Cybercrime in 2020 reached an all-time high — double what it was the prior year, according to the Anti-Phishing Working Group (APWG), the leading international coalition against cybercrime.1 Billions of dollars are lost every year due to phishing attacks — many of which are preventable. One of the biggest mistakes a business can make when it comes to email phishing is believing that it has enough protection or that it simply won’t happen to them. Well, every year thousands of companies come to regret that mindset. Could you be next? Review some of the most common phishing scam disasters of 2020 and decide if you could have been a victim.
Payroll and HR Phishing Scams:
The IRS reported a rise in phishing scams designed to steal W-2 forms and other tax information. These are Business Email Compromise (BEC) or Business Email Spoofing (BES) scams, and victims include tax professionals, employers and taxpayers.
Immigration law firm Fragomen, Del Rey, Bernsen & Loewy announced a security breach in which an undisclosed number of employee Forms I-9 had been stolen by a hacker. The information taken contained the employee’s full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address. Everything a cybercriminal needs for identity theft.2
Web-Based Email Clients Auto-Forwarding BEC Scam:
According to FBI reports, cybercriminals have been using an auto-forwarding scam on victims’ web-based email clients to conceal their activities. They change the web-based client’s forwarding rules, which often do not sync with the desktop client. This limits the rules’ visibility to cybersecurity administrators. Cybercriminals then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise (BEC).3
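Because such rules may never show up in the desktop client, the reliable place to look is the server-side rule set. The sketch below is an added example, not from the original article or the FBI report: it audits a constructed export of mailbox rules and flags any that forward outside the organisation. The record fields (`forward_to`, `created_via`, `delete_after_forward`) and the domain names are hypothetical.

```python
# Constructed sample of mailbox rules as pulled server-side by an administrator.
# The field names are hypothetical, not any mail platform's real schema.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Invoices",
     "forward_to": ["archive@corp.example.com"], "created_via": "desktop",
     "delete_after_forward": False},
    {"mailbox": "cfo@example.com", "name": ".",
     "forward_to": ["cfo.backup@example.net"], "created_via": "web",
     "delete_after_forward": True},
    {"mailbox": "hr@example.com", "name": "Newsletters",
     "forward_to": [], "created_via": "web", "delete_after_forward": False},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

def is_internal(address, internal_domains):
    """True if the address is in an owned domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that forwards mail outside the organisation."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if not is_internal(a, internal_domains)]
        if not external:
            continue
        reasons = ["forwards to an external address"]
        if rule.get("created_via") == "web":
            reasons.append("set in the web client, may not show in the desktop client")
        if rule.get("delete_after_forward"):
            reasons.append("deletes the local copy after forwarding")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "external_targets": external, "reasons": reasons})
    return findings
```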
Barbara Corcoran, an expert in real estate investment and adviser on TV’s Shark Tank, almost lost $400,000 to a phishing scam when her bookkeeper wired money to a scammer whose email address was one letter off from that of the intended recipients. It was caught just in the nick of time.4
Financial Sector Credential Stuffing:
Credential stuffing is a type of cyberattack in which the scammer relies on the fact that many people use the same email and password combinations for multiple accounts. Once one is broken into, the opportunity to exploit others is apparent. If your company is a bank, financial services provider, insurance company, or investment firm, you’ll want to know that credential stuffing attacks are on the rise. They accounted for 41% of total incidents from 2017 through 2019. Victims of credential stuffing experience remediation costs, downtime, loss of customers, and damage to their reputations. To make matters worse, credential stuffing attacks cost an average of $6 million per year.5
A 51-count indictment was recently filed against 100 Egyptian-based cybercriminals who phished bank credentials and used them to break into the victims’ accounts. Once that was done, the attackers in Egypt communicated via telephone, text messages and Internet chats with their counterparts in the United States to coordinate the online transfer of funds from the compromised accounts to newly created fraudulent accounts.6
Health Care Phishing Attacks:
As you can imagine amid a pandemic, cybercriminals found the healthcare industry to be a great target for data breaches.
In the spring of 2020, Beaumont Health became a victim of an email phishing attack when malicious actors accessed employee email accounts. As a result, more than 112,000 employees and patients had their medical and personal information stolen, which included names, birthdates, Social Security numbers, driver’s license numbers, medical condition data, and bank account information.2
Sadly, regardless of size, no business is safe from email phishing scams and the malicious links or data breaches that they lead to. In fact, one study showed that email phishing scams are on the rise even for smaller organizations — those with 250 or fewer employees — with approximately 1 in 323 emails being malicious.7
2020 showed us that all businesses — regardless of size and industry — require a new type of diligence when it comes to email phishing. The surge in remote work and the use of mobile devices will continue to be vital to business success, but they also put companies at even greater risk of email phishing scams. To make matters worse, some companies believe that human intelligence is the best defense against phishing threats — putting all of the onus on the employee. That is hardly fair, and hardly safe. There is, of course, a better way.
INKY is the industry’s best solution for the security of your email. Cost-effective and powerful, INKY can be implemented quickly, regardless of whether your employees work at the office or remotely. Uniquely effective at catching phishing attacks, INKY uses computer vision, artificial intelligence (AI), and machine learning, to search for signs of fraud. It works on any device, including mobile, and places highly visible warning banners directly in the email. Based in the U.S. but fighting phishing globally, INKY is the best choice for keeping your company safe from the threats that lurk behind so many emails.