Phishing happens every day: employees take the bait and unknowingly hand access or sensitive data to people who want to harm your business. Your sophisticated security measures don't stand a chance when an employee clicks a malicious link they believe came from a friend or client and ends up giving away the keys to the business. Cyber criminals are phishing your employees right now, today, at this moment, and here we offer some insight that we hope makes you more aware and less likely to take the bait.
Good Cybersecurity Doesn't Guarantee You're Protected
Companies spend millions of dollars on cyber security and buy an array of security products, but unless you pay attention to the human element you are missing the boat. We humans are the weak link in the infosec chain, and attackers know it.
In the context of IT security, social engineering refers to an attacker's deliberate attempts to get people to act in ways they normally would not, ultimately giving up access or sensitive information. Everything from PII (personally identifiable information) such as birthdates, to credit card numbers, usernames and passwords, to proprietary company information is sought after. A favorite technique for harvesting this information is phishing.
Phishing Explained
Phishing has been around since the mid-1990s. It is still a preferred method because it is cheap, easy to use, and it works. Phishing kits, complete with mailing lists, can be purchased on the dark web. Although text messages (smishing) and phone calls (vishing) are also used, the most popular vector, or delivery vehicle, for a phishing attack is email.
phish·ing ˈfiSHiNG noun | "the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers."
A classic example of phishing is a bogus email that appears to come from a major bank and asks the user to click a link. The link leads to a cloned copy of the bank's login page, the user enters a username and password, and the attacker now has those credentials and access to the account. Phishing is also used to deliver malware such as ransomware by the same means: prompting users to click links to seemingly safe websites, or to open attachments, in messages that appear to come from friends or institutions.
Phishing Protection for Your Business
Since we humans are the target of these phishing attacks, wouldn't it be great if we could spot these malicious emails? Common sense goes a long way: many phishing emails create a sense of urgency and pressure the reader to click a link or act immediately, and that pressure is itself a warning sign.
- Emails from unknown senders with poor grammar and misspelled content are a giveaway, though well-crafted phishing emails exist, so a clean message is not proof of a safe one.
- Monitor your brand with Google Alerts so that you receive an email when your company name shows up online, catching mentions (including impersonation) you might otherwise miss.
- Look for social media accounts impersonating your brand with simple searches.
- Implement strong anti-spam and email filtering, and publish SPF, DKIM and DMARC records so that mail spoofing your own domain can be rejected.
- Train employees, and protect the organization, by performing regular phishing tests.
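As an added example (not part of the original article), here is a small Python checker that applies several of the common-sense indicators above to a raw email: a Reply-To address whose domain does not match the sender, urgency language in the subject and body, links whose visible text names one site while the href goes somewhere else (the cloned-login-page trick), and links that point at a bare IP address. The two sample messages are constructed for this illustration using reserved example domains and a documentation IP address; the keyword list and the two-hit threshold are assumptions, not any vendor's rules. A grammar or spelling check is deliberately left out since it needs a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for illustration only: the addresses, domains and IP are
# reserved/documentation values, not a real bank or a real campaign.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: recover@mailbox-example.net
To: employee@corp.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, we detected unusual activity. You must verify your identity
immediately or your account will be locked.</p>
<p><a href="http://198.51.100.23/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

# A benign message with the same structure, to show the checks stay quiet on it.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: employee@corp.example
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>This month's tips are on the intranet:
<a href="https://intranet.corp.example/news">intranet.corp.example/news</a></p></body></html>
"""

# Assumed pressure words; tune for your own mail stream.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "24 hours", "verify")


class BodyParser(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or the domain part of an email address, lowercased."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value  # anchor text such as "www.bank.com/login"
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_host = host_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and host_of(reply_addr) != from_host:
        findings.append(f"Reply-To domain {host_of(reply_addr)!r} differs from From domain {from_host!r}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = BodyParser()
    parser.feed(body)
    visible = (msg.get("Subject", "") + " " + "".join(parser.text)).lower()
    hits = [w for w in URGENCY_WORDS if w in visible]
    if len(hits) >= 2:
        findings.append(f"Urgency language: {', '.join(hits)}")

    for href, anchor in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"Link points at a bare IP address: {href}")
        # Anchor text that looks like a URL but names a different host than the
        # real destination is the classic cloned-login-page trick.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", anchor.lower()):
            shown = host_of(anchor)
            if shown and shown != target:
                findings.append(f"Link text shows {shown!r} but goes to {target!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run it directly to see the flags for each sample. Heuristics like these are a triage aid for a mail gateway or a user-reporting workflow, not a substitute for filtering and training; attackers avoid obvious tells, so treat an empty result as "no indicators found", never as "safe".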
These phishing tests may be the most effective measure of all. Run internally, they identify which employees would most likely put the company at risk in a real attack and train everyone at the same time. Tests can be fun while improving the company's security posture: competitions among employees, with gift cards for those who spot and report the most phishing emails and extra training for those who need it most, are a great way to train and protect at once.
About the Author
Ron Lenox is a veteran of the cybersecurity field and an advocate for protecting business clients' networks and information assets. Ron enjoys traveling, college sports and various outdoor activities with family and friends. Wildlife photography is a special passion of Ron's when he is not busy preparing a great steak on the grill.