Phishing is becoming a more apparent problem as time progresses. Maybe you've received these types of emails at work or via your personal email address. In this article, we hope to teach you why all employees should be skeptical of emails they recieve.
What is phishing again? Phishing is the fraudulent practice of sending emails that look like they're from reputable companies in order to try to convince an individual to reveal personal information (for example, passwords, credit card numbers, etc.)
In 2017, phishing accounted for 71% of all targeted cyber attacks. Even though this type of cyber attack is one of the oldest tricks in the book that a cyber criminal can use, it's still one of the easiest ways to get access into a company system. Most of the time, more experience cyber attackers launch a more sophisticated phishing campaign that very few people would be able to detect.
If the cyber attacker successfully phishes an employee, it could provide access to the organization's entire network of resources all over. Also, a successful phishing attack might even give access to the company's financial and intellectual property data.
According to ZDNet, “hackers are launching cyber-attacks against companies in the pharmaceutical sector more than any other, and campaigns against firms who make drugs have more than doubled in the last year.” It doesn't matter what industry your company is in, there are ways that you can keep yourself, your company, and your employees safe.
Train Employees To Be Skeptical
Being skeptical is a trait that IT professionals should build into the minds of any employees; so it becomes second nature to an individual's work ethic. This is due to changing habits that may be harmful to themselves and the organization, and once this happens, they will develop secure habits.
As a MSP, we like to remind all of our clients, and even our employees, that this is how you live and work. Each of us have forms of devices in our hands, pockets and bags; what we do in our personal life might have a negative effect on our work if we don't monitor our emails carefully. Both of our lives - personal and work - are connected by the variety of devices we use each day, and the way we look after our emails - personal and work - tend to be the same.
It's scary to think but, in the future it is going to become more difficult to detect the common clues that help to identify phishing emails. Once a cyber criminal is able to gain access to an individual's inbox, they learn more about the person. This includes the topics they like/are interested in, the accounts they have (ex, banking emails, online shopping accounts, etc.), as well as they people they communicate with. The attacker can then build phishing tactics that are hard to detect - unless this person is trained to be a skeptic. Cyber attackers can also begin to plan attacks in other networks as it becomes a lateral movement that is simple once they have access.
For those employees that have 10+ years of experience, it can be harder to convince them to change their habits to be more skeptical. This is probably due to the fact that smartphones aren't that much older than that and have only become a necessity in business in the last few years.
Change Behaviors, Not Just Minds
Becoming skeptical is both a shift in lifestyle and mindset; it also needs to be a conscious effort. The decision to become more skeptical should involve changing habits around consuming, accessing and exchanging information - including what people seek and how they get it.
When our techs speak to clients about this issue, we recommend 7 guidelines:
- Stay informed of new phishing techniques that cyber attackers are utilizing - our IT techs will help with this guideline.
- Understand what email address and domain an email comes from, as well and know that any email address can be spoofed.
- Before you or an employee clicks a link, make sure to hover over it to see the underlying link against its description to see if it makes sense.
- Make sure to pay attention to emails that require quick action and a big reward. Cyber attackers that target specific organizations may do so when they know a boss/owner will be inaccessible (ex, during a flight). They could access this information from social media.
- Be especially careful when you are asked to provide personal information anywhere online. Make sure to provide the absolute minimum information when using online services (for example, banking, online purchases, etc.).
- Use third-party tools to protect all passwords and logins. Also, use these tools to detect phishing sites. Make sure that your browsers are up to date as well.
- Ensure that your physical location where information is accessed is secure and safe - public locations aren't fully protected.
How Does Your Personal Life Factors In?
Make sure that you are extremely aware of your social media activity. Lots of information can be gathered via social media. Even when you make sure you're careful not to post much information, family members may be doing so for you by sharing details of family vacations or your regular weekly routines.
Cyber criminals can be very patient. They don't mind sitting in the background and learning about how organizations and individuals/families operate. For example, they could hack and spend time in your significant other's account to see the types of conversations you have. After doing so, they could reconstruct a similar email in the same language they use and include a link for you to click. This then gives the hacker access to a work account and move through the company they work at from there.
Employees that are internal should understand that the messages that come from outside the company domain are tagged as being external. IT technicians should make sure to set reminders for themselves to change the colour, font, or even the overall look of the external note every money. This was it isn't missed by employees - if this isn't changed, it could be disregarded.
Phishing attacks will always be present, plus they'll always get more difficult to realize as technology progresses. The best advice we can give is to never second-guess a decision that you make. Anything that comes into your inbox should not automatically considered safe. If the email doesn't make sense, be skeptical.
Hopefully this article has helped you on why it is important to be a skeptic and what you can do for your organization to be safer.
Zahreddine, Mohamad. (2019). Phishing: Why We Should Teach Employees To Be Skeptics. Retrieved January 17, 2019 from, https://www.forbes.com/sites/forbestechcouncil/2019/01/07/phishing-why-we-should-teach-employees-to-be-skeptics/#434239dc732a