Cybercriminals are everywhere, and they are constantly trying innovative and malicious ways to get around your small business’ cyber defenses. One of the most widespread and insidious methods hackers use to penetrate your defenses is known as phishing, where an unsuspecting employee is duped into responding to what appears to be an intriguing email link or a legitimate email from a superior or colleague.
In this blog post, we will describe what phishing is with some common examples and provide some tips on how to best defend your organization from these attacks.
What is Phishing?
Phishing is a malicious attempt to obtain financial or confidential information from companies or individuals, typically by sending an email that appears to be from a legitimate source. The bad guys pose as trusted sources and try to “fish (phish)” for sensitive information from unsuspecting employees.
Common Phishing Examples
Common phishing examples include emails or web links offering enticing contests, prizes, or story links that users will be tempted to click on. When they make the mistake of clicking the link, they end up providing the cybercriminal with access to the company network.
Another more devious phishing example is what is known as Boss Phishing, where hackers use a simulated email request from a boss or other authority figure, such as a CEO or CFO. These emails appear legitimate at first glance with the proper email address, name, and title, which lulls the employee into a false sense of security. Cybercriminals accomplish this by finding a treasure trove of personal information about company officers and employees, including titles and email addresses, on sites such as LinkedIn and social media sources, which makes the email message seem authentic. However, the email is actually being sent by a cybercriminal who has either spoofed or forged the boss’s email or has hacked into the email account and taken temporary control over it.
One recent successful boss phishing attack involves the “boss” politely asking for the personal W-2 information for all the company’s employees. In other common variants, the “boss” will ask an employee to provide sensitive client information or ask them to transfer company funds to a “vendor” or other supposed trusted account.
Simple Steps to Protect Your Company
We have listed below some simple steps companies and individuals can take to defend against phishing and other sophisticated cyberattacks.
- Have a strict internet and email usage policy for employees.
- Carefully review any email request by checking for typos, awkward language, or any other characteristics that indicate it might not be from the purported sender. For example, one of the most recent Boss Phishing email messages began with “Kindly send me the individual 2018 W-2 …” This polite, awkward phrasing sounds strange, but many employees still responded with the sensitive information.
- Never reply directly to a suspicious email but rather create a new message and type in the official email address.
- Avoid clicking on any links in emails. Any of these links could send you to a site controlled by a cybercriminal or enable them to gain access to your network. If you want to explore a site, type the website address into a new browser window yourself.
- Be particularly vigilant about any requests for sensitive information during tax time or other periods of high stress for financial and accounting staff, when these employees may be more psychologically vulnerable to phishing scams.
- Company management needs to train staff on these and other simple and proven cybersecurity steps and should remind employees frequently to be aware of new scams.
- Management should announce the latest scams they learn about with detailed descriptions. They should also encourage employees to share any scamming attempts they encounter with the company.
- Limit the number of employees who have access to sensitive company or client information.
- Most importantly, to avoid falling victim to this or any other phishing scam, employees should always verify any sensitive request personally with the boss or other authority figure through a separate channel, such as the telephone or an internal company chat system. This step confirms that the request is legitimate and also covers the case where a cybercriminal has hacked into the boss’s email account, since a forged message cannot answer a phone call.
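Several of the checks above (does the sender's address really belong to the named boss, is the domain a look-alike, would replies go somewhere else, does the request ask for W-2s or a funds transfer in stilted language) can be run automatically over incoming mail before it reaches the payroll inbox. The script below is an added example, not code from the original post or from Network Depot; the company domain, the executive directory, and the two sample messages are constructed for illustration. It flags a message so that staff know to verify it out of band, which is the step the list ends on.

```python
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Constructed values for a fictional company; these are assumptions for the
# example, not details from the original post.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {  # lower-cased display name -> the executive's real address
    "jane doe": "jane.doe@example.com",  # CEO
    "john roe": "john.roe@example.com",  # CFO
}
# Phrases that signal a request for sensitive data or money (W-2 and fund
# transfers come from the post; the rest are constructed additions).
SENSITIVE_TERMS = ("w-2", "wire transfer", "transfer funds", "gift card",
                   "bank account", "payroll data")
# Stilted phrasing of the kind the post quotes ("Kindly send me ...").
AWKWARD_TERMS = ("kindly", "do the needful", "revert back")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list[tuple[str, str]]:
    """Return (tag, detail) findings for one raw RFC 5322 message.

    An empty list means none of the boss-phishing heuristics fired.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Check 1: display name of a known executive, but not their real address.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(("EXEC_NAME_MISMATCH",
                         f"'{from_name}' expected at {known}, got {from_addr}"))

    # Check 2: sender domain is a near-miss of the company domain (a swapped
    # or substituted letter), which is how a forged boss address often looks.
    dist = edit_distance(from_domain, COMPANY_DOMAIN)
    if 0 < dist <= 2:
        findings.append(("LOOKALIKE_DOMAIN",
                         f"{from_domain} is {dist} edit(s) from {COMPANY_DOMAIN}"))

    # Check 3: replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("REPLY_TO_MISMATCH",
                         f"Reply-To {reply_addr} differs from From {from_addr}"))

    # Check 4: the request asks for sensitive data or money, or uses the
    # stilted phrasing the post warns about. Subject and body are searched.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append(("SENSITIVE_REQUEST", ", ".join(hits)))
    hits = [t for t in AWKWARD_TERMS if t in text]
    if hits:
        findings.append(("AWKWARD_PHRASING", ", ".join(hits)))
    return findings


def needs_out_of_band_verification(raw: str) -> bool:
    """True when the request should be confirmed by phone or chat before acting."""
    return bool(analyze_message(raw))


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: payroll@example.com
Subject: Employee W-2s

Kindly send me the individual 2018 W-2 forms for all employees as PDF.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: team@example.com
Subject: Lunch on Friday

Team lunch is at noon on Friday. See you there.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze_message(sample))
```

The findings are deliberately coarse: a single hit is enough to route the message for the phone-call verification described in the last bullet, and the tags tell the recipient which of the warning signs from this list applied. The look-alike check uses a small edit distance rather than an exact match because a forged domain is typically one character away from the real one.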
Test and Train Your Employees with Simulated Phishing Attempts
In addition to these important tips, we strongly recommend that your company take advantage of a program similar to that offered under Network Depot’s Security Suite 2020 Initiative, which will test your employees’ responses to simulated phishing attempts. This valuable service will send a series of enticing phishing emails to your company’s employees to discover who will click on the bait. This tool will quickly determine which employees are most susceptible to deception as well as which types of phishing emails are most effective with your staff.
In addition to this comprehensive testing, this type of service will also offer a variety of videos, articles, exercises, and other training tools that will educate and drill your employees on how to avoid being a victim of phishing and other cyberattacks.
Talk with your IT Support Partner
The most important piece of advice we can give concerning cybersecurity and other IT issues is to always consult with a trusted IT Support partner like Network Depot. These experts have encountered all types of determined efforts to breach their clients’ networks and are used to seeing cybercriminals continually adapt their methods. Your IT Support partner will make sure to keep you briefed on the latest scams and will take all the right steps to keep your data safe.
By taking straightforward precautions, testing and training your employees, and consulting with your reliable IT Support Partner, your organization will be able to effectively protect itself against phishing and other cyberattacks and keep your focus on achieving your unique goals.