High-profile hacking attacks might dominate the headlines, but one of the biggest risks to your security isn’t software vulnerabilities or malware—it’s phishing attacks. There were more than 1.2 million phishing attacks last year alone, up 65 percent over 2015, according to the Anti-Phishing Working Group (APWG).
Phishing attacks usually come in the form of a fake email that appears to be from a legitimate source, such as your bank, employer or a website you use frequently. The idea is to get you to hand over the keys to your accounts by prompting you to type your login details and password into a fake website front. Victims click the link in an email and get taken to a website that looks just like the real thing, but in reality, it has been created to steal information.
Because phishing attacks target people using sophisticated techniques designed to fool, no business is immune to them. Remember, your cybersecurity is only as strong as the weakest link—your employees. Let’s run through a few important rules that will safeguard you and your business from phishing attacks.
1. Verify requests for sensitive data
If you get an email request for sensitive data, don’t immediately tap reply and hand away access to your account. Make sure it really is a legitimate request from Sharon in accounting or that your supplier needs updated bank details. A quick phone call can save you from a serious data breach. If you insist on emailing, then don’t reply, type the email address in yourself or use your address book.
2. Type URLs or use your own bookmarks
Phishing scams often come in the form of links in emails that appear to be sent from people you know and trust. What looks like another funny cat video from the office joker may, in fact, be directing you to unknowingly download malware. Sometimes the email will be a request to update your login details with a link to what appears to be a legitimate company website. You can avoid this kind of scam by always typing the URL into the address bar of your browser yourself or using your own bookmark if you have one. Never click on links in emails.
3. Monitor company account access
The IT department should be keeping an eye on company account access. Make sure old accounts are deleted and permissions are appropriate. It’s a good idea to employ tools that analyze user behavior and flag any suspicious logins or data requests.
4. Be careful about opening attachments
If you don’t recognize who an email is from, then don’t open any attachments. They can contain malware that will install itself. Even if you do recognize the sender, it’s worth subjecting the email to greater scrutiny if it has an attachment. You should have security in place that automatically scans and removes suspicious attachments.
5. Make sure websites are secure
Check that any secure websites you visit really are secure before you submit any sensitive data. Take a look in the address bar of your browser; you should see “https://” at the start instead of “http://”, where the S stands for security. There should also be a lock icon that you can hover over to see the level of encryption.
6. Keep security software on and up to date
Any request to disable your firewall or antivirus defenses should be treated with serious skepticism. Security software should be running at all times and be kept fully updated. Make sure you comply with the IT department’s requests and never disable your security software.
7. Report suspicious emails
If you do get something that looks like a phishing attack, report it. You can forward emails to your security officer or IT department. Many companies and services also have email addresses specifically for suspected phishing emails, and they’ll confirm whether an email is legitimate or not. If in doubt, it’s always best to ask your IT department.
Make sure you and your employees are familiar with these tips, and you can avoid being hooked by phishing scams.