I Can Protect Your Company from Phishing Attacks
I know it sounds like clickbait. But it’s true – I really can.
So for you cynics out there, here’s the TLDR (Too Long, Didn’t Read): Workplace is the answer.
Let me explain:
What is phishing?
Here’s a little dictionary definition to get you started:
‘Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’
Phishing, ‘Smishing’, ‘Vishing’, and ‘Pharming’ are all attacks where the perpetrator tries to trick someone into giving away information.
And as this short Jimmy Kimmel video shows, people are shockingly susceptible to it.
It’s a problem of human psychology: people are quick to form trust, and then they put their guard down.
And when a fraudster pretends to be calling or emailing from your bank or the police, it’s easy to convince people that they’re coming from a trustworthy place.
Why does phishing work?
There are two key reasons:
The first is down to volume.
I can send out a few billion emails at virtually no cost.
I know that a small percentage of these emails will make it through to an inbox. And according to Verizon, 30% of phishing emails are read, and 12% of those who read click the link.
So if you send a billion emails, and just 0.1% make it to an inbox, then you’ve just got 3,600 people to click your malicious link!
Which brings us nicely to the second issue:
People are a lot less savvy than you might imagine.
As the video above shows, it’s all too easy to trick the unsuspecting into giving away info. We ask the least technically minded people in our organisation to defend us from the most dangerous attacks.
If you were running a bank, you wouldn’t ask the IT guy to guard the vault – so why would you ask the security guard to defend your IT infrastructure?
So now that you’ve got an understanding of what phishing is, allow me to scare you with a few stats:
1. Phishing attempts happen every day
95% of all attacks on enterprise networks are the result of phishing.
And according to Symantec, the average user gets 16 malicious emails per month.
That leads to some terrifying maths:
A small company with 30 employees will be at risk nearly 500 times a month.
A company like Coca Cola (with around 60,000 employees) will have to dodge a bullet almost a million times a month.
And the UK government, with more than 5 million workers, needs to protect itself against nearly 86 million attacks per month.
2. People aren’t good at detecting attacks
A global survey of 19,000 people from Intel and McAfee asked people to find the real and fake emails from a selection of ten. Only 3% were able to successfully identify all of them.
In the real world, 76% of businesses say they’ve been the victim of a phishing attack, and the average phishing attack costs a mid-sized company $1.6 million.
And unfortunately, things aren’t much safer when it comes to big businesses. In the last few years, we’ve seen data breaches that have affected:
· 2 million Vodafone customers in 2013
· 145 million eBay customers in 2014
· 32 million Ashley Madison accounts in 2015
· And 143 million Equifax customers in 2017.
Perhaps worst of all – and ironically – the US Department of Homeland Security had 30,000 accounts hacked back in 2016.
So if you think your team can’t be fooled, think again.
3. Your customers won’t forgive you
According to Deloitte, one in three consumers say they’ll stop dealing with a business when they learn about a breach – regardless of whether they lose anything from the breach.
And according to Aviva, once you’ve had a breach, 60% of your customers will think about moving (and 30% will actually do it).
So how can I protect your company from phishing attacks?
It’s a bold statement – and I promised it wouldn’t be clickbait.
Some of the biggest companies in the world focus on this exact problem, and they’re yet to come up with a foolproof solution.
Is my solution 100% foolproof?
No – or at least, I’m not about to put my mortgage on it.
But it will fix this problem for almost all companies out there. And at its heart, the solution is simple:
Replace email with Workplace
For those of you who don’t know, Workplace is Facebook’s commercial offering.
It shares many of the same features as Facebook, but sits isolated from it.
You log in with a separate corporate identity, the application sits on different servers, and your organisation can log all activity that happens on the platform.
‘But Anthony,’ I hear you say. ‘How can you say Workplace is secure when Facebook is so insecure?’
Well, first of all, Facebook itself isn’t insecure. Phishing attacks work because users trust the source. And when people use Facebook frivolously, connecting with strangers and distant friends of friends, that’s where things can go wrong.
Second, your organisation pays for Workplace.
The cost model is completely different. With Workplace, Facebook makes its money through an invoice rather than selling data to advertisers. In fact, Facebook are contractually precluded from looking at your data (you can check out their recent ISO27018 security standard certification for a warm, fuzzy, secure feeling).
With Workplace, you get Workplace Chat, which looks an awful lot like Facebook Messenger. You can talk one-to-one or in groups, and you can send text, images, files or GIFs.
It sounds a lot like email, right? But there’s a big difference:
Anyone can send an email to anyone.
With Workplace Chat, the only people who can use it are those who have been given access by your IT department.
I can send an email to [email protected], but I can’t send a chat message to that person unless I’ve already been approved by IT.
That means you can tell your teams this:
Email can be malicious, but Workplace Chat is safe.
And the result?
By moving from email to Workplace Chat, you’ve just taken the decision-making process away from the average end-user – the person who clicks malicious links 12% of the time.
But what about people outside your company?
Sure, there are parts of the business that will rely on email.
But you can work around that by creating a Workplace integration.
Let’s say you have a courier partner who delivers stock to your shops and sends the store manager an email.
A hacker would try to send emails to that manager masquerading as the courier – and there’s a 12% chance that the manager would click on the malicious link.
Instead, you can work with your supplier to show them how to use your integration to send messages to the manager via Work Chat – or even a bot!
By giving the supplier a token (which is effectively a password) for the integration, you can be sure that you’re getting messages from the real supplier.
And if you ever suspect the token has been compromised, you can reset it.
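To make the token mechanism concrete, here is an added example (not code from the original post, and not Workplace’s own integration API) of a small gateway that models what is described above: the supplier presents a per-integration secret with each message, the gateway only forwards messages whose token matches the current one (compared in constant time), and IT can reset the token so a leaked copy stops working immediately. The `Integration` class, the “courier-partner” name and the sample messages are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Integration:
    """Hypothetical gateway record for one external partner integration."""
    name: str                                                 # e.g. "courier-partner"
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    audit: list = field(default_factory=list)                 # what IT reviews later

    def reset_token(self) -> str:
        """Issue a fresh token; the old one is invalid from this point on."""
        self.token = secrets.token_urlsafe(32)
        self.audit.append(("token_reset", self.name))
        return self.token

    def deliver(self, presented_token: str, message: str) -> bool:
        """Forward the message only if the presented token is the current one.

        compare_digest avoids leaking the token through timing differences;
        comparing bytes also avoids errors on non-ASCII input.
        """
        ok = hmac.compare_digest(presented_token.encode(), self.token.encode())
        self.audit.append(("accepted" if ok else "rejected", message))
        return ok


def demo():
    """Walk through the courier scenario from the text (constructed data)."""
    courier = Integration("courier-partner")
    supplier_token = courier.token          # handed to the real supplier out of band

    # Genuine supplier message with the valid token: forwarded to the manager.
    r1 = courier.deliver(supplier_token, "Stock for store 12 arrives 09:00")
    # Impersonation attempt without the secret: dropped before anyone sees it.
    r2 = courier.deliver("guessed-token", "Please confirm today's delivery")
    # IT suspects the token leaked and resets it; the old token is now useless.
    courier.reset_token()
    r3 = courier.deliver(supplier_token, "Stock for store 12 arrives 09:00")
    return r1, r2, r3


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The point for the manager is that the decision never reaches them: a message either arrives through the authenticated integration or it does not arrive at all.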
By keeping everything inside Workplace, you’re letting your experienced IT guys make the call on whether something is trustworthy – instead of your less tech-savvy managers or staff.
I can hear one or two dissenting voices at the back of the room:
‘Workplace is nothing special, I can do that with Yammer, Teams, or Slack’.
To an extent, I agree with you. And if you think you can make it work, go ahead.
If we can reduce the risk from phishing – no matter how it’s done – I’m delighted (especially as a concerned consumer of your brand!).
But in all honesty, I think that Workplace hits the sweet spot for this initiative.
It’s generally used by your communications team for top-down messaging, so it’s primed for educating your teams.
It’s technically capable and gives your IT guys the tools to take control – and importantly, it’s familiar enough to your users for them to embrace it on day one.
As always, I’d love to discuss this with you further. Please comment below or reach out to me via our Multi Company Group.