By all accounts, phishing attacks are the favorite tool of hackers. Phishing is the internet equivalent of throwing bait out and waiting for someone to bite. Phishing attacks can be used to gather protected information like bank account numbers, dates of birth, passwords and Social Security numbers, or to deliver malware and viruses to your device. Learning how to identify and respond to phishing attacks will help you and your employees protect your data, your profits and your productivity.
Here are 3 ways to avoid phishing attacks on yourself and your business.
1. Knowledge is Power
Educate your employees and yourself.
Trained employees can identify threats and avoid clicking on dangerous links. Employees must know why and how hackers access their data. Training on the latest hacker techniques arms your employees with the tools to defend your data.
Phishing emails are often topical. At the time of writing, COVID-19 dominates the headlines worldwide. Hackers have responded with phishing emails about stimulus checks, how to prevent or cure the virus, offers for in-demand items, and charities requesting donations on behalf of victims. Additionally, they have sent emails spoofing the World Health Organization (WHO) and Centers for Disease Control (CDC).
Phishing scams also rely on hot-button issues like political trigger points. They might use subject lines such as “Trump Locks Up Hillary” or “Trump’s Tax Returns Released.” They could promise sensational riches such as “Click here to learn how we made millions while working from home.” They could entice with sex appeal: “Taylor Swift laptop hacked. Click here to see her sex tape.” Additionally, hackers often impersonate well-known and trusted entities such as Amazon (like the pictured example below), Microsoft, UPS, FedEx and common banking institutions.
In addition to training, you should test your employees with phishing simulators. All it takes is one employee falling for a single phishing email. You should know who in your organization is the weakest link, and help strengthen them.
The right cyber-security training can benefit anyone in both their personal and professional lives.
2. No Target Too Small
Don’t assume you’re a small target. Unlike actual fishing, hackers don’t care how small their catch is. Your data has a value. Small businesses and individuals that believe they are too small are playing right into the hands of the hackers.
For a moment, imagine that you logged into your computer this morning and found all your sensitive data encrypted. A few minutes later, you receive an email demanding money for the key to decrypt your data and get it back. How much is that worth to you? How much will you pay? Normally, hackers will only give you a limited amount of time to respond before the price rises or other consequences occur.
In addition to the threat of losing your data, ransomware hackers in recent weeks have started threatening to release stolen data to friends of the victim or to the public. This has added further urgency to the decision of whether to pay a ransom.
Ask yourself: what data on your computer are you willing to lose?
- Wedding photos? Photos of the birth of your baby?
- Private selfies?
- A medical history form you completed for your doctor?
- Drug use?
- Sexual history, or orientation?
- Prior criminal record?
- Your viewing history?
- Pictures of family members that have died?
Hackers don’t care how small your business is. They know the value of your data. Therefore, you should too.
3. Don’t click or forward
If you or an employee suspects an email or message is “phishy,” don’t click any links (including the unsubscribe button) or open any attachments. If necessary, look up the sender’s phone number from an independent source (not from the suspicious email itself) and contact them to verify that the email is valid. Also, don’t forward the email to a co-worker to ask for their opinion. Finally, don’t reply to hackers. Hackers will attempt to convince you that their email is valid.
If an employee has already clicked on a link or opened an attachment, contact your IT provider and notify them immediately. In many cases, malware hides on the first device and spreads to other devices in the network. The faster an IT person can investigate and contain the threat, the more likely they can prevent further damage.
As a side note, C-Level Administrators, please be patient with employees who report clicks. Phishing attacks have become much more difficult to spot since the days of the “Nigerian Prince” emails. Making timely notifications to supervisors and IT personnel should be considered a positive response.
In conclusion, phishing emails are the most common form of attack. Approximately 90% of phishing attacks arrive via email. Having a spam filter can reduce the number of emails that have to be evaluated by employees and subsequently reduce risk.
Finally, back up your data. Employees make mistakes every day. Having the ability to recover quickly from an attack is invaluable. If your cyber-security budget is limited, start with backups.