Today, 90% of all data breaches are the result of a phishing attack. A recent study by Google revealed that phishing attacks are the main cause of compromised online accounts. The study was conducted over a one-year period from March 2016 to March 2017. During this time, 1.9 billion user accounts were exposed due to phishing and data breaches.
What is phishing?
Phishing is a fraudulent act in which a scammer steals private and sensitive information such as credit card numbers, account usernames, and passwords. The criminal uses a complex set of social engineering and computer programming strategies to lure email recipients and Web visitors into believing that a spoofed website is legitimate. The phishing victim later realizes that their personal identity and other confidential data was stolen.
How does the scammer succeed?
Phishing succeeds when a cybercriminal uses fraudulent emails or texts, and counterfeit websites to get you to share your personal or business information like your login passwords, Social Security Number or account numbers. They do this to rob you of your identity and steal your money.
Phishing emails are typically crafted to deliver a sense of urgency and importance. The message within these emails often appears to be from the government, a bank or a major corporation and can include realistic-looking logos and branding.
The scammer will typically insist that you click on a link in an email or reply with confidential information to verify an account. They may also attempt to install ransomware on your computer that will lock you out of your files until you pay a fee.
Why do people follow their instructions?
Scammers present themselves as trusted individuals by pretending to be an authority figure in your business, the government, or even friends or family members. They may try to trick you into believing they’re from the IRS and urge that your bank account will be frozen unless you provide confidential information.
How do you protect your business from phishing?
The best way to defend your business is to train your employees to recognize phishing emails so that they don’t click on them. You should do this with ongoing Security Awareness Training conducted by a professional IT Managed Services Provider (MSP).
Ensure that all new employees receive this training as a part of their orientation and that everyone receives further training twice a year, so they’re informed about the latest phishing threats
So you plan to schedule Security Awareness Training for your employees – but what can you do in the meantime?
Be sure that your employees scrutinize all emails and text messages by doing the following:
Be wary of malicious attachments in email messages. They may contain malware that can infect their computer.
Check to see who the real sender of the message is. The company name in the “From” field should match the address. Also, watch for addresses that contain typographical errors like “firstname.lastname@example.org.”
Look closely at the salutation in the message. If they spell their name wrong or use an impersonal greeting like, “Dear Ma’am” this could be a phishing attempt.
Hover over the URL in the email to view the full address. If you don’t recognize it, or if all the URLs in the email are the same, this is probably a phishing threat. Also, make sure that you and your employees know that all reputable URLs now start with https rather than http.
Check the footer in the message. It should include both the physical address of the sender and an unsubscribe button.
If a user isn’t sure if the company in the email is legitimate, they should call the number that they know is correct (not the one in the email) and ask a customer representative about the request in the email.
Make sure your employees are using Two-Factor Authentication whenever possible. This requires an additional piece of information (a code or token) that’s generated and sent to their phone or email address. They must use the code or token to log in to the account, which will protect the account even if their password was stolen.
Tell them not to click on any links, attachments or phone numbers in emails or text messages. These may contain a virus or be redirected to a fake website where a virus is downloaded. If they want to visit a site, they should key in the web address or phone number that they know is legitimate.
If there’s any doubt, they should just delete the message. If the message was from a genuine source, they will try to contact them another way.
What else can you do to protect your confidential business information?
Always back up your files to an external hard drive or cloud storage. It’s best to use a comprehensive solution with remote, offsite backup and data recovery services to ensure your business information is safe no matter what. Your MSP can provide this for you.
Also be sure to keep your security solutions up to date. Ask your IT MSP about Email and Spam Protection, which offers:
Anti-Spam, Anti-Virus and Anti-Malware solutions that scan incoming mail, and block spam, malware, and phishing attempts.
Firewall Management that determines if an address that’s trying to connect to your computer is one you can trust. If not, it denies access.
Outbound Mail Scanning so if one of your computers is infected with a virus, your outgoing mail services aren’t compromised. This is important because it will keep your company off spam lists and blacklist
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.