% of employees across multiple industries cannot recognize a sophisticated phishing email. This creates tremendous risk for companies and adds pressure on MSPs to keep them safe. Unfortunately, phishing is here to stay, and the bad guys are only getting better at it.
Types Of Attacks On The Horizon
MSPs should be mindful that phishing attacks will continue to evolve in 2022. They will need to budget accordingly and anticipate spending more funds on preventive measures than they did last year so they can protect their customers’ infrastructure as well as their own. Here’s what to look out for.
Attacks will get more creative. Spoofed emails will become harder to distinguish from authentic ones. Email users may see clever subject lines such as “changes to your health benefits” or “unusual login detected.” Other popular lures could revolve around declined memberships, fake calls to action about subscriptions, and billing and payment alerts.
Cybercriminals are also getting savvier with their use of deceptive links. Unsuspecting users may be misled into clicking links that send them to malicious websites. And that is not all. Methods using artificial intelligence (AI), such as cloning someone’s voice to get them to reveal sensitive information, will become more commonplace.
Clients in certain sectors may require more support. The top five sectors in which employees interact with phishing messages are consulting, apparel and accessories, education, technology, and conglomerates/multi-nationals. There are opportunities here for MSPs when it comes to offering security awareness training as well as the implementation of anti-phishing tools.
Keeping Clients Safe
Phishing prevention requires a comprehensive strategy that incorporates AI, email security, and cybersecurity awareness training. The first line of defense is to invest in AI-based prevention tools that monitor and analyze email communications for behavioral signals: the devices used by external senders and employees, whom they message, what time of day they communicate, and where they communicate from. This information is used to build profiles of trusted email senders; incoming emails are then compared against these profiles to authenticate the sender and to detect and block phishing attempts. AI-based monitoring software can even detect fake login pages and recognize altered signatures in scanned images. Malicious emails are automatically quarantined so the end user never interacts with harmful messages.
Email security is another essential tool to combat cybercriminals. Solutions that offer warning banners and flag suspicious emails allow users to quarantine a message or mark it safe with one click. Compromised passwords can open the door to cyberattacks. An identity and access management (IAM) tool can combine single sign-on (SSO), multifactor authentication (MFA), and password management into one integrated solution. Another option is passwordless authentication, which reduces the security risks associated with passwords. It works by verifying a user’s identity with biometrics, such as fingerprints, or with one-time passwords, which require the user to enter a code delivered via email, SMS, or an authenticator app.
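The two preceding paragraphs describe sender profiling (who writes to whom, at what hour, from where) feeding a gateway that either quarantines a message or delivers it with a warning banner. The following is an added illustration of that pipeline in Python; it is not code from the article or from Graphus/ID Agent. The message history, the deviation weights and the quarantine/banner thresholds are constructed for the example, and real products learn far richer baselines than these four fields.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of historical mail metadata (not real traffic). One tuple
# per delivered message: (sender, recipient, hour sent 0-23, country of the
# connecting IP). Message bodies are never consulted; this is behavior only.
HISTORY = [
    ("cfo@example.com", "ap@example.com", 9, "US"),
    ("cfo@example.com", "ap@example.com", 10, "US"),
    ("cfo@example.com", "ceo@example.com", 14, "US"),
    ("cfo@example.com", "ap@example.com", 16, "US"),
    ("vendor@supplier-co.test", "ap@example.com", 11, "DE"),
    ("vendor@supplier-co.test", "ap@example.com", 13, "DE"),
    ("vendor@supplier-co.test", "purchasing@example.com", 12, "DE"),
]

# Assumed points per deviation; the thresholds below turn a score into an action.
WEIGHTS = {"lookalike": 3, "unknown": 1, "recipient": 1, "hour": 1, "country": 2}
QUARANTINE_AT = 3   # withhold from the user entirely
BANNER_AT = 1       # deliver with a warning banner and a one-click report option


@dataclass
class SenderProfile:
    """What 'normal' looks like for one sender, learned from HISTORY."""
    recipients: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    messages: int = 0


def build_profiles(history):
    """Aggregate past traffic into one profile per (lower-cased) sender."""
    profiles = defaultdict(SenderProfile)
    for sender, recipient, hour, country in history:
        p = profiles[sender.lower()]
        p.recipients.add(recipient.lower())
        p.hours.add(hour)
        p.countries.add(country)
        p.messages += 1
    return dict(profiles)


def _local(address):
    return address.lower().rsplit("@", 1)[0]


def _domain(address):
    return address.lower().rsplit("@", 1)[-1]


def _hour_distance(a, b):
    """Distance on a 24-hour clock: 23:00 and 01:00 are two hours apart, not 22."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_message(profiles, sender, recipient, hour, country):
    """Return (score, reasons) for one incoming message judged against the profiles."""
    sender = sender.lower()
    reasons = []
    profile = profiles.get(sender)

    if profile is None:
        # Unknown address: the same local part as a trusted sender but on a
        # different domain is the classic lookalike-domain spoof.
        lookalikes = [k for k in profiles
                      if _local(k) == _local(sender) and _domain(k) != _domain(sender)]
        if lookalikes:
            for k in lookalikes:
                reasons.append(("lookalike", f"resembles trusted sender {k}"))
        else:
            reasons.append(("unknown", "first contact from this address"))
    else:
        if recipient.lower() not in profile.recipients:
            reasons.append(("recipient", f"never previously wrote to {recipient}"))
        if all(_hour_distance(hour, h) > 2 for h in profile.hours):
            reasons.append(("hour", f"sent at {hour:02d}:00, outside usual hours"))
        if country not in profile.countries:
            reasons.append(("country", f"sent from {country}, not seen before"))

    score = sum(WEIGHTS[kind] for kind, _ in reasons)
    return score, [text for _, text in reasons]


def triage(profiles, sender, recipient, hour, country):
    """Map a score to the action the mail gateway should take."""
    score, reasons = score_message(profiles, sender, recipient, hour, country)
    if score >= QUARANTINE_AT:
        action = "quarantine"
    elif score >= BANNER_AT:
        action = "banner"
    else:
        action = "deliver"
    return action, score, reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed incoming messages: normal, lookalike domain, new recipient, odd hour and country.
    for msg in [
        ("cfo@example.com", "ap@example.com", 10, "US"),
        ("cfo@examp1e.com", "ap@example.com", 9, "US"),
        ("vendor@supplier-co.test", "ceo@example.com", 12, "DE"),
        ("vendor@supplier-co.test", "ap@example.com", 3, "RU"),
    ]:
        print(msg[0], "->", triage(profiles, *msg))
```

The reasons list is what a warning banner would show the user, and the score is what decides between banner and quarantine. Tuning the weights and thresholds against the false-positive rate a given client will tolerate is the real work; a gateway that quarantines every new vendor will be switched off within a week.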
Finally, an organization is only as strong as its people. Security awareness training is no longer a “nice-to-have”; it is a necessity, and one that MSPs can offer as a service. By increasing security awareness, an organization can reduce its chance of a cybersecurity incident by up to 70%. Security awareness training should be offered when onboarding employees. After that, phishing simulation campaigns should be carried out monthly, since research shows that trained employees begin to lose what they learned 4–6 months after each session.
Changing Mindsets Is Part Of The Strategy
It’s hard to argue against cybersecurity training, given the threat landscape, but it can be burdensome. For this reason, many organizations and their employees may not prioritize it, or they will skip it altogether. The opportunity for MSPs to offer the training is ripe, with the easy sell that a cyberattack can result in lost revenue, reputational damage, compromised data, operational disruption, and even lawsuits.
To engage employees in company training so they don’t see it as a chore, it needs to be simple. Training should be delivered in easy-to-digest formats, such as videos. The ideal length is 15–30 minutes to ensure maximum retention of what was learned. When it comes to compliance topics, there may be a lot of ground to cover. Rather than making sessions longer, they should be broken up into two or more segments. Whatever the subject matter, training should always focus on one main idea and provide sample scenarios in which participants are asked questions to test their knowledge of best practices.
Another thing to keep in mind is that there are many types of cybersecurity training, each targeting a different aspect of security. Topics such as clean desk policy, strong password practices, and how to avoid phishing scams fall under training for protecting credentials, while data privacy training covers privacy risks and secure connections. Other useful topics range from physical security to threats such as ransomware, account takeover, and business email compromise. With many employees still in remote or hybrid work arrangements, mobile security training is equally critical: it teaches them how to secure their mobile devices and covers Wi-Fi security, device management, and backups as they pertain to mobile.
Phishing is not going anywhere, and attacks are only getting more sophisticated. There is tremendous opportunity for MSPs to help their clients with their cybersecurity strategies and solutions. It is more important than ever to stay aware of the latest threats so you can best advise and protect your clients as well as your own business.
Phishing At A Glance
- 1 in 3 employees are likely to click the links in phishing emails.
- 1 in 8 employees are likely to share information requested in a phishing email.
- 60% of employees opened emails they weren’t fully confident were safe.
- 45% click emails they consider to be suspicious “just in case it’s important.”
- 45% of employees never report suspicious messages to IT for review.
- 41% of employees failed to notice a phishing message because they were tired.
- 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.
Manoj Srivastava is the general manager of security for Kaseya’s ID Agent and Graphus companies. He is the co-founder and former CEO of Graphus before it was acquired by Kaseya. Learn more about how to prevent phishing attacks by visiting www.Graphus.ai or www.IDAgent.com.