You’re at your desk, working hard, when an email pops up. The subject line says “Urgent!” and it seems to be from your finance manager. The body of the email is short and to the point: your business has a big problem with payroll. The note addresses you by name and instructs you to download the attached spreadsheet to see for yourself how dire the situation is.
Naturally, you click.
Congratulations…you’ve just been successfully phished.
Instead of downloading a spreadsheet, you’ve just allowed malware to sneak onto your system. You’re infected. You probably don’t realize anything is wrong – cybercriminals like to fly under the radar and remain undetected for as long as possible. And depending on what the attacker has planned, any number of things could happen now. Your keystrokes could be captured – including usernames and passwords for important systems. Your company data could be stolen – customer data, employee data, financial data, you name it. Your network and data could be locked up until you pay a hefty ransom fee. See “5 Tricks Cybercriminals Use and How to Avoid Falling for Them.”
Think it couldn’t happen to you, that you’re too small to be a target? Here are some real-world SMB examples:
- In February 2016, the network and all computer-dependent activities of the Hollywood Presbyterian Medical Center, including CT scans, lab work, pharmaceutical and clinical documentation, were locked up and offline for more than a week after an employee fell for a phishing scam. The phishers demanded $3.6 million to release them so the 500-doctor hospital could function again.
- A phishing email sent on February 23, 2016, compromised 2015 W-2 information on all employees who worked for Central Concrete Supply Co., Inc., Right Away Redy Mix, Inc., and Rock Transport, Inc.
- An employee of a Pennsylvania drilling firm got tricked by a phishing scheme that resulted in a loss of $3.5 million. A local school district was almost tricked by the same scam into wiring almost a million dollars to cybercriminals located in Moldavia.
Phishing: Your No. 1 Security Threat
Phishing at its most basic level is an email that attempts to trick you into downloading malware or giving out personal information like your Social Security number, bank account information, username or password. Phishing has been around since the dawn of the computer age, and is astonishingly successful. Google estimates that 45% of phishing campaigns succeed.
Who’s vulnerable? You – and, especially, your employees. It’s essential to educate yourself and your employees to recognize the difference between phishing emails and legitimate ones, and not to fall for them.
Here are five general rules to help you avoid phishing scams.
- Be cautious when opening emails that manipulate you emotionally. Phishers understand human psychology and will use all sorts of tricks to get you to open or respond to emails. Promises of free gifts, warnings that your account has been suspended, or even an urgent security alert that seems to come from your computer technician should all be treated as suspect if they ask for inappropriate information (like your Social Security number or usernames and passwords).
- Never respond to emails that request personal or financial information. Your bank or your employer will never ask you for bank account details, Social Security number or passwords by email. The email requesting this information may look absolutely legitimate – it can have the right logo, even the right design and typeface, of a reputable company – or it may even seem to be from someone you personally know and trust. Still, always delete these without replying or taking any action. If ever in doubt, call the bank or the person the email is supposedly from to verify that they sent it.
- Never go to your bank’s or a vendor’s website by clicking on a link included in an email. Do not click on hyperlinks or links attached in emails, as they could take you to fraudulent websites that lure you into “logging in” to your bank or other high-value e-commerce account. These fraudulent websites might look absolutely genuine, but what you are really doing is handing over the keys to your accounts to criminals. Type the URL directly into your browser whenever you want to visit a financial or e-commerce website.
- Check that the websites you visit are secure. If the websites you visit are on secure servers, their addresses should start with https:// (the “s” stands for “secure”) rather than the usual http://. Never enter personal or financial information except into an https web page.
- Keep your computer secure. Phishing emails often contain spyware and keyloggers (programs that can record your keystrokes and what you do online) or create a back door to allow attackers into your computer. Make sure you have antivirus software and that it’s up to date to catch these malicious programs before they can do harm.
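The two rules about email links and https can be turned into a mechanical check that a mail gateway or an awareness tool could run before a user ever clicks. The script below is an added example written for this article, not code from the original page or from any product it mentions: it parses the HTML body of a message, pulls out every link, and flags a link when it is not https or when the text shown to the reader looks like one web address while the underlying link actually goes to a different host (the classic “looks like your bank, goes somewhere else” trick described above). The email body and all domain names are constructed sample data. Note the third link in the sample: it uses https and still gets flagged, which illustrates that an encrypted connection alone does not prove a site is the one you think it is.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample phishing-style email body (not from the original article).
# Link 1: http, and the visible text names a different host than the href.
# Link 2: a plain https link with ordinary link text.
# Link 3: https, but the visible text is only a prefix of the real host.
SAMPLE_EMAIL_HTML = """
<p>Urgent! Payroll problem. Log in to review:</p>
<a href="http://login-verify.example.net/bank">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="https://secure.examplebank.com.example.org/">secure.examplebank.com</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


# Matches link text that itself looks like a URL or bare domain, e.g.
# "https://www.examplebank.com/login" or "secure.examplebank.com".
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


def displayed_host(text):
    """Return the host a reader would believe the link points to, or None."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def check_link(href, text):
    """Return a list of human-readable findings for one link (empty = nothing suspicious)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    shown = displayed_host(text)
    if shown and shown != host:
        findings.append(f"display text says {shown!r} but link goes to {host!r}")
    return findings


def audit_email(html):
    """Return [(href, visible_text, findings)] for every link in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL_HTML):
        status = "; ".join(findings) if findings else "ok"
        print(f"{text!r} -> {href}: {status}")
```

Run as a script it prints one line per link; as a module, `audit_email` returns the findings so they can be fed into a mail filter or a training report. The display-text check is deliberately conservative: it only fires when the visible text parses as a domain or URL, so ordinary link text such as “Help center” is never flagged on its own.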
Always Report Suspicious Activity
The question isn’t if you’ll be phished, but when. Every employee is a potential entry point into your organization’s network or computer environment. You need to stress this by training every employee on phishing tactics. You can even have them take a test and see how good they are at identifying suspicious emails. If you receive a suspicious email, forward it to the organization that was used to attempt to phish you – your bank or e-commerce site, for example. Also, tell everyone within your company to watch out for similar emails; a typical ploy is to send the same email to many employees of a specific company, hoping one of the workers will fall for the scam.