Phishing in today’s web-centric world is more dangerous than ever. It is an omnipresent security threat to your business, your employees and your personal welfare.
Phishing is a scam where someone sends you a bogus email that attempts to fool you into revealing your passwords, login credentials, credit card numbers, banking information or other sensitive information. While phishing is a problem that often hooks individuals, attackers are now targeting businesses more frequently than ever before.
Why? First, businesses offer multiple points of entry — an attacker doesn’t need to go after a technically savvy CEO when he can fool a low-level employee in accounting. And second, when the infamous Willie Sutton was once asked why he robbed banks for 40 years, he responded “because that’s where the money is.”
The Anti-Phishing Working Group (APWG), for one, reported more than 92,000 phishing attempts each month in 2016, with 76% of companies falling victim to at least one attack. APWG, with a membership of more than 2,200 institutions worldwide, is an international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors.
So … what can you do?
Before we tell you more about CranstonIT’s partnership with KnowBe4 — the world’s most popular integrated platform for security awareness training — we’ve come up with five signs that identify scam email messages and the potential threat of a phishing attack. Let’s start with these “business beware” indicators.
1. An email asking you to reveal confidential information.
Red lights should start flashing with any email asking you to reveal personal information, expose your login credentials, sign a document online or open an attachment that could potentially install malware. If you think the message might be legitimate, confirm the request “out of band,” which means using another form of communication. For instance, if an email message asks you to log in to your bank account “for verification,” call the bank using a known and valid phone number and ask to speak to an account manager or someone in security.
2. An email from a sender you don’t know.
This is the email equivalent of “stranger danger.” If you don’t know the sender of an email that’s asking you to do something out of the ordinary, treat it with suspicion and certainly don’t respond to the request. While you shouldn’t be entirely paranoid — business involves contact with prospective customers or partners, after all — be wary of individuals or institutions asking for anything unusual.
3. An email from a large company asking for information or action.
Attackers often forge emails so they appear to come from a big company like Apple®, Google or PayPal. These companies are fully aware of the problem, and they never send emails asking you to log in to your account, update your credit card information or the like. Since sample emails from large companies are easy to come by, be aware that these phishing attacks can look a lot like legitimate communications.
4. An email from a trusted source asking for sensitive information.
The most dangerous form of phishing is spear phishing, where an attacker personally targets you. A spear phishing attack involves an email forged to appear to be from a trusted source — such as your boss, a co-worker, your bank or a big customer — where the attacker might even have taken over the sender’s account. The email then requests that you do something that reveals sensitive information, or worse. In one famous spear-phishing incident, employees of tech firm Ubiquiti Networks were individually fooled into wiring $46.7 million to accounts controlled by the attackers. Yikes.
5. An email containing numerous errors in spelling and grammar.
Many phishing attacks come from overseas, and attackers from other countries often write incorrect or fractured English. If you spot atrocious spelling, grammar or capitalization — no matter the alleged source of the email — it’s probably fraudulent. Keep that in mind before you hit “send” on your own sloppy email!
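As an added illustration (not part of CranstonIT’s or KnowBe4’s material), here is a small Python triage script that turns signs 1 to 4 above into header and body checks and runs them over a constructed sample message. The brand list, the phrase list and every address in it are assumptions made up for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands attackers commonly impersonate (sign 3) and their real sending domains; constructed list
IMPERSONATED_BRANDS = {"apple": "apple.com", "google": "google.com", "paypal": "paypal.com"}
# Wording typical of requests for credentials or payment details (sign 1); constructed list
SENSITIVE_REQUEST = re.compile(
    r"(verify your account|log ?in to your account|confirm your password|"
    r"update your (credit card|billing|payment)|wire transfer)", re.I)

def domain_of(address):
    # lower-cased domain part of an address header value, '' if there is none
    return parseaddr(address)[1].rpartition("@")[2].lower()

def triage(raw_message, known_senders):
    # returns a list of findings for one message; an empty list means nothing tripped
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Sign 2: the sender is not someone we already correspond with
    if from_addr.lower() not in known_senders:
        findings.append(f"unknown sender {from_addr}")
    # Sign 3: the display name claims a big brand but the address is not on that brand's domain
    for brand, real_domain in IMPERSONATED_BRANDS.items():
        genuine = from_domain == real_domain or from_domain.endswith("." + real_domain)
        if brand in display_name.lower() and not genuine:
            findings.append(f"display name claims {brand} but From domain is {from_domain}")
    # Sign 4: replies would go somewhere other than the apparent sender (forged or hijacked account)
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Sign 1: the body asks for credentials or payment details (plain-text messages only here)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hit = SENSITIVE_REQUEST.search(body)
    if hit:
        findings.append(f"asks for sensitive information: '{hit.group(0)}'")
    return findings

# Constructed sample message for demonstration (not real mail)
SAMPLE_PHISH = """\
From: PayPal Support <support@paypa1-secure.example>
Reply-To: collect@mailbox.example
Subject: Action required

Please log in to your account to verify your account within 24 hours.
"""

print(*triage(SAMPLE_PHISH, set()), sep="\n")  # demo run: prints one line per finding
```

Sign 5 (spelling and grammar) is deliberately left to the reader, since a mechanical check for it produces far more false alarms than the header checks above.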
One of the best ways to educate employees about the dangers of phishing is with security awareness testing and training.
CranstonIT and KnowBe4 can provide the strategy your team needs to recognize and then manage the IT security threats triggered by social engineering, spear phishing and ransomware attacks. Using a host of IT security training tools that range from password hacking to domain spoofing to ransomware simulation, KnowBe4 can help raise user awareness and ultimately bolster your company’s bottom line.
With KnowBe4, we can additionally offer a best-in-class phishing simulation and training platform that will improve your organization’s last line of defense — your human firewall. It will enable your employees to make smarter, more educated security decisions every day.
KnowBe4 training is now available from CranstonIT. For a no-obligation assessment of the training subscription right for your organization, contact us at 888-813-5558 or firstname.lastname@example.org