The true cost of phishing attacks is difficult to calculate accurately, but the recent Target data breach settlement gives an indication of just how costly phishing attacks can be. The U.S. retailer has agreed to pay $39.4 million to resolve class-action claims made by banks and credit unions seeking to recover the costs they incurred as a result of the 2013 Target data breach.
The claims were made to try to recover some of the cost of re-issuing credit and debit cards to the 40 million or so customers that had their data stolen by hackers. The banks were also required to issue refunds to customers whose credit or debit cards had been fraudulently used after the 2013 Target data breach.
The Target hack was financially motivated. The perpetrators of the crime sold data or fraudulently used credit card information and the personal details of customers. Approximately 110 million customers of Target may have suffered financial losses or had their identities stolen as a result of the 2013 Target data breach.
Under the settlement, $19.11 million will go to MasterCard card issuers through MasterCard's recovery program, while $20.25 million will be paid directly to banks and credit unions. This is not the only Target data breach settlement reached this year. The retailer agreed to pay Visa card issuers $67 million in the summer, bringing the total card issuer settlement to $106.4 million; more than the $100 million paid to Visa and MasterCard issuers by Heartland Payment Systems Inc. Heartland suffered a massive data breach in 2008 that exposed more than 100 million credit card numbers, and the company had to pay out around $140 million in total to resolve it.
The True Cost of Phishing Attacks
The settlement could have been considerably higher. Target's figures suggest that approximately 40 million credit card numbers were stolen by hackers in 2013, so this settlement alone works out at less than $1 per card number exposed.
In addition to paying $10 million to customers under a separate consumer settlement, Target also had to cover the cost of implementing a swathe of additional security measures after the cyberattack to prevent similar attacks. One of the most expensive measures was the rollout of EMV chip-enabled card readers in its stores nationwide.
Then there was the damage to the company’s reputation. Many consumers have stopped using Target and have switched to other retailers. The total cost of the 2013 data breach may not be known for some months or years.
The 2013 Target data breach started with employees responding to phishing emails. Those employees did not even work for Target, at least not directly. The individuals who fell for the phishing scam worked for a contractor: an HVAC company used by the retailer.
Small to Medium Sized Businesses Face a High Risk of Phishing Attacks
Fazio Mechanical Services, a heating, ventilation and air conditioning subcontractor, was the company the hackers used to gain access to Target's network. Login credentials stolen from Fazio gave the attackers an easy route into Target's network.
Organizations often give limited network access to subcontractors to allow them to remotely access IT systems, either to perform maintenance, firmware or software upgrades, monitor performance, or check energy consumption and tweak systems.
If hackers can break through the defenses of the smaller companies, they can steal login credentials that will allow them to gain a foothold that can be used to attack the systems that subcontractors remote into. That is where the big prize is: a database containing hundreds of thousands – or even millions – of confidential records.
Don’t Cover the Cost of Phishing Attacks: Pay for Anti-Phishing Solutions!
Regardless of the size of your organization, it is essential to put protections in place to make it as hard as possible for hackers to penetrate defenses. Phishing is one of the most common techniques used to steal login credentials, so controls must be put in place to limit phishing risk.
Anti-phishing measures include anti-spam solutions that block phishing emails before they reach inboxes. If malicious attachments and links are identified and quarantined at the gateway, less reliance is placed on staff to spot phishing campaigns. Not all attacks come via email, however. Employees may visit malicious websites and have malware downloaded onto their machines; a web filtering solution helps employers manage this risk by preventing those websites from being visited. Web filtering can also stop malicious adverts (malvertising) from being displayed to employees; these are increasingly used by hackers to direct people to phishing sites.
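To make the gateway-side decision concrete, the following is an added example (not the article's own code, nor any vendor's product) of the kind of heuristic triage an anti-phishing filter performs on an inbound message: a Reply-To domain that differs from the From domain, link text whose visible host differs from the real href host, a sender domain that is a near-lookalike of a trusted domain, and attachments with executable or macro-enabled extensions. The trusted-domain list, the score weights, the quarantine threshold and the three sample messages are all constructed for illustration.

```python
"""Heuristic phishing triage for inbound mail (added example; assumptions noted inline)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains this organisation's staff legitimately correspond with.
TRUSTED_DOMAINS = {"example-hvac.com", "target.example"}
# Extensions an attachment filter would quarantine on sight (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm"}
QUARANTINE_THRESHOLD = 3  # assumed policy: any single strong signal is enough


def domain_of(addr):
    """Return the lower-cased domain of an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike sender domains (targett vs target)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shown_host(text):
    """Hostname a user *sees* in link text, or None if the text is not URL-like."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", text.strip(), re.I)
    return m.group(1).lower() if m else None


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_message(raw):
    """Parse an RFC 5322 message and return (score, reasons) for the signals found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    score, reasons = 0, []
    from_dom = domain_of(str(msg.get("From") or ""))
    reply_dom = domain_of(str(msg.get("Reply-To") or ""))
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        close = [d for d in TRUSTED_DOMAINS if 1 <= levenshtein(from_dom, d) <= 2]
        if close:
            score += 3
            reasons.append(f"sender domain {from_dom} is a lookalike of {close[0]}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            score += 3
            reasons.append(f"risky attachment {fname}")
        if part.get_content_type() == "text/html":
            ext = _LinkExtractor()
            ext.feed(part.get_content())
            for href, text in ext.links:
                shown, real = shown_host(text), urlparse(href).hostname
                if shown and real and shown != real.lower():
                    score += 3
                    reasons.append(f"link shows {shown} but points at {real}")
    return score, reasons


def triage(raw):
    """Gateway decision: quarantine when the score reaches the assumed threshold."""
    return "quarantine" if score_message(raw)[0] >= QUARANTINE_THRESHOLD else "deliver"


def _build(from_addr, subject, text, html=None, reply_to=None, attachment=None):
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "accounts@example-hvac.com", subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


SAMPLE_LEGIT = _build("billing@example-hvac.com", "Invoice 42", "Invoice attached.",
                      html='<p><a href="https://example-hvac.com/invoice/42">https://example-hvac.com/invoice/42</a></p>')
SAMPLE_PHISH = _build("Vendor Portal <portal@targett.example>", "Action required: vendor account verification",
                      "Please verify your account.", reply_to="portal.support@mail-recovery.example",
                      html='<p>Sign in at <a href="http://198.51.100.7/login">https://target.example/login</a></p>')
SAMPLE_MACRO = _build("accounts@billing-dept.example", "Invoice", "See attached.", attachment="invoice_2013.docm")

if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH), ("macro", SAMPLE_MACRO)):
        print(name, triage(raw), score_message(raw))
```

The lookalike check deliberately fires only on distance 1 or 2 from a trusted domain, so an unrelated sender such as the macro sample is judged on its attachment alone; a real gateway would add sender authentication (SPF/DKIM/DMARC) and URL reputation on top of these content signals.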
The cost of phishing attacks is considerable, but those attacks can often be blocked. It is much more cost-effective to implement anti-phishing solutions than to cover the cost of phishing attacks when they do occur; and occur they will.