There was a time when the only thing you had to worry about was a virus on your computer. Then came malware more broadly, then ransomware, and today one of the biggest risks to consider is phishing. These attacks will only become more common, and more convincing, as AI tools get more sophisticated.
The first thing you may want to know is: What is phishing?
Phishing is a technique fraudulent actors use to trick you into handing over access to important accounts or data. It works because you believe the request is coming from someone who is legitimately authorized to make it, so you make a mistake you otherwise would not.
Examples of phishing include emails that pretend to come from your bank or your boss, and text messages that appear to come from senior leadership but do not. These attacks are far more common than they once were, and you need to pay extra attention to make sure you are not scammed by a clever attacker or by an automated campaign driven by AI tooling.
In this article, we are going to cover the three most important things you can do to ensure that you are not a victim of a phishing scam. These are the same tips we give our hundreds of managed IT clients, who trust us to keep their companies and data safe.
Tip #1 – The Best Offense is a Good Defense
Before an email reaches a person who has to decide whether to open it or its attachments, it should pass through a mail filtering service. Our tool of choice is Mimecast, but other products on the market do similar things. The key is to trap suspicious mail before delivery and to keep teaching the system what to look for, so that it catches zero-day threats (sometimes written "Day 0"), meaning messages and malware the system has never seen before, as well as known ones.
Depending on people to always make the correct decision about their email is not a good plan. Staff are busy, and phishing scams keep getting more sophisticated, so it is not reasonable to expect them to recognize every phishing attempt. It is better to stop the message before they ever have to make a decision.
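To make the "teach the system what to look for" idea concrete, here is a minimal pre-delivery filter written as an added example for this article. It is not Mimecast or any vendor's code. It flags the patterns the article describes: an executive's display name on an external address, a look-alike sender domain, a brand lure whose links point somewhere other than the brand's own site, and a failed upstream SPF/DMARC check. The company domain (example.com), the executive names, and the four sample messages are all constructed for illustration.

```python
"""Added example of a simple pre-delivery phishing filter (not vendor code).
The company domain, executive list and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical protected organization and the people most often impersonated.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
# Brands commonly used as lures, mapped to the domain their links should use.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "netflix": "netflix.com"}


def _edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain, reference):
    """True when domain is a near miss (1-2 edits) of a trusted domain."""
    return domain != reference and _edit_distance(domain, reference) <= 2


def _text(msg):
    """Concatenate the text parts of a message (plain or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_maintype() == "text"
    )


def classify(raw):
    """Return the reasons a raw RFC 822 message should be quarantined (empty = deliver)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # 1. Executive display name, but the address is not on our own domain.
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name from external domain {domain}")

    # 2. Sender domain is a near miss of our domain or of a lured brand.
    for ref in [COMPANY_DOMAIN] + list(BRANDS.values()):
        if _lookalike(domain, ref):
            reasons.append(f"look-alike sender domain {domain} ~ {ref}")

    # 3. A brand is named in the body, but the links do not go to that brand.
    body = _text(msg)
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", body)}
    for brand, brand_domain in BRANDS.items():
        if brand in body.lower():
            for host in hosts:
                if host != brand_domain and not host.endswith("." + brand_domain):
                    reasons.append(f"'{brand}' lure links to {host}")

    # 4. The receiving mail server recorded an SPF or DMARC failure
    #    (Authentication-Results header, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        reasons.append("sender authentication failed")
    return reasons


# Constructed sample messages (not real mail).
SAMPLES = {
    "boss_gift_cards": """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounting@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass

Are you at your desk? I need $2000 in Apple gift cards for a client today.
""",
    "lookalike_helpdesk": """From: IT Helpdesk <helpdesk@examp1e.com>
To: staff@example.com
Subject: Password expiry

Your password expires today. Reply with your current password to keep access.
""",
    "paypal_lure": """From: "PayPal" <service@paypal-security-alerts.net>
To: finance@example.com
Subject: Unsuccessful login attempts
Authentication-Results: mx.example.com; spf=softfail; dmarc=fail

We noticed unsuccessful login attempts on your PayPal account.
Confirm your identity: http://paypal.com.account-verify.example.net/login
""",
    "legit": """From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Quarterly report
Authentication-Results: mx.example.com; spf=pass; dmarc=pass

Please see the attached quarterly report.
""",
}


def run_samples():
    """Classify every constructed sample; returns {name: [reasons]}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", "QUARANTINE " + "; ".join(reasons) if reasons else "deliver")
```

A real gateway does far more (URL rewriting, attachment sandboxing, reputation feeds), but the shape is the same: every rule encodes one pattern the filter has been taught, and the decision is made before a person ever sees the message. Note that rule 3 deliberately treats `paypal.com.account-verify.example.net` as foreign, because only the registrable domain at the end of the hostname matters.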
Tip #2 – Have Standards in Place and Make Sure Everyone Knows the Standards
What we are referring to here is having agreed rules for how sensitive requests will be handled. If the CEO asks for the online banking username and password, should staff send it? If the marketing manager asks for $2,000 in Apple gift cards, do you buy them and send the codes? These decisions are better made before an event forces the question.
Our suggestions on best practices are as follows:
- Never give out online banking information unless you have spoken with the person asking, in person or on a number you already have for them, and they have a legitimate reason to need it. Since wire transfers can be initiated from banking portals, this is a mistake most companies cannot afford.
- For requests that require purchases, again, have that conversation first, or at the very least set a maximum amount, such as $200, above which the conversation is required.
- Don't hand out personal information such as Social Security numbers just because someone requests it; provide it only when you initiated the process and know why it is needed. If your payroll company asks for it, for example, enter it through their portal rather than giving it over the phone. Callers can sound convincing, so be sure it really is the payroll company and not a scammer.
- Don’t pay invoices if you don’t know what they are for.
- Avoid clicking links in unexpected emails from companies that seem legitimate, such as PayPal, Amazon, Netflix or your bank, especially ones warning about unsuccessful login attempts. The link is the hook: it leads to a fake login page or a download that gives the phishing group a foothold in your network. Open the site directly from your browser or app instead.
- Treat texts that claim to come from a boss at your company with suspicion. Check the phone number against the one you already have for that person and, if necessary, call them on that known number to confirm the request.
- Set up 2FA on all your most important accounts so that even if attackers have your password, they still cannot log in without the second factor tied to your phone or a separate device. Prefer an authenticator app or a hardware security key where the service offers one; codes sent by SMS or email can themselves be phished or intercepted.
Tip #3 – Act Quickly if You Suspect You Have Been Hacked
Even with standards in place and tools that block most phishing attempts, some attackers will still get through and obtain sensitive information. That is not the time to schedule company meetings about what went wrong; the priority is to close the door as fast as possible. There is time later to review what happened with your team.
That can mean changing passwords (and usernames where possible), calling your credit card company or bank, and having your computer and network scanned for malicious files. Having a partner like Novatech helps: we can build a game plan that runs from keeping phishing out of your team's inboxes in the first place to scanning the network and computers if someone has made a mistake.
We take data security seriously and are passionate about helping our clients avoid phishing and malware. We would love to help your company get the protection it needs. Contact us to discuss how we can help you avoid phishing attacks.