Justin Jackson - Director, Revenue Operations
Sometimes marketer. Aspiring analytics nerd. Donut lover.
The Bottom Line Up Front: Phishing remains one of the top ways cyber adversaries evade your company's perimeter defenses, leading to over $1.7B in losses in the United States during 2019 alone.
If even a well-trained executive can be duped, what does that mean for the rest of your company?
The email looked legit. It came from our new CEO, after all. I mean, for crying out loud, his picture was beaming right there in Outlook, a corporately staccato smile peering right back at me.
"Hey, Justin – welcome to the team! I need you to take a look at some onboarding documents so we can get you started right away."
He used my name. It had to be him. I clicked on the attachment. Nothing happened. I clicked on the attachment a second time. Again—nada. Then it hit me.
"Daaaang it! I think I just got phished."
Phishing Isn't What it Used To Be
Even as I look back at this event—years ago at a company I no longer work for—it's embarrassing that I was so easily duped. But the truth is, phishing remains one of the top ways cyber adversaries evade your company's perimeter defenses.
In fact, according to the 2019 Verizon Data Breach Investigations Report, nearly one-third of all successful data breaches involve phishing in one way or another. And that represents a fraction of what it could be, considering Proofpoint's 2020 survey, which indicated that nearly 90% of all businesses experienced a phishing attack within the past year.
And the costs to businesses associated with phishing compromises are significant. The FBI's Internet Crime Complaint Center reported $1.7 billion in US business losses during 2019 alone—all the result of business email compromise instigated by phishing attacks.
The reason is simple. Employees are soft targets, and are often poorly trained. We humans are engineered to trust, and we become complacent—especially if we believe (or assume) our company already has strong security protocols in place.
Another problem is that attackers are growing more patient, sophisticated, and believable—particularly if they target a specific company or industry. These are not the type of guys sitting behind a keyboard launching emails on behalf of a "Nigerian Prince" looking to move tied-up cash from a recent inheritance.
Indeed, while those scams are still working (if you can believe it), the type of attacker we are discussing is quite different. Today’s expert phishing attackers are often part of a very skilled and well-resourced international crime ring. They are diligent in their research and craft very believable campaigns to target your business. And if I could serve as any proof, they are very capable of duping a "relatively" smart person like myself.
OK. So Back to Me.
So, what happened? How did I—a decently trained person with hours of cyber awareness training—fall victim to this phishing attack?
Here's what I've been able to piece together since I joined Pathfynder and learned more about how these hackers operate. And once you look at it from this perspective, it is eye-opening how easily it can happen, but also how preventable it can be with the proper awareness and training.
We recently uncovered an emerging threat actively targeting industrial manufacturing, shipping, and logistics industries. While this example's sensitivity prevents us from publicly sharing more information at the moment, let's just say this attack is being conducted by a very motivated and talented hacker.
And this brings us to the part that is an unfortunate truth to admit. If a capable attacker has zeroed in on your business, they will likely find a way to breach your defenses. There is no such thing as impenetrable walls in today's cyber fight. Assuming everything is OK is a plan destined for failure.
That doesn't mean we concede, open up the gates, and let in the barbarians. We still need to invest in our perimeter defenses. But we MUST test those defenses routinely and train our employees as best we can.
Bottom line: Shifting to the "inevitability of a breach" mindset will force your company's security to become more active and less complacent, which is needed in today's cyber threat environment, particularly when it comes to phishing attacks.
After all, if it happened to me, it can happen to anyone.
Pathfynder is a service-disabled veteran-owned small business with offices in Washington, D.C. and Bozeman, MT. Shaped by decades of US military and intelligence community experience, we provide cybersecurity expertise and solutions trusted by small and medium-sized businesses as well as Fortune 50 companies.