Email phishing is a security risk for businesses of every size. It’s successful because it relies on users to be trusting (or careless), and click on a link that looks legitimate but actually causes damage.

What is email phishing?

Phishing is malicious email correspondence that tries to get you to “take the bait” by clicking on an infected attachment or embedded link. Spear phishing is a more refined form of phishing where the email appears to come from someone you know.

Once you click, ransomware (that encrypts your files and demands payment to unencrypt them) or malware (that gathers information for the hacker’s future use) is automatically installed on your computer.

Why is it a security risk for my business?

It only takes one errant click to become a victim of email phishing. Small businesses are not immune because everyone has information that can be valuable to a hacker.

These facts from KnowBe4 describe the prevalence of email phishing:

  • 91% of successful data breaches started with a spear phishing attack.
  • 9 of 10 phishing emails are now ransomware.
  • 75 million phishing scam emails are sent every day.

Verizon’s 2016 Data Breach Investigations Report  explains how fast a mistake can happen. They reviewed the results of over eight million sanctioned phishing tests and found the following:

  • 30% of phishing messages were opened by the target.
  • About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.
  • The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds.
  • The median time to the first click on the attachment was 3 minutes, 45 seconds.

How do I know a phishing email when I see one?

Hackers are clever and they devise emails that trick spam filters and other security tools. They work hard to trick us, too, so we need to be smart when we’re looking at email. One easy step is to teach your employees how to identify suspicious email so they don’t accidentally click. Here are some tips:

  • Don’t open or preview email from people you don’t know or are not expecting.
  • If you know the sender but the subject line is strange, double-check the address. Make sure the address is a reasonable match with the sender’s name and organization.
  • Even if you’re expecting a file, if the file name looks strange, don’t open it.
  • Be careful of,,
  • Delete any request for personal information or offers of help.
  • Don’t unsubscribe from spam, just delete.
  • Open “questionable” Junk email in Junk box. This will disable any links in the email.

You can reduce the email phishing security risks in your company. Simply take a few extra seconds to read your emails and be careful when you click.

If your business needs help managing IT, contact CRU Solutions.