Don’t let your employees get fooled by an online criminal.
More and more criminals are using the Internet to get a hold of sensitive data, which they then use or sell for their own profit.
The most common type of attack is phishing.
Phishing is when an online criminal impersonates someone the target trusts and tries to trick them into providing personal information, clicking on a link that installs spyware, or even transferring money to a bogus account.
An alarming number of people use the same password for multiple sites (https://cisecurity.org/reusing-passwords-on-multiple-sites/). So, if the attacker were to get credentials to even one site, it’s possible (even likely) that the victim uses the same password on other sites, giving the attacker access to even more of the victim’s personal information.
Example of a Phishing Email
You receive a phishing email that directs you to a site to “update” your address or other information with the results going directly to the attacker.
How does Phishing Work?
A common form of phishing works by sending the target an email that looks and feels legitimate and contains what appears to be a link to a familiar website. This maliciously crafted website is made to look exactly like what the user expects, and even the URL is likely very similar to the site the user would expect (e.g. tvvitter.com instead of twitter.com).
Once on this site, nothing seems wrong to the user as they enter their information to log in or update their profile. At that point, some phishing sites may claim the password is wrong in the hope that another one gets entered (more passwords to try on other sites). The more sophisticated attacks could even redirect the user to the legitimate site, completely hiding the phishing from the target.
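The lookalike-domain trick described above (tvvitter.com standing in for twitter.com) is something a mail gateway or help desk can check for automatically. The following is an added example, not code from the original article or from any product it mentions: it folds visually confusable character sequences ("vv" for "w", "rn" for "m", "1" for "l", and so on), compares the result against a list of trusted domains, and also flags a trusted name buried inside a longer hostname. The trusted-domain list, the confusable table and the sample email body are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains this organisation trusts (assumption for the example).
TRUSTED_DOMAINS = ["twitter.com", "paypal.com", "example-bank.com"]

# Character sequences that look alike in many fonts, mapped to the letters they imitate.
CONFUSABLES = {
    "vv": "w",
    "rn": "m",
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}

# Matches http(s) links in plain-text email bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def fold_confusables(label: str) -> str:
    """Collapse look-alike sequences to the letters they imitate (tvvitter -> twitter).
    Multi-character sequences are replaced first so 'rn' wins over single-character rules."""
    folded = label.lower()
    for seq, canon in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(seq, canon)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Extract the hostname from a URL, lower-cased, without port or leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one link found in an email."""
    host = registrable_domain(url)
    if host in trusted:
        return "trusted"
    folded_host = fold_confusables(host)
    for good in trusted:
        folded_good = fold_confusables(good)
        # Same spelling once confusables are folded: homoglyph impersonation.
        if folded_host == folded_good:
            return "lookalike"
        # One character off: classic typo-squat (twiter.com, twittr.com).
        if edit_distance(folded_host, folded_good) <= max_distance:
            return "lookalike"
        # Trusted name embedded in a longer hostname (twitter.com.login-verify.net).
        if good in host and host != good:
            return "lookalike"
    return "unknown"


def scan_email_body(body: str):
    """Find every http(s) link in a message body and classify its domain."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:")  # drop sentence punctuation glued to the link
        findings.append((url, classify_link(url)))
    return findings


# Constructed sample phishing email, modelled on the "update your address" lure above.
SAMPLE_EMAIL = """Your account needs attention.
Please update your address at http://tvvitter.com/settings within 24 hours,
or read our help pages at https://twitter.com/help."""

if __name__ == "__main__":
    for url, verdict in scan_email_body(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

A "lookalike" verdict is a reason to hold the message for review rather than proof of phishing on its own; the confusable table and the edit-distance threshold are deliberately small here and would be tuned against a real trusted-domain list.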
Basic Phishing Awareness Tips:
- Attackers will sometimes intentionally include poorly worded sentences so that only the least ‘aware’ users click, which raises their odds of success.
- If you were not expecting an email about a website or account, don’t trust it.
- Be very wary of popups or emails offering to clean your files of viruses or fix other computer issues.
- If you’re suspicious of an email, alert the person responsible for your IT support immediately and do not follow the link.
Educating Your Employees
There are services which help businesses teach their users about phishing attacks. It is obviously in a company’s best interest to educate its users. The easiest way to lose control of sensitive data is to have a user’s account credentials leaked. Any information available to that user over the Internet would then be compromised. This might even include VPN access into the company network.
Services run by companies like KnowBe4, PhishLabs, and Wombat Security help educate users to avoid falling victim to such attacks. Most work by first having users take a short online class on phishing. Periodically, fake phishing emails are then sent to users, and follow-up action is taken based on how they responded. Just knowing they will occasionally be tested with fake phishing emails keeps users on the lookout.
Contact us if you would like more information or if you have any questions.