Phishing happens when someone sends a malicious e-mail, or directs a user to a malicious website, that is designed to bait the user into entering their credentials into a fake site under false pretenses. The target may be e-mail account details, bank credentials, PayPal credentials or other administrative access that an attacker can use to steal an identity or financial information. Phishing can arrive through spoofed e-mail accounts claiming to be from an individual or business you’re affiliated with, or through malware placed on your PC to steal credentials indirectly. During the 4th quarter of 2014, a record number of malware variants were detected: 255,000 new threats each day.
Want to keep your customers and business data safe from phishing attempts? Here are a few tips:
Educate employees on e-mail phishing warning signs.
Make sure that you educate your employees on what to look for:
- Look for typos within the e-mail
- Check the sender’s e-mail address, since phishing messages usually come from fake or “spoofed” addresses
- Use common sense: if a website doesn’t look official, don’t enter your credentials
- Log in to the actual site directly, rather than clicking the link in the e-mail, and look there for the same notification
- Use a different password for each application, so that if one is compromised the others are not.
Educate users on what to look for with links and websites.
Remind your users that every website where they must enter credentials should be checked for SSL (the URL will begin with https://) and should carry the actual domain of the bank or other organization they are trying to reach. This may seem like common sense, but users often rely on the appearance of a website rather than checking the URL. Just because a site looks like the organization’s official site does not mean that it is. Always check the domain of any website where you are entering your credentials.
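As an added illustration (not part of the original article), the following Python function applies the two checks above to a URL before credentials are entered: the scheme must be https and the registered domain must be on a list of expected login sites. The allowlist names and sample URLs are constructed for the example. It also flags a few tricks that the advice is meant to catch: a bare IP address, a look-alike host that merely starts with the trusted name, and a username part before @ that hides the real host.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites where users are expected to log in (hypothetical names).
TRUSTED_LOGIN_DOMAINS = {"examplebank.com", "payments.example"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Crude on purpose: it ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_url(url: str):
    """Apply the article's two checks (https and the real domain) to a URL.
    Returns (ok, reasons); reasons is empty when the URL passes."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append("not https")
    host = parts.hostname or ""
    if not host:
        reasons.append("no hostname")
        return False, reasons
    # 'https://examplebank.com@evil.test/' really goes to evil.test; the part
    # before '@' is user info and is easily mistaken for the site name.
    if parts.username is not None:
        reasons.append("user info before @ hides the real host")
    # A bare IP address is never a bank's login page.
    if ":" in host or host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain")
    # Punycode (xn--) hosts may be internationalized look-alikes of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host, possible look-alike domain")
    # 'examplebank.com.evil.test' starts with the trusted name but is registered under evil.test.
    domain = registered_domain(host)
    if domain not in TRUSTED_LOGIN_DOMAINS:
        reasons.append(f"domain {domain!r} is not an expected login site")
    return not reasons, reasons


if __name__ == "__main__":
    for sample in ["https://login.examplebank.com/",
                   "http://examplebank.com/login",
                   "https://examplebank.com.evil.test/login",
                   "https://examplebank.com@evil.test/"]:
        print(sample, check_login_url(sample))
```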
Add an anti-phishing plugin to your web browser.
There are a number of anti-phishing plugins available for all major browsers. These plugins monitor for and flag potential phishing sites on business machines. Engage your IT partner to ensure that they are deployed consistently and monitored as needed. Which plugin applies depends on the browser the individual is using. This website has a few suggestions.
Know your industry.
Some industries are more susceptible and targeted than others. In the 4th quarter of 2014, according to the APWG Phishing Activity Trends Report, Retail/Service, Financials and Payment Services industries were most heavily impacted. Be aware of which industries are most heavily targeted. Take the time to discuss with peers at industry conferences or engage your IT firm for strategies to reduce risk. Industries that deal with sensitive information in volume are more likely to be targeted than professional services companies. Regardless, all businesses stand to lose sensitive information from a successful phishing attack.
Because phishing typically hits users at a personal financial level, it is often not given much thought at the business level. However, with a little careful training and some proactive measures you can ensure that your users and your business are protected from phishing scams.