Losses to businesses and private citizens from phishing scams have grown steadily in recent years, and the trend is expected to continue. Some scary statistics on phishing scams include:
- 76% of businesses reported phishing attacks in 2018 alone
- The average cost to even a mid-size business from a phishing attack is $1.6 million
That is enough to worry even companies that believe their networks are impenetrable, or that rely on multiple layers of malware detection and antivirus software: phishing targets people rather than machines, and a single click can carry an attacker past those layers.
Understanding how phishing works and how to recognize it is the best way to prevent these scams and the havoc they cause to businesses and individuals. The dilemma for businesses is how to make that recognition reliable across every employee who receives email.
What Are Phishing Scams?
Cybersecurity is at the forefront of concerns for every business and government agency. Attackers and their phishing techniques keep growing more sophisticated, and nearly half of all email sent today is spam. Try as they may to detect and block phishing attempts, businesses continue to fall prey to these cyberthieves.
What exactly does “phishing” mean?
Most phishing attacks use an email sent to individuals, or to employees at a business the attackers want to penetrate. These emails appear to come either from a colleague the recipient knows or from a legitimate organization such as a bank or other financial institution; the displayed sender name and address are easy to forge or to make look similar to the real thing.
Often these emails request confirmation of confidential information, asking the potential victim to click a link that also looks legitimate. There may also be an attachment the user is encouraged to open, often with a tempting offer such as a free gift card or another incentive.
The problem is that once the link is clicked or the document is opened, the damage may already be done. An imposter website captures whatever the user types into it (passwords, card numbers, one-time codes), and attachments can deliver malware, including ransomware, to the company's network.
Phishing campaigns often target large numbers of email addresses harvested from public sources such as social media, or from a single compromised corporate computer with access to email address books. It only takes a few recipients replying to an email or clicking a link to make the campaign a success for the cybercriminal, and a crisis for the business.
Recognizing Phishing Schemes
There are many attributes of phishing schemes that should raise a red flag to anyone receiving such an email:
Links that don't look right, or that have content that appears, well, phishy. Such links may contain words similar to a vendor, bank, or eCommerce site but with slightly different spelling, or with suspicious elements added to the URL. What matters is the registered domain, the part just before the first slash read from the right: in https://paypal.upward.com the site belongs to upward.com, not PayPal, however convincing the prefix looks. Hover over a link (or long-press it on a phone) to see the real destination, because the visible text of a link can differ from where it actually goes. If such a site asks a user to log in, it should be avoided.
The absence of HTTPS and the lock symbol is a red flag, but their presence proves nothing: the lock only means the connection to that site is encrypted, and phishing sites routinely obtain valid certificates for lookalike domains. Judge the domain, not the lock.
An email from a known party whose content seems out of character should not be acted on or answered. Instead, contact the sender through another channel (a phone call, or a fresh message to a known address rather than a reply) to verify that they genuinely sent it. Such a message may mean that the sender's email or social media account and contact list have been compromised.
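The link checks above can be written down as code. The following Python script is an added example, not code from the original article: it extracts the real destination host of a link, compares its registered domain against an allow-list of legitimate domains for the brand the email claims to be from, and flags the common tricks (brand name used as a subdomain or with hyphens, a user@host prefix, non-ASCII lookalike characters, link text that names a different site than the destination). The LEGIT_DOMAINS allow-list and the sample links are constructed for illustration, and the registered-domain split is a simplification of the Public Suffix List.

```python
"""Lookalike-link triage for phishing emails (added example, standard library only).
The allow-list and sample links below are constructed for illustration."""
from urllib.parse import urlparse

# Constructed allow-list: brand -> registrable domains the brand really uses.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
}


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL ('' if none). A bare host gets a scheme so
    urlparse does not treat it as a path."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""   # .hostname drops userinfo and port
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels (paypal.upward.com -> upward.com); IP literals returned
    whole. Simplification: 'example.co.uk' needs the Public Suffix List."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(brand: str, href: str, display_text: str = "") -> list:
    """Return red-flag findings for a link claiming to come from `brand`.
    An empty list means an allow-listed domain reached over HTTPS."""
    findings = []
    url = href if "://" in href else "http://" + href
    parsed = urlparse(url)
    host = hostname_of(url)

    # Weak signal: no HTTPS. Its presence proves nothing (see the text above).
    if parsed.scheme != "https":
        findings.append("not HTTPS (weak signal: phishing sites often use HTTPS too)")

    # user@host trick: the browser navigates to the part after the '@'.
    if "@" in parsed.netloc:
        findings.append("userinfo before '@': browser goes to " + host)

    # Non-ASCII labels can hide homoglyphs (Cyrillic 'а' for Latin 'a').
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in hostname (possible homoglyph)")

    # The decisive check: which registrable domain does the link really go to?
    reg = registrable_domain(host)
    if reg not in LEGIT_DOMAINS.get(brand, set()):
        if brand in host.replace("-", ""):   # paypal.upward.com, paypal-login.com
            findings.append(f"'{brand}' appears in hostname but domain is {reg}")
        else:
            findings.append(f"destination {reg} is not a known {brand} domain")

    # Visible link text naming a different host than the real destination.
    shown = hostname_of(display_text) if "." in display_text else ""
    if shown and shown != host:
        findings.append(f"link text shows {shown} but destination is {host}")

    return findings


# Constructed sample links, as they might appear in a phishing email.
SAMPLES = [
    ("paypal", "https://www.paypal.com/signin", "PayPal"),
    ("paypal", "https://paypal.upward.com/login", "Log in to PayPal"),
    ("paypal", "http://paypal-secure-login.com/verify", "Verify your account"),
    ("paypal", "https://www.paypal.com@203.0.113.9/", "https://www.paypal.com"),
    ("paypal", "https://p\u0430ypal.com/", "paypal.com"),   # Cyrillic 'а'
]

if __name__ == "__main__":
    for brand, href, text in SAMPLES:
        found = check_link(brand, href, text)
        print(href + "\n   " + ("\n   ".join(found) if found else "no red flags"))
```

Only the first sample comes back clean; the other four each produce one or more findings. A mail gateway or a user-reported-phish triage script would apply the same logic to every href in a message, but the decision rule is the one in the text: the registered domain, not the prefix, the path, or the lock icon, decides who owns the site.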
Avoiding Phishing Schemes
There are several steps that businesses can take to improve defenses from phishing attacks.
Education
Employee education is the most important barrier against phishing. Every employee with internet or email access must be able to spot a phishing email, and a written email-handling policy should set out the basic rules for avoiding these schemes:
- Never click links in emails from unknown sources
- Never open attachments from external senders, or unexpected ones from colleagues
Make employees aware of common phishing lures, such as subject lines or attachment names like "invoice attached" or "immediate attention required".
Other email content that should be reported to IT and deleted without opening or clicking anything:
- Any email that requests personal information or account confirmation
- Emails that contain warnings or demands for a prompt response
- Messages that claim there is a problem with your system
- Content that presents itself as being from a business, but includes misspellings or poor grammar
- Emails that contain suspicious-looking or questionable links
Education is not a one-time exercise. Employees should be refreshed on email-handling best practices regularly.
Antivirus Software
Use antivirus and malware-detection software on every computer and keep it updated. Attackers continually develop new techniques to evade detection, and only current software carries the latest signatures and detection rules.
Keep operating systems updated with security patches regularly, including updating internet browsers.
Backup Data
To reduce the impact of a successful phishing attack, back up critical data regularly to other computers or media, since some attacks corrupt or destroy existing files. Keep at least one copy offline or otherwise unreachable from the network, because ransomware encrypts any backup it can reach, and test restores periodically so the backups are known to work.
Employ Security Safeguards
Make strong, unique passwords a policy and an enforced practice, and change them promptly whenever compromise is suspected. Multi-factor authentication (MFA) adds a further layer of security by requiring two or more independent credentials, such as a password plus a one-time code or a hardware key, before a user gains access to applications. One caveat: a phishing page can relay a one-time code to the real site just as easily as a password, so where possible use phishing-resistant MFA such as FIDO2/WebAuthn security keys, which are bound to the legitimate site's domain and will not authenticate to a lookalike.
Managed IT Services Can Help
Education, antivirus software, and updated browsers and operating systems are essential tools for avoiding phishing scams. Doing Better Business offers complete managed IT services to our clients, including increased security from phishing attacks.
Contact Doing Better Business to discuss cybersecurity at your business with our Managed IT pros.