How To Prevent Staff Phishing Scams
Updated: Jan 19
Email is a vital tool for modern business. It is the quintessential key to corporate communication and is crucial for every business. It provides affordable and simple communication for businesses of every size, and without it the business world would be a lot more difficult. Because its history in business is so expansive, however, it has also become a key target for malicious hackers, especially in light of a global pandemic in which internet access is absolutely key to the modern business environment. Supplying safe web access is vital to the productivity of all businesses today.
Every day, employees, staff and management are exposed to a never-ceasing wave of email spam. Even though many businesses have systems and solutions available to prevent spam, attackers are learning new ways to avoid detection and exposure in order to hook into you and your staff. A recent report by Proofpoint stated that ‘80% of the overall threat landscape is using the Coronavirus as a theme in their attacks. This includes attacks that don’t outright mention Coronavirus in the subject or body of a message but instead reference it within attachments, links or lures.’ Attackers are taking advantage of a once-in-a-century crisis to wreak havoc on security systems.
Phishing is not a new concept. It has been talked about at length by various tech professionals and employees alike. It has developed an infamous name for itself, simply because it is the most effective and simple way a hacker can gain access to your data. Phishing scams often consist of fraudulent emails that take on the persona of reputable companies and organisations. This can be anything from your bank, internet service provider or workmates to big enterprises such as Microsoft, Adobe or Apple. These emails usually direct you to a spoofed site or otherwise get you to divulge private information, such as your passphrase, credit card or other account information. The perpetrators then use this personal information to commit identity theft. One common kind of phishing scam comes in the form of an email saying that fraudulent activity has been detected on your account, with a request for you to “click here” to verify your information.
Below are a few examples of the techniques employed by phishers to gain access to staff accounts:
- A staff member receives an invoice detailing a minor or low-cost purchase from a well-known site. The email looks legitimate and carries a reputable company’s logos and formatting. At the end of the message is a legitimate-looking link to discuss or query the pricing. Often staff don’t recall making the purchase, so there is a tendency for them to click the link and log in. After clicking, they are redirected to an imposter login page, and their password is captured by cybercriminals directly from that website.
- Staff receive an email from an applicant applying for a role currently advertised on your company website. Attached to the email is a file that appears to contain a CV. The tendency of staff is to open it, but doing so activates a malicious file that permits cybercriminals to install malware on the local PC.
- Staff receive a marketing or promotional email that invites the recipient to complete a realistic-looking survey in return for a chance to win a shopping voucher, iPhone, holiday or similar reward. Recipients who elect to complete the survey are asked to supply personal information that would not normally be requested, such as their birthday, home address or credit card details.
Much like email, phishing scams have a long-standing history. They have been around for years and have constantly evolved with the times. Because of this, they can also be extremely difficult to detect, as phishers don’t always make obvious grammatical errors or spelling mistakes. Some have years of experience and have perfected the art of a well-crafted email scam, far beyond the amateurish image usually associated with email scams. They do their research and may already know an employee’s name and address from staff pages, so red flags may be few and far between.
However, there are techniques to prevent staff email scams:
- Make it clear to your staff never to enter passwords into login pages that appear after clicking a link in an email. Instead, advise staff to bookmark the official login pages of the websites they use, or to type the address directly into the browser.
- Advise everyone that if they are unsure about an attachment, they should run it by an IT person, either on-site or at a third-party IT company. Also, avoid opening attachments from senders they do not know.
- Establish a reporting address for your email or security expert within your organisation (e.g. firstname.lastname@example.org). That gives your users a fast way to ask about unexpected emails and unsolicited attachments.
- Remind staff that if in doubt, do not give it out!
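The invoice lure above works because the link text looks like the real site while the destination is an imposter page; the bookmark advice works because staff compare against a known-good address. The following helper, added here as an illustration and not part of the original article or ACS's tooling, makes that comparison mechanically: it pulls the anchors out of a constructed invoice-style email and flags any link whose real host is not the bookmarked domain, or whose visible text shows a different address from where it actually goes. The brand, the allowlist and every address in the sample are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): the domains staff are told to bookmark
# for each brand. A real deployment would maintain this list centrally.
OFFICIAL_DOMAINS = {"example-bank": {"example-bank.com"}}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, with a leading 'www.' removed.
    urlparse() resolves tricks such as 'https://example-bank.com@evil.example/',
    where the brand name is only userinfo and the real host is evil.example."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_official(host: str, brand: str) -> bool:
    """True only if host is a bookmarked domain for the brand or a subdomain of one."""
    return any(host == d or host.endswith("." + d)
               for d in OFFICIAL_DOMAINS.get(brand, set()))


def check_links(html: str, brand: str) -> list:
    """Return (href, reason) pairs for each anchor staff should not log in through:
    the destination is not the bookmarked domain, or the visible text shows one
    address while the link goes somewhere else."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        real = host_of(href)
        text = text.strip()
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if not is_official(real, brand):
            findings.append((href, f"destination {real!r} is not the bookmarked {brand} domain"))
        if shown and shown != real:
            findings.append((href, f"visible text shows {shown!r} but link goes to {real!r}"))
    return findings


# Constructed sample resembling the invoice lure; none of these addresses are real.
SAMPLE_EMAIL = """<p>Invoice #1042 for a purchase of 9.99 is attached.</p>
<a href="https://example-bank.com.login-verify.example/query">Query this charge</a>
<a href="https://example-bank.com@evil.example/account">https://www.example-bank.com/account</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "example-bank"):
        print(f"{reason}: {href}")
```

Run against the sample, the first two links are reported (the second one twice, once for its host and once for the mismatch with its visible text) while the genuine help link passes, which is exactly the judgement staff are asked to make by hand.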
When it comes to your business, protecting your data is crucial. Exercising good habits and having a cohesive cyber-security plan can save precious data from falling victim to malicious attacks and data loss. If you have any concerns about your business's current security or want to learn more regarding how to protect your business, do not hesitate to talk to one of the team members at ACS.