There are common tactics phishers use to fool employees into opening harmful links, downloading malicious files, and handing over passwords and other data that can seriously harm a business. Phishers prey on human emotion and error to achieve their goals. Cybersecurity professionals agree that employee education is a crucial component of cybersecurity, just as important as a company's data security systems. Below are some of the most common phishing tactics used against personnel, and how to avoid being hooked, according to Tripwire.

1. The Lure: Deceptive Phishing

Beware of emails claiming to be from a vendor or service provider. They frequently use subject lines and content focused on urgent business matters that require your input. They ask an employee to provide personal information and/or log in to a bogus web page that steals their credentials.

How to Avoid the Hook:

Look for generic wording in the email that is not specific to you. Phishers cast a wide net geared toward catching as many employees as possible, and therefore avoid being specific. No legitimate organization, from the IRS to your service providers, will ask for sensitive information in an email or provide a link to a web page requesting it.

2. The Lure: Spear Phishing

This one is more sophisticated and can be tricky to spot. Phishers glean specific information about you from social media and other public postings, and they're not afraid to use it. Data from previous breaches is quickly becoming the most valuable information available. The more specific information a criminal knows about you, the more likely they can produce an enticing email. This is how criminals weaponize data: data about you is just information, but turning that information into a malware delivery system changes the data into a weapon. Finally, custom lookalike domains are often used to make the email that much more credible. So the email may look like a PayPal email, but the sender address is slightly off.

Can you spot the fake email address? or

The first address is the fake: it has a capital 'I' where the lower case 'l' should be. This is an extreme example, but there are thousands of attacks every day using this type of deception.
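The capital-I-for-lowercase-l trick above is one instance of a general problem: characters that look alike in common fonts. The following Python checker is an added example, not code from the article or from Tripwire. It folds such confusable characters (including a few Cyrillic homoglyphs) into a "skeleton" form before comparing a sender's domain with a constructed, hypothetical allowlist of domains the organization actually deals with, and also flags a real brand name buried inside an unrelated domain. The allowlist contents and the function names are assumptions made for this example.

```python
import unicodedata

# Constructed, hypothetical allowlist: domains the organization really receives mail from.
KNOWN_DOMAINS = {"paypal.com", "example-vendor.com"}

# Characters (or character pairs) that are easily mistaken for the value they map to.
# Capital I becomes "i" after lowercasing, so "i" is folded to "l" to catch the trick above.
CONFUSABLES = {
    "i": "l",
    "1": "l",
    "0": "o",
    "rn": "m",
    "vv": "w",
    "\u0430": "a",  # Cyrillic a
    "\u043e": "o",  # Cyrillic o
    "\u0435": "e",  # Cyrillic e
    "\u0440": "p",  # Cyrillic r, looks like Latin p
    "\u0441": "c",  # Cyrillic s, looks like Latin c
}


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which confusable characters are unified."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance; small distances indicate a near-miss domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from a raw From header value such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address: str, known=KNOWN_DOMAINS):
    """Return (verdict, domain): verdict is 'known', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    if domain in known:
        return "known", domain
    for good in known:
        if domain.endswith("." + good):
            return "known", good        # genuine subdomain of an allowlisted domain
        if good in domain:
            return "lookalike", good    # brand name embedded in an unrelated domain
    skel = skeleton(domain)
    for good in known:
        good_skel = skeleton(good)
        if skel == good_skel or edit_distance(skel, good_skel) <= 1:
            return "lookalike", good    # homoglyph swap or one-character typo-squat
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample senders, including the capital-I trick from the text.
    for sample in ["service@paypal.com", "service@paypaI.com",
                   "alerts@paypal.com.evil-example.test", "noreply@github.com"]:
        print(sample, "->", classify_sender(sample))
```

A "lookalike" verdict is a reason to pick up the phone and verify, exactly as the text advises; an "unknown" verdict only means the domain is not on the allowlist, so the list has to be maintained as vendors change.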

How to Avoid the Hook:

Avoid posting personal information anywhere on the web. Social media and other sites are trolled by phishers looking for an effective hook, and they count on unsuspecting users. Practice common-sense password security for every site that you log on to. Most importantly, verify every unexpected link and attachment with a phone call or a separate email before clicking.

3. The Lure: CEO Fraud

Phishers pose as the head of the company in the sender field. The subject line and body direct employees in certain roles to take financial actions, such as paying a bogus vendor.

How to Avoid the Hook:

Don't hesitate to verify the boss's email request, especially if it seems out of place. A quick phone call can prevent a fraudulent payment, and overall, CEOs would rather be safe with a phone call than sorry without one.

4. The Lure: Pharming

Phishers also use fake websites to gain your trust and information. They imitate a company's domain name and URL to appear legitimate, usually providing a link to a well-crafted fake site that's ready to heist your data.

How to Avoid the Hook:

Even the slightest doubt about a website should be verified. One quick way is to check the site's security certificate; legitimate sites always have one. First, make sure the lock icon appears to the left of the URL. Clicking on it lets you see the certificate status and the domain it was issued for; confirm that name is the site you expected. If a certificate isn't present or is invalid, get out quickly and report your experience to the appropriate person or department.

5. The Lure: Phishing via File Sharing

Emails that imitate business file-sharing apps are an effective tool for stealing login credentials and delivering malware-infected files. Employees receive emails that appear to be ordinary requests to view or share a file. When they act, phishers are waiting to pounce.

How to Avoid the Hook:

Check those emails carefully, look for grammatical errors and misspellings, and always confirm which service you are signing in to. Use a physical security key for login verification where the service supports it. If that's not available, enable two-step verification. Any additional step that verifies a login can help thwart a phisher's goal.