We have written at length about the Human Firewall and how it can either be your business’ greatest defense or largest liability. So much of the human firewall’s strength depends upon how well employees are trained and empowered to respond to suspicious activity in their network. Let’s dig deeper on one maneuver that cybercriminals will use to infiltrate your company, one that has existed since the dawn of e-mail: phishing.
Phishing is a cyber attack that has been around since the 1990s and has only grown in frequency and sophistication. These con artists aim to trick the e-mail recipient into believing that they are helping by supplying information to a supposed government entity or to a company with whom they often do business. The message masquerades as originating from their bank or even from someone within their own company. If the recipient would only just click on a link or download the attached file....
We all know where this leads. Your personal e-mail has no doubt received its fair share of scams. When they infiltrate business e-mail accounts, though, the stakes are higher since well-intentioned employees can give away classified business information to parties with nefarious intentions. The techniques used in some phishing scams are becoming so clever that the untrained employee may easily and irrevocably fall prey. If we tore a few sheets from their playbook, we’d probably find the following:
1. “The attached file is available for your review.” Using a “soft targeting” approach by personally addressing an HR manager and pointing him/her to an attached resume, phishing scam artists succeed in conning an unsuspecting employee. The verbiage may change, but the maneuver is the same. If scam artists can simply get one employee to download a file that contains malware, they may be able to access the greater business network without anyone knowing.
It has been reported that 93% of phishing attacks contain encryption ransomware. Rather than attempt to recover files under ransom in other ways that may be more time-consuming, companies may agree to pay a ransom (say, $1000) to get their files back. The ransom may not represent a great expense in the big picture, but by training the employees who would be likely targets, a company can easily avoid having to pay one at all.
2. “Click on the link below to access this form for your convenience.” Cyberattackers can create copycat websites that are highly convincing, using recognizable logos and professional design. But you still have agency in the process. If something seems suspicious, rather than click on the link in the e-mail, the U.S. Federal Trade Commission recommends, “Do your own typing...Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.”
Making employees aware of these two old phishing methods is not the end of the conversation but the beginning of one that we hope you are having with your employees often, especially if you are on-boarding new employees on a regular basis. Security is not about finding and implementing a specific solution; it is the cultivation of a consistent, dynamic regimen to educate and fortify the company, as well as to minimize the points at which a compromise can occur. We cannot eliminate all of them, but we can do our utmost to reduce their likelihood and frequency. And the first and biggest step to doing that is to understand that security is far more about people than it is about technology.
Want to learn more about securing your company with a multi-layered approach? Download our white paper, Security in Layers.