An administrative assistant gets an email from her boss. He needs some iTunes gift cards for clients; can she pick them up right away? Since there are limits to how many she can purchase at one location, he asks her to go to several stores to buy them. When she’s got them all, he tells her to send him the codes.
She follows his instructions. However, while the email she received had her boss’s name in the “from” field, it wasn’t really from him.
This is called phishing, a security attack that those in IT network support services see often. Phishing is that “bank error” email that’s not really from your bank. Or a text like the one described by an Orange County Sheriff, asking recipients to call and get help with their disability benefit issues. If you get an email telling you “you’ve just won $100,000” from a contest you didn’t enter, or a Facebook message from a friend that says “Watch this! LOL!”, there’s a good chance you are being phished.
Gift card scams like the one above are a subset of phishing called spear phishing that targets an individual or a company. For example, someone pretending to be a company’s CEO sends a request to someone in payroll for direct deposits to be re-routed, or asks an employee to download an “important document” that contains harmful software.
Phishing can be stopped with proper employee training and education; poorly trained employees may unwittingly agree to costly and harmful requests.
How do companies protect themselves from phishing attacks? Here are three top strategies:
Train your employees:
It’s easy to assume that our co-workers are as savvy as we are. You would never send your bank account number to a Nigerian prince, so surely no one else would either. Yet there are people who do get taken in by these scams. The larger the company, the more likely it is to contain someone overly trusting. A phishing attack aimed at 100 employees of a company succeeds even when 99 of them do the right thing.
Employees need to be able to recognize spoofed emails and fake websites. Most importantly, they need to understand that email is inherently untrustworthy. If an employee’s first response to a request for funds or sensitive documents is to pick up the phone and verify that request before taking action, the phishing attack will always fail.
Implement security warnings:
Phishers often spoof people or companies. An email that at first glance is from email@example.com might actually be from firstname.lastname@example.org. IT network support service professionals can configure email servers to check for out-of-domain emails; employees will think twice if that email from their “boss” has, in bold letters across the top, “WARNING: THIS EMAIL IS FROM OUTSIDE YOUR COMPANY’S DOMAIN.”
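As an added example (not code from the original post), the out-of-domain check described above in Python: it assumes example.com is the company’s own mail domain and uses a small, constructed list of internal staff names so that it also flags external mail whose display name matches an employee, which is exactly the “boss” case in the story.

```python
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Assumption: example.com is the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"
# Constructed directory of internal display names (in practice, pulled from AD/LDAP).
INTERNAL_NAMES = {"pat boss", "sam payroll"}
WARNING = "WARNING: THIS EMAIL IS FROM OUTSIDE YOUR COMPANY'S DOMAIN."


def is_internal_domain(domain: str) -> bool:
    """True for the company domain or one of its subdomains.
    A bare endswith() would wrongly accept 'notexample.com'; 'example.com.evil.org'
    must stay external."""
    domain = domain.lower().rstrip(".")
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def classify_sender(from_header: str) -> dict:
    """Parse a From: header; report whether the address is external and whether
    its display name matches an employee (display-name impersonation)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    external = not (addr and is_internal_domain(domain))
    impersonation = external and name.strip().lower() in INTERNAL_NAMES
    return {"address": addr, "external": external, "impersonation": impersonation}


def tag_message(raw: str) -> EmailMessage:
    """Parse a raw message; if the sender is external, add an X-External-Sender
    header and put the warning at the top of a plain-text body."""
    msg = Parser(policy=policy.default).parsestr(raw)
    verdict = classify_sender(msg["From"] or "")
    if verdict["external"]:
        msg["X-External-Sender"] = "impersonation" if verdict["impersonation"] else "yes"
        if msg.get_content_maintype() == "text":  # leave multipart mail untouched here
            msg.set_content(f"*** {WARNING} ***\n\n{msg.get_content()}")
    return msg


# Constructed sample: the boss's name in the From field, but an outside address.
SAMPLE = """From: Pat Boss <pat.boss@example.org>
To: assistant@example.com
Subject: Urgent: gift cards
Content-Type: text/plain; charset="utf-8"

Can you pick up some iTunes gift cards today and send me the codes?
"""
```

In a real deployment this logic sits in a milter or transport rule on the mail gateway, and the display-name list comes from the directory rather than a hard-coded set.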
Test your defenses:
Running your own test phishing scam can tell you who is susceptible to security attacks. You could, for example, send a mass email to employees asking them to enter their password into a fake site you create. Those who do need extra training.
Our Leveldesk IT network support services group has helped many companies protect themselves from phishing attacks with these and other techniques, especially companies near our offices in New York or southern California. If you’re worried about security vulnerabilities, give us a call (212-658-0995 or 949-543-1500) or use our email contact form.