Without the right knowledge, employees can be tricked into unwittingly giving access or sensitive data to hackers seeking to harm your business. Phishing (fish-ing noun) is a cybercrime where targets are contacted via telephone, text message or email by someone posing as a legitimate institution to lure people into providing sensitive data like personally identifiable information, credit card and banking details, passwords, etc. But with the right knowledge, you can recognize these cyberattackers without having to dig for answers.
What Do Phishers Do with Your Data?
Once your information is obtained, it is used to access valuable accounts and can result in identity theft and financial loss. Implementing security measures does little to nothing if your employees are clicking malicious links they believe came from friends or clients, giving away the keys to your business. By claiming to be from IT, phishers attempt to trick employees into installing malware or to gain insight for attacks. Train your employees not to hesitate to contact your IT department if they are receiving suspicious calls or emails. Besides email and website phishing, there is also ‘vishing’ (voice phishing), ‘smishing’ (SMS phishing) and various other phishing techniques hackers and cybercriminals are developing.
The first phishing lawsuit was filed in 2004 against a California teenager who created an imitation website for “America Online”. He used this fake website to gain sensitive information from users and access the credit card details to withdraw money from their accounts.
Common Phishing Emails
Too Good to be True
Profitable offers and attention-grabbing statements are designed to attract people’s immediate attention. Many will claim that you have won a prize of some sort, such as an iPhone, a vacation, a lottery or some other lavish prize. If it seems too good to be true, it most likely is! Never click on any suspicious emails.
What’s the Rush?
A popular tactic among cybercriminals is to urge you to “ACT FAST!” because the amazing deals are only for a limited time. Some will claim that you only have a few minutes to respond; others will tell you that your account will be suspended unless you update your personal information immediately. These emails are best ignored. Reliable organizations give you substantial time to update any information needed, and will never reach out to users over an unsecured internet ad.
Links can act as the perfect disguise. Hovering over a link shows you the true URL the link will take you to upon clicking it. Usually, it will display a completely different site, or appear to be a popular organization’s website with a misspelling, such as www.anericaonline.com, where the ‘m’ is actually an ‘n’, so look closely.
Attachments can be tricky. If you weren’t expecting it, don’t open it! Attachments often hold payloads like ransomware or other harmful viruses. The only file type that is always safe to open is a .txt file.
Everyone gets curious. Whether you receive an email from someone you do or do not know, if anything appears out of the ordinary, unexpected or suspicious, do not click on it.
It’s imperative not to leak intellectual property, not even accidentally. Cybercriminals go to great lengths to obtain sensitive data. Sharing a picture online with a whiteboard, documents or a computer screen in the background could reveal information that people outside of your company shouldn’t see. IT departments are not consistently aware of all cyber threats, so immediately report any security warnings from your internet security software.
If you are working remotely or traveling and plan on using public wireless Internet, alert your IT department beforehand. If your company offers a Virtual Private Network (VPN), be sure to connect to it over any other network.
Preventing Phishing Attacks
For one reason or another, people can easily be fooled when it comes to online interactions. It’s much easier to trick users, which is why phishing attacks are so widespread. There are countless potential consequences, and identity theft is among them. Even though hackers are constantly formulating new ways to get what they're after, there are some practices you can utilize to protect yourself and your organization:
- Spam filters can be used to protect against spam emails. Generally, spam filters evaluate the source of the message, the software used to send the message, and its image to determine if it’s spam. Periodically, spam filters will block emails from authentic sources, so the software isn’t always 100% accurate.
- Change your browser settings to prevent deceptive websites from opening. Browsers keep a list of fraudulent websites and will block those web addresses or show an alert message. The browser settings should only allow reliable websites to open.
- Most websites require users to enter login information with a user image displayed. These systems may be open to security attacks. To maintain security, change passwords on a consistent basis, never using the same password for multiple accounts. For added security, use a CAPTCHA system for website logins.
- Hover over the URL of all links before clicking them. Secure websites with a valid Secure Sockets Layer (SSL) certificate will always begin with “https”. In time, all sites will be required to have a valid SSL certificate.
- Banks and financial institutions use monitoring systems to prevent phishing. Individual employees can report phishing threats, then legal actions can be taken against the fraudulent websites. Provide your employees with security awareness training to recognize potential threats.
Spoofed emails sent by cybercriminals are disguised to appear to be sent by a business that offers services to the users. Most such businesses will not ask for personal information via email or threaten to suspend your account for any reason. Generally, banks and financial institutions will provide an account number or other personal details within the content of the email, which assures its source is reliable.
Employees are on the front lines of information security. Regularly educating employees about the modest things they can do to protect their devices can go a long way towards protecting your organization.