That Smells Phishy
When most of us think about getting hacked, we think about some techie who can write impressive code launching an intricate attack on our company’s system. Although this kind of thing definitely happens, some of the most lethal forms of online attacks could be pulled off by just about anyone without a conscience. Phishing is a perfect example of this. Because phishing attacks take practically no real skill to pull off, they might be the most common type of attack your employees will come across. This is why you need to take steps toward ensuring your staff doesn’t fall victim to them.
What Is a Phishing Attack?
A phishing attack is a malicious tactic designed to steal someone’s identity. It is used against personal accounts, as well as the corporate kind. The latter is the most dangerous because the person deploying the attack has so much more to gain by a successful attempt. However, identity theft is never something to take lightly. People have had their money stolen and credit ruined because they fell victim to this kind of attack.
The goal of phishing is to trick someone into handing over their personal information. It has nothing to do with hacking in the literal sense. Instead, the attacker pretends to be someone the victim knows or otherwise poses as an authority figure.
For example, an attacker might acquire a domain that is similar to that of the company someone works for, then use an email address from that domain to pretend to be someone from IT who needs the person’s login information for an audit. If they’re successful, the attacker now has everything they need to cause serious problems. They can even use the victim’s email address to attack others.
Fortunately, there are some easy ways your employees can defend against these kinds of attacks, rendering them completely harmless.
Teach Your Staff about Phishing Attacks
This is where you need to start. Your employees have to understand that these attacks exist and what they look like. You must ingrain into their minds that just because they receive an email from someone they might know doesn’t mean they should hand over personal information. Any time they receive an email like this, train them to take a minute to ensure the sender is legitimate. A simple phone call could easily derail an attacker’s phishing attempt.
Contact IT When in Doubt
Along the same lines, you can always go to your IT department for help. For one thing, pretending to be from IT is one of the most preferred ways for a phishing attacker to get what they want. Once again, one phone call or an email could be enough to keep your company safe.
Sometimes, though, the attacker isn’t even asking for information. They’ll include a link in their email and instruct the receiver to click through for some made-up reason. Perhaps they’ll say it’s for a necessary software update or that a survey has to be filled out. Your IT department will know how to safely verify this type of link or tell if it’s fraudulent and should be avoided.
Set Standards for What to Expect
Be proactive with protection by letting your staff know what to expect from legitimate emails. For example, there’s no reason an employee should ever receive an email that asks for their password, social security number, etc. Once they know this kind of thing is never going to come from inside your company, they’ll also know not to pay that kind of message any mind.
The nice thing about working at a company is that you get used to the types of emails to expect. For the most part, employees will receive emails from other employees, vendors and recognized customers. Anything outside of that should be viewed with suspicion.
Don’t Always Trust Trusted Emails
As we mentioned earlier, a phishing attack is sometimes only just beginning when it gets its first victory. The attacker may then use the victim’s legitimate email account to get more information from others. A lot of damage can be done in a very short period of time this way, especially because even those who understand what phishing scams are may not suspect an email they genuinely know to be valid.
Once again, this is why you teach your staff what to look for. Even if someone knows Brenda from accounting, they have to know that she would never ask for someone’s personal information or send a link to a website outside the firewall.
Change Passwords Regularly
Someone could have been successful with their phishing attack and it would be weeks before you even knew it. Once they have accessed your email, for example, they may have plenty of information and wouldn’t want to give you a hint that something was wrong.
This is why you need your staff to change their passwords regularly. By doing so, even if someone does have access, it will be short-lived.
Phishing Attacks Can Come Over the Phone Too
Lastly, phishing attacks can work over the phone too. It’s easy to forget this when your caller ID gives you a legit number and the person on the other end seems to know what they’re talking about. Well, caller IDs can easily be manipulated and confidence is why they’re called conmen. Teach your staff to be just as suspicious about phone calls as they are about emails.
Phishing attacks are nothing to take lightly. They may seem too simple to take seriously, but there’s a reason malicious parties continue using them every year. If you’d like to put your staff to the test, try this fun game to ensure you’re not at risk.