In sport, there’s fishing and there’s catching, but in the world of phishing there is only catching. That is, catching unsuspecting individuals in a web of deceptive emails, gaining their trust and prompting them to give away private information.
What makes phishing so difficult to stop is that it is a crafty, low-tech scheme that relies on people’s trusting nature. Phishing is effective at individual identity theft and disastrous for companies. Whole networks and every device on the network are put at risk when company and customer data is stolen and compromised.
When it comes to defending against a company phishing attack, ultimately you are only as safe as your weakest link…your employees. However, with knowledge and vigilance you can reduce your chances of becoming prey to a phishing attack.
How Phishers Catch Their Prey
Phishing is not new; threats date back to the 1990s. But according to Verizon’s 2015 Data Breach Investigations Report, it’s been on the rise since 2011. The study found that even after years of warnings, 23% of recipients still open a phishing email and 11% open attachments.
Phishing is an attack designed to gain a person’s trust or create a sense of urgency. Many phishing emails appear to come from a trusted source, such as Facebook, Amazon or PayPal, and include links to pages that mimic the authentic sites. Others seem to come from friends and acquaintances. And the subject lines and text are very compelling:
“Your password is compromised and requires an immediate update.”
“Urgent, verify your account information now.”
“Have you seen this?”
When someone clicks the link in the email, either malware is automatically downloaded to the user’s device (or worse to the company network), or the user is instructed to share critical information (account numbers, passwords, even credit card numbers). In the seconds it takes to click and share, the damage is done.
Today, phishing attacks are becoming more sophisticated. Some take the form of campaigns designed to draw in recipients…slowly…efficiently…and surely. Spear phishing is the next generation: rather than sending out an email blast and hoping for results, spear phishing is highly targeted and designed to gain access to a specific company and its sensitive data.
Phishing Protection for Your Business
While the low-tech nature of phishing is challenging, you can take steps to defend your company.
- Educate Your Employees: Train every employee to be suspicious and, when in doubt, don’t. Warn them to NEVER:
  - Click links or download an attachment unless they are certain of the source.
  - Respond to pop-up screens or redirects to websites that ask for information.
  - Share personal or company information.
- Create a Company Policy: For example, limit access to critical customer data and credit card numbers. Require employees to change passwords every 60 days or so.
- Encrypt Sensitive Data: Install encryption software so that if emails or customer information is compromised, it’s useless without the key.
- Protect Your On-Premises Systems: Installing spam filters, anti-virus, anti-spyware, and firewalls is not fail-safe. However, these precautions can help reduce the number of phishing emails that get through to associates, minimizing the impact of malware downloaded to the network.
- Monitor Your Accounts: Because phishing is a silent threat, you need to check your systems and accounts regularly for any irregular activity.
- Update Software Regularly: As new threats are born, software companies issue updates and patches. It’s important to keep your browser, security and application software current.
- Use Secure Communications Protocols: When you need to submit credit card and account information online, look for https: on the browser address line. This indicates the website uses Hypertext Transfer Protocol over Secure Sockets Layer (SSL, since superseded by TLS) to encrypt the data being sent. Keep in mind that https: only means the connection is encrypted; it says nothing about who runs the site, so check that the domain name is the one you expect as well.
- Install Google’s Password Alert: To help prevent phishing on your Gmail and Google for Work accounts, Google developed a Chrome browser extension called Password Alert. Google estimates that 2 percent of all emails to Gmail are phishing attempts, and the extension works to detect fake Google sign-in pages. If you do enter your Gmail password anywhere other than accounts.google.com, Google alerts you to change your password.
- Store Critical Data Off-Site: When you use cloud-based services, such as NetEffect, ask about the network security protocols. Companies like NetEffect employ the latest hardware and software to help protect your critical information.
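The "Educate Your Employees" and "Protect Your On-Premises Systems" points both come down to one question: does a link really go where it claims to? The following script is an added example, not code from the original post or from NetEffect. It scans the HTML body of an email and flags the three patterns the text describes: visible link text that names one site while the underlying address goes to another, a trusted brand name used on a domain the brand does not own, and a link that points at a bare IP address. The brand table, the sample email and the domain trimming rule are constructed for the demo (a real filter would use the public suffix list instead of "last two labels").

```python
"""Flag suspicious links in an HTML email body (added, defender-side example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed for this example: brand keyword -> domains that legitimately host it.
TRUSTED_BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "google": {"google.com", "accounts.google.com"},
}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host: str) -> bool:
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons one link looks suspicious; an empty list means nothing was found."""
    reasons = []
    href_host = (urlparse(href).hostname or "").lower()
    if not href_host:
        return reasons  # mailto:, anchors and relative links are out of scope here
    if is_ip(href_host):
        return ["link target is a bare IP address"]
    # 1. Visible text that itself looks like a URL but resolves to a different site.
    if "." in text and " " not in text:
        text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"visible text says {text_host} but link goes to {href_host}")
    # 2. A trusted brand is named in the host or the text, but the domain is not the brand's.
    for brand, domains in TRUSTED_BRANDS.items():
        mentioned = brand in href_host or brand in text.lower()
        owned = {registrable_domain(d) for d in domains}
        if mentioned and registrable_domain(href_host) not in owned:
            reasons.append(f"mentions {brand} but domain is {registrable_domain(href_host)}")
    return reasons


def scan_email(html_body: str) -> dict:
    """Map each suspicious href in the body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message; the hosts are documentation/example names, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your account is limited. <a href="http://paypal-secure.example.net/login">https://www.paypal.com/login</a></p>
<p>Track your order: <a href="http://192.0.2.10/track">Track order</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">PayPal help</a></p>
"""

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link)
        for reason in why:
            print("   -", reason)
```

Only the first two links are reported; the third goes to the brand's own domain and passes. The same checks are what a user is asked to do by hand when told to hover over a link before clicking, which is why they make a useful teaching aid in awareness training as well as a pre-filter in front of a mail gateway.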
When criminals go phishing, you don’t want to get caught.