Much like political scandals, cyberattacks seem to constantly be in the news, and businesses both big and small must reckon with the threat they pose. Specifically, they must address the threat of attacks that originate in an inbox. According to a recent study by Osterman Research, 67% of malware infections come from e-mail. Most attacks, therefore occur when an employee clicks on an infected link, which then introduces malware into the company’s systems.

How do these attacks happen?
Email attacks can be divided into four basic categories:

• Phishing: these emails are sent to a large number of people, and attempt to “fish” sensitive information by posing as reputable sources such as banks and government organizations.
• Spear-phishing: this strategy is more advanced and more difficult to detect than phishing; consequently, open rates on spear-phishing emails are much higher than those on phishing emails. While phishing involves casting a wide net and sending one email to a large list, spear phishing targets individual users. The attacker researches the company or group, and collects information from social media sites in order to craft personalized messages to users.
• Executive Whaling: cybercriminals will often target C-level executives, who have access to more sensitive information than most employees. This tactic has become increasingly popular since C-level executives are more likely to open suspicious emails, perhaps because they receive so many each day.
• CEO Fraud: also known as “business email compromise”, targets businesses that regularly perform foreign wire transfer payments. While traveling, the CEO’s email will get spoofed, and employees will be asked to transfer large amounts of money out of the country. In January 2015, the FBI reported that cybercriminals had stolen almost $215 million from businesses using this method in the previous 14 months.

Despite the different tactics used by cybercriminals, all of these attacks deploy the same strategy, which is to target gullible users. This problem is unavoidable, as no matter how strong the antivirus software a company has, it will never be 100% effective. Emails will always slip through, and what’s left between a company and a massive data breach are the employees. Businesses therefore see their employees as a liability and a weakness, and try to compensate by buttressing their firewalls. The problem is that some attacks will inevitably slip behind a company’s defenses. If the employees have been left without the tools to combat an attack, the company is left defenseless. The solution is therefore to turn a company’s employees into another layer of protection.

With proper training, phishing victimization rates can fall from 10-25% to 2%. Stay tuned for next week’s article on what an effective cybersecurity training program looks like, and how it achieves its results.