Financial Professionals are Prime Phishing Targets


Specific industries, such as government and healthcare, are common targets for phishing attacks. The financial industry alone accounted for nearly a quarter of the phishing scams (at least 1.2 million) in 2022. Due to the nature of the job, though, financial professionals must be aware of the significant cybersecurity threat that phishing poses – no matter what industry is being served.

Cybercriminals love to use phishing techniques to gain access to an organization’s finances or data because they are so often successful. They manipulate individuals into taking an action that is against their best interests – such as by clicking on a malicious attachment or sharing sensitive information. You might see cybercriminals send credit card alerts, fraudulent money transfer requests, or even malicious QR codes. All it takes is for one person to fall for their scheme for an organization to suffer from financial loss or compromised data.

Attacks have become more complex over the years as phishing awareness in organizations has increased. One example is a popular attack known as “spear phishing.” In a spear phishing attack, cybercriminals gather information from publicly available sources or data breaches to create convincing messages. Each message is highly personalized to the target, making it more successful and often more rewarding for the attackers, as you’ll see in our example.

The $200K Accounting Fraud Example

Thinking about how easily someone can fall victim to a phishing scam is concerning. In fact, there was a news story in early 2023 about an accountant working for a city in Ohio who received a seemingly legitimate email from an existing vendor asking to update bank-routing information. The accounting assistant complied with the request and continued about their day – completely unaware of the fraudulent nature of the email.

Unfortunately, the city paid the new account over $200k the next day. Not only did the assistant fall victim to the phishing email, but the protocols that were in place to prevent this scam were not followed.

Making matters worse, the finance director did not immediately report the incident. He waited 35 days to inform his superiors. Not surprisingly, the accounting assistant resigned and the city fired the director shortly after.

Phishing Stops with You

Highly targeted attacks make it increasingly important that everyone knows how to identify phishing attacks and that your organization possesses robust cybersecurity measures to safeguard data. Prevent phishing from taking hold within your organization with these 6 best practices:

1. Verify the Sender

Check the sender’s email address and domain to ensure they match known information. When in doubt, verify the email’s legitimacy by reaching the contact directly by phone or video call.

2. Beware of Urgent Requests

Don’t act on emails that pressure you into doing something that seems inappropriate, request sensitive information, or otherwise trigger strong emotions in you.

3. Avoid Clicking Links

Verify link legitimacy by hovering your cursor over it to see the URL before clicking. Don’t click on links from unknown, or untrusted, sources. If the email is requesting urgent account action, navigate directly to the site from your web browser to confirm legitimacy.

4. Avoid Clicking Attachments

Never click on attachments from unknown, or untrusted, sources.

5. Enable Multi-factor Authentication (MFA/2FA) 

Enable MFA when possible for an added layer of account security.

6. Educate Employees

Ensure that all employees are receiving cybersecurity awareness training so they understand how to identify, and respond to, phishing attacks. Additionally, ensure they receive simulated phishing attacks to hone their skills and to document the effectiveness of your training program.
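The sender check from practice 1 can also be automated for vendor mail. The following is an added example, not part of the original article: the vendor name, domains, sample messages, and the `check_sender` helper are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor file: vendor name -> email domain on record (assumption).
KNOWN_VENDOR_DOMAINS = {"Acme Paving": "acmepaving.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def check_sender(raw_email, vendor):
    """Return reasons to verify the message by phone before acting on it."""
    msg = message_from_string(raw_email)
    known = KNOWN_VENDOR_DOMAINS[vendor]
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if from_dom != known:
        if edit_distance(from_dom, known) <= 2:
            findings.append(f"lookalike sender domain: {from_dom}")
        else:
            findings.append(f"sender domain not on file: {from_dom}")
    # Replies silently routed to another domain are a common sign of spoofing.
    if reply_dom and reply_dom != known:
        findings.append(f"Reply-To points elsewhere: {reply_dom}")
    return findings

# Constructed sample messages (not real mail).
BODY = "Subject: Updated bank routing information\n\nPlease use our new account.\n"
SAMPLE_GOOD = "From: Acme Paving <billing@acmepaving.example>\n" + BODY
SAMPLE_LOOKALIKE = "From: Acme Paving <billing@acrnepaving.example>\n" + BODY
SAMPLE_REPLY_TO = ("From: Acme Paving <billing@acmepaving.example>\n"
                   "Reply-To: acme.billing@mailbox.example\n" + BODY)

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_LOOKALIKE", "SAMPLE_REPLY_TO"):
        print(name, check_sender(globals()[name], "Acme Paving"))
```

An empty result means only that the headers match the vendor file. The From header can be forged, so this check does not replace contacting the vendor directly.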
