A report from Proofpoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing. The report touts “longlining” as the newest way criminals are sending phishing emails in an effort to bypass technical controls. Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization. This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.
Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.
There has been a lot of talk recently about phishing and brand reputation, specifically how phishing attacks often have a major negative effect on how customers view a particular brand. After a phishing attack, many customers lose trust in a brand.
What happens when you lose your customers’ trust?
Successful brands are built on trust. You’ve spent years building your brand and earning your customers’ trust. Don’t leave your brand equity vulnerable to an attack that could cost you your current and future customers.
Your Brand is at Risk
It’s with good reason that, according to Frost & Sullivan, 71% of security executives consider “protecting their brand” as their top priority. Each year, hundreds of brands are targeted by cybercriminals launching phishing attacks. According to the most recent Anti-Phishing Working Group (APWG) Phishing Attack Trends Report, the number of brands targeted for phishing attacks reached the highest levels on record last year.
Phishing attacks happen, but can they happen to you? They most certainly can. In fact, an ever-increasing number of high-profile attacks are reported in the press on a regular basis. Brands that possess customer data that is considered highly desirable to hackers are bigger targets for phishing attacks, but any brand doing business online is at risk.
Brand Damage: The Cost of Phishing to Your Brand
When a brand is attacked, there are both quantitative and qualitative repercussions. The cost of a phishing attack that affects 500 customer accounts can reach upwards of $1.4 million, when you account for the direct financial loss of funds to the cybercriminal plus the strain on internal resources to manage and investigate the crisis. That’s the immediate financial hit that you can expect, but there is a long-term cost too: your reputation.
When your customers fall victim to an attack on your brand, consumer perception is that it’s all your fault. Once your brand is targeted, your customers are 42% less likely to do business with you in the future.
This sentiment applies even if the consumer doesn’t fall victim to releasing credentials. Simply receiving a phishing email is enough for a consumer to write you off. Thus, your brand can be presumed “guilty by association”. When a consumer is targeted via a phishing attack directed at your brand, the consumer has a negative experience that he/she associates with your brand. Negative experiences will certainly not increase shareholder value.
Adding further insult to injury, the media often takes note of the situation, cementing consumer perception that doing business with you is a risk. While perhaps not fair, your brand becomes caught up in the associated downward spiral. Consumers, fearful of identity theft, choose your competitor.
Be the Brand Consumers Trust
It all comes down to trust.
In many ways, you are the brand that consumers trust. You have a proven track record of delivering quality products and/or services to your customer base. But cybercriminals are using that same strength and equity of your brand to carry out their mission.
In today’s world, your success as a brand is determined, in part, by your ability to protect the safety of your customers. Building a security infrastructure that will allow your customers to do business with you safely is crucial when it comes to keeping and expanding your customer base.
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cybercriminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate their networks. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.