90% of all data breaches start with a phishing attack. The motives for these attacks range from stealing credentials to access internal networks to an attacker posing as your CEO to gain W-2s for tax fraud. If you’re not familiar with how phishing scams work and how successful they are without proper training, then you are putting your Business and employees at risk.
First off, what is a Phishing attack? Phishing can be defined as any attempt to trick users into giving away credentials, credit card numbers or sensitive business and/or personal information by posing as a trusted site, company or contact. These attacks can come from anywhere and are made to look like something you would normally click on without a second thought. That is what makes them so dangerous.
Even knowing basic scam-identifying techniques such as making sure you know the person sending you the email or checking to make sure the link URLs are not suspicious; can all be useless when it comes to a phishing scam. Attackers can mimic domains and URLs to make the message look like it is coming from a trusted site or contact and can re-direct traffic from an actual site to a fake one that is identical.
Above all training is key when it comes to avoiding a potential data breach due to a phishing attack. The more employees hear about phishing attacks and experience training in the area, the more likely they are to identify a suspicious email and report it. Most business do not have the time or a dedicated IT Security person to regularly educate their employees on the risk of a phishing attack. But keeping employees informed on a few basic tips is key.
There are several big types of phishing attacks that businesses of every size experience daily:
- Clone Phishing: Copying a legitimate email or page to trick the user into thinking it is coming from a trusted source.
- Spear Phishing: Targeted scams where attackers will research habits, trusted organizations, fellow employees and any other personal information to create an email you are more likely to interact with.
- CEO Fraud: Attackers will pose as a trusted authority, such as a CEO to gain sensitive information from within the company, such as W-2s or credentials to internal applications from the employees.
Even if your business does not have the time or personnel to regularly train for phishing attacks, there are still basic tips you can give to your employees to lower the risk of falling for a scam.
- Watch out for emails that have an urgent tone or are requiring immediate action on an account.
- Hover over links in embedded in emails to view their URL before you click on them. If the URL begins with an “HTTPS” it is usually a good indication that the site is secure.
- Beware of generic subject lines, even if it comes from an address you recognize. This is a telltale of a bulk-phishing scam.
- Be suspicious if a trusted website sends a request for you to re-submit your credentials randomly. Websites will not request for you to re-submit credentials unless you go directly to their website to log in. This is a security measure to prevent scams.
- Always report suspicious emails to your IT Department, Services Provider or Management. It never hurts to be safe rather than sorry, and risk exposing your business to a data breach.
Following these tips will help prevent your employees from falling victim to a phishing scam, but regular training and tools such as KnowBe4 and PhishMe are extremely helpful as well. Taking responsibility for the education of your employees on scamming techniques will help protect your business from potential attacks due to user error, which accounts for over half of all data breaches for small businesses.