The people who create phishing scams are usually skilled at making their emails appear legitimate. The correspondence looks as though it comes from a trustworthy source, such as a bank, a well-known company, or even another department within a large organization.
These emails are usually intended to dupe the reader into clicking on a malicious embedded link. Even more alarming, the more sophisticated phishing emails execute hidden code the instant a user opens the email on his or her computer.
How to Spot a Phishing Scam
Some of the most common phishing techniques include:
- Embedding a link in an email that redirects the reader to an unsecure website which requests sensitive information
- Using a malicious email attachment or advertisement to install hidden code, called a Trojan, which will allow the attacker to obtain and record sensitive data
- Spoofing the sender address in an email to appear as a known or otherwise reputable source and request sensitive information such as user names and passwords
- Contacting employees by phone and attempting to gain information by impersonating a known company vendor or customer, or another department within the organization
Knowing what to look for is your company’s first line of defense against attempts at data theft.
Common Mistakes That Can Leave a Company Vulnerable to Phishing Attacks
Thankfully, some of the most common mistakes are also the most easily prevented. Avoiding them will greatly reduce the likelihood that your company’s data will fall into the wrong hands.
Phishing security mistake #1: Not having the right tools in place.
Your employees possess knowledge and credentials critical to your company’s data security. Phishing scams are often the easiest way an intruder can gain access to protected data. Once a phisher gains the trust of even a single employee within an organization, all its sensitive data is vulnerable to theft or attack.
Several of the most high-profile recent security breaches began with a successful phishing campaign. This includes the recent data thefts involving Sony and Target. In the instance of Target’s security breach, data was obtained through a third party—the company entrusted with processing customers’ payments. This illustrates how a single data breach can have a ripple effect throughout multiple companies that do business together.
Thankfully, there are many tools available to help protect your sensitive data. The one that suits a company best depends on a number of factors, including the size of the company and the type of data it handles.
Phishing security mistake #2: Not properly training employees in email security procedures.
No security tools are of much use if the employees who have access to sensitive data aren’t trained in their use, as well as in general Internet safety practices. Companies need to ensure their staff understands the risks of:
- Opening email attachments
- Clicking unfamiliar links
- Opening emails from unknown or untrusted sources
An effective security education program should also include instruction on how to spot email spoofing. Spoofing is the practice of forging an email header or address so that it appears to come from a legitimate source.
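A concrete way to show staff (and automated mail rules) what a spoofed sender looks like is to compare the visible From address with the envelope sender and with the SPF/DKIM verdicts the receiving mail server records in the Authentication-Results header. The following Python is an added example, not code from the original article; the two messages are constructed samples (example-bank.com, mail-tracker.example.net and the verdict strings are made up for illustration), and the header-parsing regexes assume the common "spf=result" / "dkim=result header.d=domain" layout.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From claims example-bank.com, but the
# envelope sender is a different domain and SPF/DKIM do not vouch for it.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-tracker.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-tracker.example.net;
 dkim=none
From: "Example Bank Support" <support@example-bank.com>
To: employee@example.com
Subject: Urgent: verify your account

Please verify your account immediately.
"""

# Constructed sample: envelope sender, SPF and DKIM all agree with From.
SAMPLE_LEGIT = """\
Return-Path: <support@example-bank.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example-bank.com;
 dkim=pass header.d=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
To: employee@example.com
Subject: Your monthly statement

Your statement is available in the portal.
"""


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Pull the spf/dkim verdicts (and DKIM signing domain) out of an
    Authentication-Results header value."""
    value = value or ""
    results = {}
    for method in ("spf", "dkim"):
        m = re.search(rf"\b{method}=(\w+)", value)
        results[method] = m.group(1).lower() if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", value)
    results["dkim_domain"] = m.group(1).lower() if m else ""
    return results


def spoof_indicators(raw_message):
    """Return a list of human-readable reasons the sender looks spoofed.
    An empty list means the visible sender is consistent with the
    envelope sender and the authentication verdicts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    return_domain = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    indicators = []
    if return_domain and return_domain != from_domain:
        indicators.append(
            f"envelope sender domain {return_domain} differs from From domain {from_domain}")
    if auth["spf"] != "pass":
        indicators.append(f"SPF result is {auth['spf']}")
    if auth["dkim"] != "pass":
        indicators.append(f"DKIM result is {auth['dkim']}")
    elif auth["dkim_domain"] and auth["dkim_domain"] != from_domain:
        indicators.append(
            f"DKIM signed by {auth['dkim_domain']}, not the From domain {from_domain}")
    return indicators


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, spoof_indicators(sample) or ["no indicators"])
```

Only the Authentication-Results header added by your own mail server can be trusted; a sender can insert a forged one, so a production check must also confirm the authserv-id (mx.example.com in the samples) matches your gateway and strip any incoming copies of that header at the perimeter.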
Phishing security mistake #3: Careless Internet browsing.
Many organizations fall victim to phishing attacks due to careless or naive Internet browsing. Make certain employees use only trusted web browsers and that those browsers are updated regularly.
Employing a blocker that prevents employees from accessing unsecure websites will greatly reduce your company’s chance of having its security compromised. Additionally, training all employees on secure Internet browsing is a crucial part of any organization’s defenses.
Steps a Company Can Take to Protect Against Phishing
Defending against these attacks requires a multi-level, layered approach to Internet security. In addition to avoiding common mistakes, there are several ways to further protect your company’s sensitive data. Using them in conjunction with one another is the best way to ensure your business data remains secure.
- Keep all systems up-to-date with the latest updates and security patches
- Ensure your email program uses a spam filter that detects viruses, blank senders, and other red flags, preventing many fraudulent emails from ever reaching an employee’s inbox
- Install and monitor anti-virus/anti-malware solutions on all equipment
- Educate your employees about the methods phishers employ
- Conduct ongoing training sessions with mock phishing scenarios
- Develop and enforce a security policy that includes guidelines on password complexity
- Enforce a policy that passwords be changed periodically—every 90 days is an ideal frequency
- Require encryption for employees who work remotely
- Block malicious websites using a web filter
- Encrypt all sensitive company data
- Consider converting HTML email into text-only email messages or disabling HTML email messages entirely
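The last item above, rendering HTML mail as text, is useful precisely because it exposes where a link actually points; the first technique in the "How to Spot a Phishing Scam" list relies on the displayed link text hiding a different destination. The following Python is an added example, not code from the original article: it converts a constructed HTML message (the hostnames in it are made up, with the lookalike under the reserved .example TLD) to plain text with each link's real target appended, and flags anchors whose visible text shows one host while the href points at another.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email: the first link's visible text names the
# bank's real host, but its href points at a lookalike domain.
SAMPLE_HTML = """<html><body>
<p>Dear customer, please <a href="http://login.example-bank.com.attacker-controlled.example/verify">
https://www.example-bank.com/verify</a> your account.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs and a plain-text rendering in
    which every link is followed by its real target in brackets."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._anchor_text).split())
            self.links.append((self._href, text))
            self.text_parts.append(f" [{self._href}]")
            self._href = None


def host_of(url_or_domain):
    """Lower-cased hostname of a URL; a bare domain is accepted too."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def html_to_text(html):
    """Text-only rendering with each link's real target shown inline."""
    parser = LinkExtractor()
    parser.feed(html)
    return " ".join("".join(parser.text_parts).split())


def suspicious_links(html):
    """Anchors whose visible text looks like a URL or domain but whose
    href resolves to a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        looks_like_address = "." in text and " " not in text
        shown = host_of(text) if looks_like_address else ""
        actual = host_of(href)
        if shown and shown != actual:
            findings.append({
                "text": text,
                "href": href,
                "reason": f"link text shows {shown} but target host is {actual}",
            })
    return findings


if __name__ == "__main__":
    print(html_to_text(SAMPLE_HTML))
    for f in suspicious_links(SAMPLE_HTML):
        print("SUSPICIOUS:", f["reason"])
```

The plain-text conversion alone is what a text-only mail client gives users; the mismatch check is the rule a gateway or awareness tool can apply before the message reaches an inbox. It deliberately ignores anchors with ordinary prose as their text ("our help page"), since those carry no visible-versus-actual contradiction to flag.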
Whatever steps you take to protect your data, it’s important to continually update your software and procedures. Keeping up with current phishing strategies is crucial in order to eliminate threats as they evolve. It is equally vital to ensure your employees have the knowledge to spot attacks and the skills to know how to address them.
Don’t let your sensitive data fall into the wrong hands. We can help.
Phishing attacks can be difficult to shield against. Thankfully, with the right combination of software, hardware and security procedures, you can be certain your data remains secure. Give us a call at 503-640-5100 or contact us online. We’ll work with you to provide a comprehensive Internet security strategy for your organization.