How phishing affects businesses

April 6, 2015

Phishing used to be an exotic threat, but that was years ago when malicious worms dominated the arena. Much has changed since then, and today phishing routinely hits hard – especially businesses. How does it affect them?

What do they want?

Well, there are many ways, but there’s a single purpose: to steal something. Usually it’s data – preferably financial data and credentials. Phishing is the ultimate kind of social engineering attack. Most of the original attacks leveraging “weaknesses in human interfaces” were one-on-one attacks – effective, but not scalable. Phishing gives the criminals scale and the ability to go after hundreds or thousands of users – all at once.

Cybercriminals create fake emails and websites meant to look like a popular online resource (a social network, online banking services, or online games – the latter are drawing more and more interest from criminals) and use various social engineering methods – i.e. all kinds of possible trickery – to lure users to the website and make them fill out forms with their personal data. And if users do, the criminals have got them.

For years, phishers increasingly attacked financial services, reaching for other people’s and businesses’ money, and as we reported last year, phishing in general is undergoing a sort of “commercialization”: tools to commit crime are bought and sold actively, while, as our survey found, “the effectiveness of phishing, combined with its profitability for criminals and the simplicity of the process, has led to a steadily rising number of these types of incidents.”

Thieving spam: it's no longer about just advertising

The trends continued in 2014. Take a look at our new study and updated numbers on the evolution of phishing and the financial damage it inflicts.

Business-gotcha

Of course, commercial companies are more interesting targets, but to reach the corporate funds criminals have to phish-up certain employees, preferably high-level ones. Ideally, attackers would take on accounting/financial officers – i.e. go the shortest route. But it’s not always possible, so they just cast the net, waiting and hoping that someone gets caught.

According to the Global IT Security Risks Survey of 2014, the typical damage of a breach (including the costs of hiring professional services, increased downtime, and lost business opportunities) was $35,000 for small-to-mid-sized businesses and $690,000 for enterprises.

These figures are quite formidable, and the risks for smaller companies are larger, since their financial stability can be undermined by just one incident.