Phishing Attacks in numbers: how it affects the corporate world

Published May 3, 2019   |   arvindl

Phishing attacks use social engineering to manipulate a target into giving away personal information. The cybercriminal poses as someone you trust (or could plausibly trust) and convinces you to share information such as bank account details, addresses or phone numbers.

Phishing takes several forms and uses different channels of communication: criminals interact with their target through live calls, instant messaging, chats, emails and so on. It doesn’t matter what channel they use; the goal is simple. They want to extort you.

In this article, we discuss recent statistics on phishing attacks and explain how these attacks work in a corporate environment.

Introduction to phishing

Phishing is a hacking technique that manipulates a user into visiting a fake website or downloading malware so that they give away confidential information. In recent years, phishing attacks on corporations and individuals have grown in number, and phishers become more sophisticated with each attack. Corporations around the world suffer at least 1,000 phishing attacks every month. It is therefore important for companies to find ways to improve their own data privacy, strengthen their internal data protection rules, and meet the standards of international data protection laws.

What are the Data Protection Regulations?

The rules and regulations that protect personal information are updated constantly. The bar for data protection has been raised by several organisations as well as by international unions. If you don’t know how data is protected across different industries and countries, the summary below should help.

GDPR

The General Data Protection Regulation (GDPR) is a regulation enacted recently by the European Union. Its purpose is to protect the privacy of EU citizens by setting out clear requirements and penalties for the processing of personal data. The regulation applies to every organisation that stores and processes such data.

Under this regulation, a user’s personal data includes any information that can be used to identify the user: names, email addresses, phone numbers, home addresses and so on. It also covers attributes such as gender, ethnicity and birth date. An organisation is liable for heavy fines in the event of a personal data breach.

A personal data breach is defined as a breach of security leading to accidental and unlawful destruction, loss, alteration or unauthorised disclosure of personal data. GDPR requires an organisation to report a breach to the appropriate authorities within three days of discovering it.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation imposed on healthcare services and on vendors and subcontractors of healthcare providers. It protects a patient’s personal information from data breaches. This includes:

  • Conversations between patient and healthcare providers related to the patient’s own treatment
  • Billing information, and
  • Medical information stored by the patient’s health insurance provider

Failure to comply with HIPAA requirements results in a hefty fine for the organisation that leaked the information. It can cost $50,000 for every breach.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) protects the confidential data of credit and debit card users. Organisations that handle card data store and protect the user’s account number, name, service code and card expiration date. However, they are not permitted to store full magnetic stripe data, including the CVC code and PIN. The penalty for PCI DSS non-compliance can range from $5,000 to $100,000 every month.

The cost of a breach

Phishing attacks are common, and it is hard to predict when they will happen. When someone falls victim to a phishing attack, the whole network and the brand are at risk, and the resulting reparation costs can be enormous.

Reputational damage

Brands are built on trust. If a company exposes its user database because of weak infrastructure or security, the brand is tarnished: the company’s reputation suffers and its customers lose trust in it. A company’s brand underpins its market capitalisation, so the negative brand effects of these attacks can cost a company a fortune.

Intellectual property loss

Intellectual property theft is the worst loss. Phishing attacks can compromise trade secrets, costly research, customer lists, formulas and product recipes. It is nearly impossible to recover from this kind of loss.

Direct costs

Phishing attacks can cost your company big money. They can lead to fines levied by regulatory bodies where a breach violates HIPAA or PCI DSS. The company itself bears the cost of identity protection and compensation for employees or customers whose data was stolen. Phishing attacks account for 13% of annual cybercrime and cost corporations around the world billions of dollars.

The Change

You can defend yourself against phishing. Organisations are already taking vital steps to reduce the risk of phishing and similar attacks.

As cyber-attacks get more sophisticated, cybersecurity organisations and institutions are making specific anti-phishing defences imperative. Companies need security tools that counter phishing threats and attacks. Anti-phishing tools can help detect phishing attempts, quarantine suspicious emails, and warn recipients before they click on malicious links.

How will it change in 2019?

Phishing attempts have become rampant. The statistics show a 65% increase in phishing attacks since 2017. But how many of these succeeded? It is hard to get an accurate number, for the following reasons:

  • Companies detect a phishing attack and contain it without involving the authorities or notifying outsiders about the breach. The company may choose to resolve the issue and secure its networks, devices, communication channels, etc. This might not stop a powerful attack, but it will fend off many weaker attacks that could otherwise cost a fortune.
  • Only a few companies report such attacks. Some companies don’t realise they’ve been attacked until long after the damage has been done; they get a wake-up call only when their breached data is leaked.

It is believed that 3 out of 4 businesses, nearly 76%, fell victim to phishing in 2017. Since then, 1.5 million new phishing sites have appeared.