Too many businesses are making headlines for all the wrong reasons. Data breaches are on the rise. Every week it seems as though another organization is announcing that its systems have been compromised and its customers’ sensitive information is at risk. All too often, these data breaches are caused by an employee falling prey to a phishing scam.
Historically, the largest IT security concerns were attacks from the outside. These days, though, hackers are turning to employees to open the door to a business’ network and important data through both simple and sophisticated phishing scams. In fact, Verizon’s 2019 Data Breach Investigations Report found that 32% of data breaches involved phishing.
What does a phishing email scam look like?
Cybercriminals use phishing emails to gain access to sensitive data or a business network by targeting employees.
Phishing emails often appear to be from an authentic source. A familiar display name, such as a business or colleague, may mask a fraudulent email address. The email message may convey urgency or importance to pressure the recipient to act quickly without taking the time to examine the credibility of the email itself. The following are all possible signs of a scam:
Unfamiliar email domain
Lack of salutations
Suspicious link or attachment
A new type of phishing emails is also on the rise. Unlike traditional phishing emails, which are sent in mass to a group of people and lack personalization, spear-phishing emails are personalized attacks on a single recipient. This type of phishing email appears to be a friend, associate, or boss and personally addresses the recipient with a message that contains information that presumably only this person would know or request. What employees don’t realize, though, is that social media and internet profiles often give hackers access to this information about them.
How does a phishing scam work?
There are two main ways phishing scams attempt to breach data.
1. Information Collection – phishing email includes a link to a spoofed website that requests the recipient to share personal or confidential information, such as passwords or financial details.
2. Downloadable Malware – phishing email includes an attachment or link, which installs malware onto the user’s device when downloaded. This malware can go unnoticed for months before the hacker carries out their malicious intent or they may immediately take over the system and demand a ransom for restoration.
A common phishing scam appears to come from a financial institution and requests the recipient verifies their banking information due to a recent change. The hackers can then use this information to take money directly from the business.
In a recent scam, phishing emails impersonating the Kentucky State Attorney’s office warned victims that they had 10 days to file a rebuttal. Once the recipient clicked the link in the email, a virus is downloaded which disables the device and demands money to restore it. Attorney General Andy Beshear warned Kentucky residents and businesses that this email was not from the Kentucky Office of the Attorney General and any suspicious emails should be reported to avoid data and financial loss.
How to reduce the risk of a phishing scam on your business
The key defense against phishing is employee education. It is important that your employees are educated on how hackers approach them and how to avoid falling prey through phishing, malware, social engineering, or bad surfing habits.
Simply having policies on data sharing and password management are not enough to protect your business. Employees should be active participants in protecting your business on the front lines – their inboxes. The following are just some of the steps your employees should take to avoid falling prey to a phishing scam:
Even if the email seems urgent or important, take time to verify that the “From” email address is legitimate and trustworthy. Also review the message for grammar mistakes or typos, which can be a common sign of a phishing attack.
Use your common sense. If something seems too good to be true, such as “winning a prize,” or out of the ordinary, such as your bank asking you to verify information unexpectedly, then chances are it’s a scam. Trust your gut, if a link or attachment seems suspicious it’s better to verify their legitimacy before clicking or downloading.
If you think you’ve received a phishing email, always report it to a supervisor or IT. If the suspicious email appears to be from a business vendor or financial institution, contact them through your normal means of communication to verify the request.
At ABS, we specialize in training your employees to recognize phishing scams and to be vigilant protectors of your business’ data and network. We also utilize tools to test your employees’ susceptibility to falling prey to a phishing scam. Through our security awareness tool, we can simulate phishing attaches to determine who on your team is most likely to click, download, or share information in a phishing email. Over time we can measure the improvement of your business’ phishing security and pinpoint employees or areas where further training is needed.
Protect your business against phishing scams and detrimental data breaches by starting a conversation with our security experts today. Our team will walk you through the next steps towards educating your employees and testing the email security practices of your organization.
Talk to us today and Get Help Now!