As we continue to work remotely and rely on email communications, phishing scams continue to become more sophisticated. Even to the trained eye, they are more challenging to identify.
These scams have been making headlines because they are crippling to businesses. No business, large or small, and no industry, government or retailer, is safe.
Compromises tied to ransomware and cryptocurrency-motivated attackers are happening every day. A common scenario: you have 20 employees; one of them gets an email from what appears to be a known contact. Even worse, in some cases it looks like it came from your own CEO. They click on the message, read it, open the attachment or click the link included, and BAM! A cyber-criminal has been released into your company network, with access to take over.
You have no idea that an employee just fell victim to the scam. All of a sudden, you have customers calling your personal cell phone to ask about this phishing message you just sent. Confused about how they reached your cell and not your office phone, you log in to check your sent items, only to discover thousands of messages have been sent. Employees crowd your office, concerned that they can’t access anything. Files are locked, the phone system is down, productivity is at a halt, and panic sweeps over you.
The nightmare has just begun: these criminals want you to pay a fee for your files and all electronic assets. Now you are given a ransom amount to get your data back (if you even get it back). Then you have to call the local authorities, pay a certified IT company to clean up your entire network, and train your employees to prevent this from occurring again.
Not only did you take a financial hit, but they also sent that same message to all your email contacts, targeting more victims and forcing you to scramble to manage and protect your reputation.
How do you prevent this? It is very important to discuss, train, and implement an ongoing program in your organization to prevent this nightmare scenario from happening in the first place. A simple policy of having a message on all external emails warning users not to click on the links can go a long way.
As our businesses rely heavily on technologies and web facing communications, it is a corporate responsibility to prevent vulnerabilities in our everyday use. Companywide education, managing corporate security policies, and enforcing those policies are required to protect essential assets in today’s tech environment.
Understanding Scammers’ Goals:
- Collect personal or business information to exploit data for money.
- Deliver malware or ransomware to your device(s) to encrypt or destroy data.
- Impersonate a trusted contact to steal login information.
How to spot phishing emails?
- Sender’s name is vague, or the email address doesn’t truly match the contact.
- For example: Tech Department at firstname.lastname@example.org. This is not a real email address, but it looks like one if you are not paying attention.
- Email subject line is an attention grabber or call to action.
- An offer or discount is given but only if you click on the link/button/etc.
- The email requests personal information, banking information or login information.
- The email urges you to click on a link or attachment to proceed.
- If you hover over a link (before you click it) and the URL doesn’t match the link’s description, it may be leading you to a phishing site.
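Two of the indicators above (a sender whose display name is a known contact but whose address does not match, and a link whose visible text names a different host than the one it actually points to) can be checked automatically on inbound mail. The following is an added example written for this page, not code from ISOCNET; the contact directory and the sample message are constructed, and the addresses in them are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory of known contacts: display name -> address on file
# (hypothetical values; a real deployment would load the address book).
KNOWN_CONTACTS = {"tech department": "techdept@example.org"}

# Visible link text that looks like a URL or a bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(value):
    """Lowercase host of a URL or bare domain; '' if the value is not URL-like."""
    value = value.strip()
    if not URL_LIKE.match(value):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the indicators found in one RFC 822 message: a known display
    name with an unexpected address, and links whose text hides their host."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"sender mismatch: '{display}' is on file as {expected}, not {addr}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR.findall(body):
        shown, target = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and target and shown != target:
            findings.append(f"link shows {shown} but points to {target}")
    return findings


# Constructed sample message (not a real phishing email) exercising both checks.
SAMPLE = """From: Tech Department <tech.department@example.net>
To: employee@example.org
Subject: Action required: verify your mailbox today
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://login.example.net/reset">https://portal.example.org/reset</a> within 24 hours.</p>
"""
```

Running `phishing_indicators(SAMPLE)` returns both findings; a message from the address on file whose link text and href agree returns an empty list.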
Remember, all it takes is for you or another employee to click on the link or attachment, enter information, and/or fall for a fake corporate email address, signature or branded message. It may seem innocent enough, but it can impact your business for weeks, months, maybe even years.
What can you do to avoid being phished?
- No reputable company will ever ask you to provide your personal or business data via email, or over the phone. They will want to verify your identity in other safe ways.
- Set up multi-factor authentication for all your accounts, so that you are forced to verify it is you using your login.
- Do not visit websites you do not know, or that are not set up to use https:// and show a lock in front of the URL.
- If Google/Chrome flags a site as compromised, do not visit it.
- Do not reply to messages from people you do not know.
- Look closely at the sender’s email address.
- Do not open attachments or click on links from unexpected or unplanned emails.
- When in doubt, call the business, using the main phone number on their website and verify that they contacted you per the email you have. Do not use the contact info in the email itself.
For helpful information:
- Learn more from the FTC on how to identify and respond to phishing emails.
- Learn more from Avast on how to protect against an email hack.
- Learn more from Google on how to address phishing on Gmail.
IMPORTANT!: Anti-Virus and Anti-Malware – There has never been a more important time to make sure that you have these software fortresses updated on your devices. Yes, devices: you should have anti-virus on your computer, phone, tablet, etc. There are several options available; research them and choose the best option for your needs. Here are the best in 2020, per PC World (includes reviews).
If you need more information, help with training, or if this unfortunate situation takes place in your business, please contact ISOCNET so we can assist you.