Imagine one of your customer service representatives takes a call from somebody claiming to be the CEO of an important client. The caller is looking for detailed information about their account with you, but they don’t have a lot of time and insist that your customer service representative ignore account verification procedures.

The customer service representative knows they should follow procedures, but they also know this is an important client and they want to be helpful in a tense situation. Your representative provides the requested information without verifying the caller’s identity. Of course, the caller wasn’t who they claimed to be, and you have just suffered a phishing attack by phone (often called vishing) and a serious data breach.

Phishing is most often associated with fraudulent emails and websites that imitate real people and services, tricking recipients into providing personal information, login credentials or payment details. However, phishing attacks aren’t exclusively online. A criminal can misrepresent themselves over the phone, as described above, or even in person in an attempt to gain access to secure areas and information.

While attacks like ransomware and denial of service make the biggest headlines, phishing has been around since the early years of the internet and still succeeds because it preys on people’s willingness to trust things that look familiar, and because it needs no technical vulnerability at all, only a person who acts before checking.

As described in the above example, even a business with existing security procedures in place could fall victim to a phishing attack if all employees don’t remain vigilant. Here are some ways to help protect your business against getting hooked.

Stay informed

When it comes to large, general phishing attacks, word gets around pretty quickly on what companies are being impersonated and what scammers are asking for. That’s the nature of targeting hundreds of thousands of email addresses at a time. While basic phishing scams might not make as many headlines as a big ransomware attack or data breach, they are still dangerous. Make sure your IT department is up to date on the latest phishing scams and communicates to employees what to watch for.

Follow existing procedures

If your employees aren’t supposed to give out information without verifying somebody’s identity, whether by phone, email or in person, they need to follow that procedure regardless of the situation, and especially when the caller is applying pressure or claiming urgency. Crafty phishers might even be able to find the answers to simple verification questions online, so the check should rely on something an outsider cannot look up, such as calling the client back on a number already on file. If your employees aren’t comfortable with a situation despite following procedures, they should contact a supervisor.

Double check the email address

If your own CEO sends you an email asking you to perform a task, you’re probably going to do it as quickly as possible, right? That’s exactly what whaling exploits. Whaling is a far more targeted form of phishing than a mass mailing: it aims at, or impersonates, senior executives of your business or of a client, and the impersonation of your own CEO to trick staff into paying or sending data is often called CEO fraud or business email compromise.

An Australian company was out $500,000 because employees transferred funds to an overseas bank account without realizing that the person claiming to be their own CEO was lying. Always double check who is sending you an email, especially if they’re asking for something out of the ordinary. Look at the actual address behind the display name, not just the name shown, and treat a Reply-To that points somewhere other than the sender as a warning sign.

Don’t click

Emails are the most common form of phishing since they can easily be made to look like official correspondence. As such, if you think an email is authentic, you probably won’t hesitate to click any link in it. DON’T DO IT! When you receive emails from outside your company, check where a link actually leads before you click it (hover over it, or copy the link and read it). Does the web address misspell or imitate the company name, for example with a digit 1 in place of a lowercase l? Does the domain match the website you think you’re being directed to? Is it HTTP instead of HTTPS, or a bare IP address? Keep in mind that HTTPS alone proves nothing: phishing sites routinely use valid certificates, so a padlock on the wrong domain is still the wrong domain. Don’t click something that looks suspicious.
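The two checks above (the sender address behind a display name, and the real destination of a link) are mechanical enough to automate, and a mail gateway or a cautious reader can apply them the same way. The following is an added example, not code from the original article: a small Python script that inspects a From: header, an optional Reply-To, and a link, and returns a list of warnings. The trusted domain `example.com`, the look-alike table, and the sample headers and URLs are all constructed for the example; real code should resolve the registered domain with the Public Suffix List rather than taking the last two labels.

```python
"""Added example (not from the original article): header and link checks
that mirror the advice in "Double check the email address" and "Don't click".
"""
from email.utils import parseaddr
from typing import List, Optional, Set
from urllib.parse import urlsplit
import ipaddress

# Domains the organisation actually sends mail from (assumed for this example).
TRUSTED_DOMAINS: Set[str] = {"example.com"}

# Characters and digraphs commonly swapped for look-alike letters in phishing
# domains, so that 'examp1e.com' and 'exarnple.com' both fold to 'example.com'.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def registered_domain(host: str) -> str:
    """Rough eTLD+1: the last two labels. Good enough for .com-style names;
    production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_lookalikes(host: str) -> str:
    """Replace digits/digraphs that imitate letters to expose look-alike domains."""
    out = host.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def inspect_link(url: str, expected_host: str) -> List[str]:
    """Return warnings for a link that claims to lead to expected_host."""
    warnings: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme!r})")
    if parts.username is not None:
        # https://example.com@evil.example/ : the real host is after the '@'
        warnings.append(f"user-info {parts.username!r} hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append(f"link goes to a bare IP address {host}")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if host and registered_domain(host) != registered_domain(expected_host):
        warnings.append(f"domain mismatch: expected {expected_host}, got {host}")
        if fold_lookalikes(registered_domain(host)) == fold_lookalikes(
            registered_domain(expected_host)
        ):
            warnings.append(f"{host} is a look-alike of {expected_host}")
    return warnings


def inspect_sender(from_header: str, reply_to: Optional[str],
                   trusted: Set[str]) -> List[str]:
    """Flag display-name spoofing and Reply-To redirection in message headers."""
    warnings: List[str] = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if registered_domain(domain) not in trusted:
        warnings.append(f"From address {addr} is outside the trusted domains")
    # A familiar address typed into the display name is a classic trick: the
    # reader sees 'ceo@example.com' while the real sender is somewhere else.
    if "@" in name:
        warnings.append(f"display name {name!r} contains an address; real sender is {addr}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.rpartition("@")[2].lower() != domain:
            warnings.append(f"replies go to {rt_addr}, not to {addr}")
    return warnings


if __name__ == "__main__":
    # Constructed samples, not real messages.
    samples = [
        ("link", "http://examp1e.com/login", "example.com"),
        ("link", "https://example.com@203.0.113.5/", "example.com"),
        ("link", "https://login.example.com/account", "example.com"),
    ]
    for _, url, expected in samples:
        print(url, "->", inspect_link(url, expected) or "ok")
    print(inspect_sender('"ceo@example.com" <attacker@mail.example.net>', None, TRUSTED_DOMAINS))
    print(inspect_sender("CEO <ceo@example.com>", "ceo@mailbox.example.org", TRUSTED_DOMAINS))
```

The look-alike table is deliberately tiny; a real deployment would also catch Unicode homoglyphs (for example Cyrillic letters that render like Latin ones) and punycode hostnames beginning with `xn--`. Note that none of these checks involve HTTPS as a positive signal: a valid certificate on `examp1e.com` still gets flagged, because the domain, not the padlock, is what matters.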

Firewalls, anti-virus software, and anti-phishing tools are all useful roadblocks, but whether a phishing attempt succeeds can still come down to how one of your employees reacts to a suspicious message or call. How do you train your employees to recognize and report these attacks?