How To Protect Your Company from Phishing Scams

As the world relies more and more on digital technologies, the need to protect your personal and business data becomes more and more crucial.  Criminals have become increasingly sophisticated in their methods of attacking your online accounts and data, so it’s vital to stay up to date on how to combat these schemes.

One of the most common methods that criminals and scammers will use to gain access to your data is through a process called ‘phishing’.

What is ‘phishing’?

A phishing scam is where the criminal will pose as an innocent or reputable entity in order to fraudulently gain access to your information, including:

  • Name and dates of birth

  • Social security numbers

  • Bank information (including account and routing numbers, PINs, etc)

  • Credit card numbers

  • Login information and passwords

  • Remote access information for your personal computer

There are several examples of phishing across multiple angles of attack, and this article cannot possibly be all-inclusive.  When in doubt, do some digging to make sure the request is legitimate, and contact your IT support staff if you’re unsure.

Examples of phishing attempts include:

  • Pop-up messages claiming your computer is infected with a virus.  This usually leads to a page containing a software ‘fix’ that is either a) malware or b) still bogus, but requires a payment to receive.

  • Phone calls from companies insisting something is wrong with your network. Scammers will typically request remote access to your systems.

  • Emails claiming to be from your bank requesting that you ‘verify’ account or login information. These emails can contain graphics and branding that look legitimate, but the links lead to unusual or unexpected websites: the visible link text may show your bank’s name or web address while the actual destination is a look-alike address.  Hover over a link (without clicking) to see where it really goes, and when in doubt type your bank’s address into the browser yourself rather than following the link in the email.

  • Phone calls claiming to be from law enforcement, asking for money to bail out a loved one from jail, or claiming the IRS has filed suit against you for back taxes.  NOTE: The IRS will never call you in this fashion.

  • Emails from a loved one or known acquaintance (whose email has been compromised) directing you to unknown websites or requesting information.
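The ‘links lead somewhere unexpected’ pattern in the bank email example above can be checked mechanically, and doing so shows what ‘look where the link really goes’ means in practice.  The following is an added example, not part of the original article: it parses a constructed HTML email body and flags any link whose visible text names one site while the address points at another, or whose address uses tricks such as a user@host prefix or a raw IP address.  The domains bank.example, 203.0.113.9 and *.test are reserved documentation names, and the trusted-domain list is a hypothetical setting for an organisation whose bank is bank.example.

```python
"""Flag deceptive links in an HTML email body.

Added example, not from the original article. It checks the property the
text describes: the link text says one place, the link goes somewhere else.
The email body and the domains in it are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical setting: the domain your organisation's bank really uses.
TRUSTED_DOMAINS = {"bank.example"}

# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means it looks fine."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("https", "http") or not host:
        return [f"unusual link target: {href!r}"]
    if parsed.scheme == "http":
        reasons.append("plain http, not https")
    if parsed.username is not None:
        # https://bank.example@203.0.113.9/ : the real host is 203.0.113.9
        reasons.append(f"'{parsed.username}@' hides the real host {host}")
    if re.fullmatch(r"[0-9.]+", host):
        reasons.append(f"raw IP address as host: {host}")
    # Does the visible text name a site other than the one the link goes to?
    for shown in DOMAIN_RE.findall(text):
        if not _same_site(host, shown.lower()):
            reasons.append(f"text shows {shown} but link goes to {host}")
    # A mail that claims to be from the bank should only link to the bank.
    if not any(_same_site(host, d) for d in TRUSTED_DOMAINS):
        reasons.append(f"host {host} is not a trusted domain")
    return reasons


def scan_email(html_body):
    """Return [(href, text, reasons)] for every suspicious link in the body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: two deceptive links and one genuine one.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please <a href="https://bank.example.verify-login.test/acct">verify your account</a>.</p>
<p>Or visit <a href="https://bank.example@203.0.113.9/">www.bank.example</a> directly.</p>
<p>Help is available at <a href="https://help.bank.example/faq">help.bank.example</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The first link is the classic trick of putting the real bank name at the front of a completely different domain; the second uses the user@host form so the address starts with the bank’s name but resolves to an unrelated IP; the third is a genuine subdomain of the bank and is left alone.  The same check is what a mail gateway or a browser’s hover tooltip is doing for you.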

The bottom line is this:  The scammer will pose as a legitimate entity or authority and request sensitive information, so always be sure you give information ONLY to trusted sources.

Social engineering

So why do phishing scams work?

These days, data encryption is extremely secure: brute-forcing a modern encryption key is not a matter of months or years but is computationally infeasible with any equipment a scammer could obtain, so attacking the cryptography itself is simply not worth their time.

The weak link in any digital security system is the user: in other words, you.  Scammers will attempt to prey upon personal tendencies and behaviors to gain access to vital information.  Below are a few examples of social engineering avenues of attack.

  • Passwords - A long, truly random password is effectively impossible to guess with generally available equipment… but few passwords are truly random.  Most users will (against the advice of their IT staff) use common words and phrases as passwords, and reuse the same password across several accounts, so one leaked password opens all of them.

    Birthdays, pet names, street addresses, etc. are all easy to remember, yet any scammer who does a bit of digging (especially if your social media accounts are open to the public) may be able to guess these passwords without much effort.  The same facts are often the answers to the ‘security questions’ used for password resets, which is another reason to keep them off public profiles.

  • Helpfulness - Most people in a professional setting, when confronted by a person in distress, will feel inclined to do what they can to help.  While this is a good and noble thing, make sure the person you’re talking with is authorized to view or obtain sensitive information.  

    Many scammers (especially when targeting larger companies, where nobody knows every colleague by voice or face) may pose as a fellow employee or supervisor, using feelings of camaraderie or the desire to please one’s boss to request sensitive materials.  Scammers may also send a ‘sob story’ as to why they need assistance, in order to prey upon an emotional response.

  • Fear - At the end of the day, the scammers are criminals who aren’t above using fear and intimidation to attempt to scare information out of their victims.  Fear tactics can range from suggestions that your data security has been breached (as in fake malware-infection pop-ups) to posing as law enforcement threatening legal action.  

    The goal is simple: most people will not be thinking clearly when put under such a stressful situation and will readily do what it takes to make the problem go away.  The scammer is counting on this - it is crucial to maintain a clear head and think things through in order to avoid giving away sensitive information. If a caller is insistent that the issue be addressed immediately, without giving you a chance to think or consult an expert, this is an excellent indicator that the call is a scam.

What to do

Overall this all may seem a bit intimidating.  But remember that in most cases a criminal’s best line of attack is through you and your employees, not through your systems themselves.  There are a number of simple steps that can be taken which can mitigate this threat.

  • Set strong passwords - There are plenty of ways to create secure passwords that are also easy to remember; a passphrase of four or more unrelated words is one.  Length is what matters most: a long passphrase is far harder to guess than a short password dressed up with a few numbers and symbols, although a mix of upper- and lower-case letters, numbers, and special characters (such as #, @, %, (, etc) does no harm.  Just as important, use a different password for every account, so that a password leaked from one site cannot be tried against your email or bank.  A password manager makes this practical by generating and remembering a long random password for each site.

  • Be cautious - You may want to do whatever it takes to help someone out, or to make a process go smoothly.  However, it is vital that you ensure anyone who receives your information is trustworthy.  It is worth your while to verify someone’s identity and authorization to receive sensitive material before handing anything over, and to do so through a phone number or address you already have on file, not one supplied in the message or by the caller, since a scammer will happily ‘confirm’ their own identity.

  • Slow down and think things through - If you happen to be confronted with a phone call, email, or other unexpected issue that demands your immediate attention, do not act rashly.  Scammers rely on immediate emotional feelings of pity, fear, and anxiety to trick you into making bad decisions. If you show reluctance or insist on taking time to make decisions, oftentimes this will cause the scammer to give up on you and go after other, more vulnerable prey.

  • Consult trusted experts - In the case of a supposed systems security breach or email issue, contact your trusted IT staff to help.  They will be able to help verify whether the issue is real or not, and to take the necessary steps.  If a communication allegedly comes from a co-worker or supervisor, ask them directly, in person or through a channel you already use, rather than by replying to the message itself.  In cases of blatant intimidation or threats, law enforcement may need to get involved.

  • Enable two-factor authentication - As an additional security step, we also recommend two-factor authentication for any critical logins such as company email.  Two-factor authentication adds an extra level of security by requiring a second code or confirmation on login, in addition to the password.  Most often this is a short code sent by text message or generated by an authenticator app on a smartphone.  This means that, even if a scammer does obtain your email password, they cannot log in without also having the second device.  One caveat: a phishing page can ask you for the one-time code as well and pass it to the real site within the minute or so it is valid, so never type a code into a page you reached from a link in a message.  An authenticator app is better than text messages (which can be intercepted or redirected), and a hardware security key or passkey, which only works with the genuine website, is best.

Phishing and cybersecurity are deep topics which are difficult to cover in the space of one article.  Fortunately, several technical and security sites regularly explain and update their guidelines as the methods of these attacks evolve.  For more information on how to protect yourself from these threats, check out the guidance pages from Norton, ZDNet, and Phishing.org.  For a deeper look into the mechanics of social engineering, CSOOnline has a good article on the subject.  As always, drop us a line if you have any questions specific to your facility’s needs.