Phishing schemes send deceptive emails to businesses in an attempt to infect computers with malware. They succeed when an employee clicks a suspect link or attachment, or is tricked into giving up financial information.
When it comes to data security, phishing threats get less attention than more “active” malware attacks. That’s too bad, because today’s phishing schemes are deadlier than ever.
They’re so good that even tech experts get fooled.
A successful phishing attack could cost your company anywhere from thousands to millions of dollars. Protect your business: here are eight tactics to put in place.
Studies reveal that employees fall for phishing scams because they’re trained to always be “nice.” As a result, they comply with email requests from “clients” without question. Experts advise taking a suspicious approach to all emails: if a message “feels wrong, listen to your gut.” Train your employees to follow their instincts when it comes to suspect emails.
You should always carefully examine all email addresses and URLs. With phishing emails, they tend to be a bit “off.” The URL won’t match the directions given in the message, or it won’t be the real web address but a similar-looking one. The same is true of email addresses, company logos, watermarks, and signoffs. If you simply glance at this information, you may be fooled. If you take a closer look, you’ll realize it’s a counterfeit. Train employees on what to look for if they come across an unexpected email, and to always pay attention to the details.
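The checks an employee is asked to make by eye (does the visible link match where it really goes, is the sender’s domain the real one or a look-alike) can also be scripted for a mail gateway or an analyst’s triage tool. The script below is an added example, not code from the original article: the trusted-domain list, the sample sender address and the sample links are constructed, the confusable-character table is a small illustrative subset, and the two-label `registrable()` helper is a simplifying assumption (a real deployment would use a public-suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed sample: the domains this hypothetical company legitimately sends mail
# from and links to. A real deployment would load these from configuration.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Characters attackers commonly substitute for look-alikes (illustrative subset).
# Folding them lets "examp1e.com" and "exarnple.com" both collapse onto "example.com".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

# First host-like token in free text, e.g. the visible text of a link.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def normalize(host: str) -> str:
    """Lower-case, drop a leading www., and fold common confusable characters."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplifying assumption: no public-suffix list,
    so this is right for example.com but not for names under co.uk and similar."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a trusted domain one or two edits away is a classic look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if the registrable domain is on the list, 'lookalike' if it only
    matches after confusable folding or sits within two edits, else 'unknown'."""
    if registrable(host.lower()) in trusted:
        return "trusted"
    folded = registrable(normalize(host))
    if folded in trusted or any(edit_distance(folded, t) <= 2 for t in trusted):
        return "lookalike"
    return "unknown"


def host_in_text(text: str):
    """Hostname that the visible link text claims, or None if the text is just words."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else None


def inspect_message(from_addr: str, links, trusted=TRUSTED_DOMAINS):
    """Apply the 'look closely at addresses and URLs' advice to one message.

    links is a list of (visible_text, href) pairs as they appear in the mail body.
    Returns a list of (finding_kind, detail) tuples; an empty list means nothing odd.
    """
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1].strip(">").strip().lower()
    verdict = classify_domain(sender_domain, trusted)
    if verdict != "trusted":
        findings.append((f"sender-{verdict}", sender_domain))

    for visible, href in links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            findings.append(("link-unparseable", href))
            continue
        verdict = classify_domain(target, trusted)
        if verdict != "trusted":
            findings.append((f"link-{verdict}", target))
        shown = host_in_text(visible)
        # The text shows one site but the link goes elsewhere: the mismatch described above.
        if shown and registrable(normalize(shown)) != registrable(normalize(target)):
            findings.append(("link-mismatch", f"text shows {shown}, link goes to {target}"))
    return findings


if __name__ == "__main__":
    # Constructed sample message: look-alike sender plus a link whose text and target differ.
    sample_links = [("https://examplebank.com/login", "https://examplebank-secure.net/login")]
    for kind, detail in inspect_message("alerts@examp1e.com", sample_links):
        print(f"{kind}: {detail}")
```

The raw domain is checked against the trusted list before any folding, so a genuine domain that happens to contain “rn” or a digit is never reported as a look-alike; only a domain that becomes trusted after folding, or that is within two edits of one, is flagged. Run it on an exported message and the three finding kinds map directly onto the training points above: a look-alike sender, a link to an unknown domain, and link text that disagrees with its target.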
Phishing scams can be very subtle. Advanced phishing attempts may take over email clients to send messages from what appear to be very reputable sources. This is why it’s essential to stop and think before taking action—especially when money or sensitive information is involved.
Train your employees to examine the message. Is it unusual? Is it unexpected given what they know about the project or client? If they get a message that says, “Wire $5,000 right away for patent rights or we will lose this market,” this should raise warning bells: why didn’t this person make a call or explain this in person? Any email that focuses on a disaster or emergency like this should be treated as suspect immediately.
Don’t recognize who the email is from? Then don’t do anything. This policy protects employees from phishing emails that get through your spam filters. If the email is from an address they don’t recognize, they should ignore the message. If necessary, they should forward it to the appropriate account manager and ask if it’s legitimate. It’s always worth taking a little extra time to confirm messages, rather than falling for a phishing scheme.
It’s amazing how many people don’t do this, even with extraordinary requests. Successful phishing emails depend on you not calling the sender and asking what’s going on. Calling the sender can destroy the most careful phishing attempts. (At the highest level, phishing may include fake phone numbers or rerouting, but this is quite rare.)
To get around this, phishers may include a message that says, “I will be out of the office today, but this request requires your immediate attention. Please don’t try to contact me, just download the file, click the link, send the money, or (do some other stupid thing).” If you see a message like this, the first thing you and your employees should do is pick up the phone and call, especially when important data is involved.
Phishing schemes vary between industries (based on how much money can be conned out of particular businesses). Research the phishing schemes trending in your industry, and what warning signs to look for. A variety of services offer intelligence reports for this very purpose. You can also visit security zines and forums that focus on your industry. These are typically updated with the latest cyberattacks.
Eventually, companies reach a size where trusting employees to avoid phishing attacks becomes very difficult. It’s important to use strong firewalls and updated security filters to block access to any dangerous or illegitimate sites (the same goes for downloads, etc.). This is essential to mitigate damage once phishing emails are opened. Phishing scams can’t hurt your business if they can’t deliver malware.
Email authentication standards are improving all the time. They provide an excellent way for companies to stop spoofing attempts both to and from your organization. Basically, they let a receiving mail server verify that a message claiming to come from a domain was really authorized by that domain’s owner, which also makes it harder to spoof emails from your company. The current standard is DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on the SPF and DKIM checks. So, if your business is a target of phishing scams, look into adopting this standard for added protection.
An issue worth noting is that DMARC is relatively new and underused. It may not be compatible with all software and services. So, this is the time for a serious consultation with your IT experts to discuss implementing authentication. The process is highly effective, and worth your time.
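Adopting the standard in practice means publishing a DNS TXT record at `_dmarc.<yourdomain>`, and what that record says decides whether spoofed mail is merely reported to you or actually rejected by receivers. The checker below is an added example, not code from the original article: it parses such a record, applies the tag defaults from RFC 7489, and grades it. The two records are constructed samples for a hypothetical example.com, with the “monitoring only” form many organisations stop at beside an enforcing one.

```python
# Tag defaults from RFC 7489: pct defaults to 100, adkim/aspf default to relaxed ("r"),
# and sp (the subdomain policy) inherits p when absent.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}

# Constructed samples for a hypothetical example.com.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com")


def parse_dmarc(record: str) -> dict:
    """Split a _dmarc TXT record into a tag dictionary, applying RFC defaults.

    Raises ValueError for anything that is not a DMARC record (for example an SPF
    record that was published at the wrong name).
    """
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    if tags["p"].lower() not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("sp", tags["p"])  # subdomains inherit the main policy
    return tags


def is_dmarc(record: str) -> bool:
    """True if the record parses as DMARC, without raising."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess_dmarc(record: str):
    """Grade a record as 'monitoring', 'partial' or 'enforcing' and list what weakens it."""
    tags = parse_dmarc(record)
    policy, sub = tags["p"].lower(), tags["sp"].lower()
    pct = int(tags["pct"])
    findings = []
    if policy == "none":
        findings.append("p=none only reports; receivers still deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if sub == "none" and policy != "none":
        findings.append("sp=none leaves every subdomain unprotected")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you never see aggregate reports of abuse")
    for tag in ("adkim", "aspf"):
        if tags[tag].lower() != "s":
            findings.append(f"{tag}=r lets any subdomain align; use {tag}=s once your senders are known")
    if policy == "reject" and sub == "reject" and pct == 100:
        level = "enforcing"
    elif policy == "none":
        level = "monitoring"
    else:
        level = "partial"
    return level, findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        level, findings = assess_dmarc(record)
        print(f"{label}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

The usual rollout is to start with the weak form to collect reports, then move to `p=quarantine` and finally `p=reject` once the reports show that every legitimate sender (including third-party services that send on your behalf) passes SPF or DKIM with the right alignment; this is the compatibility work the paragraph above refers to, and the checker makes it visible which tags still hold a domain back from enforcement.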