Phishing Can Cripple Your Organization – Are You Protected?

What is Phishing?

Phishing is the fraudulent practice of using emails, websites, text messages, phone calls, or other channels disguised as trustworthy to trick employees into handing over sensitive information (e.g., passwords or bank account details). Here are some notable phishing statistics published by Tessian:

  • 75% of organizations around the world experienced some type of phishing attack
  • 96% of phishing attacks arrive by email
  • The most impersonated brands are:
    • Microsoft
    • DHL
    • LinkedIn

The top 3 types of data compromised are:

  • Credentials (passwords, usernames, PINs)
  • Personal data (name, address, email address)
  • Medical treatment (treatment information, insurance claims)

Phishing Impact on Multiemployer Plans:

For the multiemployer benefit plan industry, hackers are most interested in gaining access to data and holding it for ransom. Not only can a data breach result in an undesirable public relations situation, but it can also have direct financial implications from penalties and fines charged by regulatory agencies in addition to individual and class action lawsuits.

How to Protect Your Plan:

  1. Set up defensive email policies and train your employees to spot phishing attempts. Defensive email policies include a spam filter, an antivirus solution, a web filter, data encryption and similar controls. Train your employees to spot phishing by checking the actual sender address (not just the display name), being aware of the most impersonated brands, never entering a username and password anywhere other than the organization's own sanctioned sign-in pages, and contacting the organization's helpdesk whenever a phishing attempt is suspected. Configure your mail gateway to add a warning to every message that arrives from outside the organization, such as "This is an external email. Do not click on links or open attachments unless you trust the sender," so employees can immediately recognize phishing emails masquerading as internal communications.
  2. Utilize multi-factor authentication (MFA), which requires users to provide two or more factors to access an organization's systems (e.g., a code from an authenticator app, a text message code, a phone call, or a hardware security key). Prefer authenticator apps or hardware security keys over text messages and phone calls where you can: text message and phone call codes can still be relayed by a phishing page, while hardware keys cannot. Make it a priority to get MFA established in your organization as quickly as possible. Note that cyber-insurance providers increasingly require MFA as a condition of being (or remaining) insured for losses caused by cybercrime.
  3. Establish and enforce strong password policies. For example, require a minimum length of 8 characters, don't mandate periodic password resets, ban common and previously breached passwords, and educate users not to reuse their work passwords on personal accounts. Length is what drives the cost of a brute-force attack: every additional character multiplies the number of guesses an attacker must try by the size of the character set. A space is simply one more character; allowing it (where the system does) makes long, multi-word passphrases easy to type and remember, but it is the extra length, not the space itself, that slows an attacker down. If you do allow spaces, verify that the system actually stores them rather than silently trimming them.
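
The following Python script is an added worked example, not the article's or Withum's own tooling. It applies the password rules recommended above (minimum length, a banned-password list, no composition rules) and estimates brute-force cost so you can see that an extra character of any kind, space or otherwise, is what raises attacker effort. The banned list, the sample passwords and the guess rate of 10 billion guesses per second are constructed assumptions; in production, the banned list should be a real breach corpus.

```python
"""Password-policy check plus brute-force cost estimate.

Constructed example: the banned list below is a tiny stand-in for a
real breach corpus, and the guess rate is an assumed attacker speed.
"""
import unicodedata

MIN_LENGTH = 8  # minimum length recommended in the article (NIST SP 800-63B uses the same floor)

# Constructed sample of a banned-password list (assumption: replace with a breach corpus).
BANNED = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Characters commonly appended to a banned base word to "satisfy" composition rules.
_SUFFIX_CHARS = "0123456789!@#$%^&*."


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    No composition rules are enforced (no "must contain a symbol"); the article
    recommends length and a banned list instead.
    """
    pw = unicodedata.normalize("NFKC", pw)  # treat visually identical Unicode forms alike
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    folded = pw.casefold()
    stem = folded.rstrip(_SUFFIX_CHARS)  # "Password1!" -> "password"
    if folded in BANNED or stem in BANNED:
        problems.append("on the banned-password list")
    if pw.strip() != pw:
        # Many systems trim leading/trailing whitespace before hashing, so the user
        # would be relying on characters that are never actually stored.
        problems.append("leading/trailing whitespace (often silently trimmed)")
    return problems


def charset_size(pw: str) -> int:
    """Size of the smallest union of standard printable-ASCII classes covering pw.

    This is the alphabet an attacker who knows the composition would brute-force.
    The 33 non-alphanumeric printable ASCII characters include the space.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def guesses_to_exhaust(pw: str) -> int:
    """Number of guesses needed to exhaust the keyspace of pw's length and alphabet."""
    return charset_size(pw) ** len(pw)


def years_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust the keyspace at an assumed attacker rate (constructed figure)."""
    return guesses_to_exhaust(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords illustrating the points made in the article.
    for sample in ["short", "Password1!", "Passw0rd!", "Pass w0rd", "  hunter2", "correct horse battery staple"]:
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r:34} charset={charset_size(sample):3} "
              f"keyspace=10^{len(str(guesses_to_exhaust(sample))) - 1:<3} "
              f"years={years_to_exhaust(sample):.3g}  {'; '.join(verdict)}")
```

Note that "Passw0rd!" and "Pass w0rd" have identical keyspaces: swapping a symbol for a space changes nothing. The 28-character lowercase passphrase, drawn from a smaller alphabet, still dwarfs every 9- or 11-character sample because length is the exponent.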

You never want to find yourself having to choose between accepting data loss or paying a ransom. These are just three recommendations, but there are many more such as effective data backup and business continuity programs.

Author: Ashleigh Hall, CPA | [email protected]

Contact Us

If you’re interested in learning more about how to protect your organization from phishing and other cybersecurity threats, please reach out to a Withum team member.