The Phishing Expedition You Want to Avoid This Summer
It’s as easy for hackers to phish out your business’ personal data as it is to sit in a canoe on a still pond, cast the bait and wait for the fish to bite.
Malware attacks have become more pronounced than ever against banks. A report “The Invisible Web Unmasked” notes that just from July to September 2013, more than 200,000 new attacks occurred. This was made possible, in part, by the decision makers at banks (and other businesses) who fail to instill an anti-phishing mind-set in employees.
Despite the threat of malware attacks, many businesses continue to fail to teach employees about phishing scams, a favorite and extremely prevalent scam of cybercriminals.
One type of phishing scam is to lure a user onto a malicious website. ZeuS (Zbot) is such an example, planted on websites. If a user visits that site, it will download a virus onto a device that will steal the user's online banking information, then forward it to a remote server, where the thief can obtain it.
But that ingenuity is contingent upon an individual's being gullible enough to open a phishing email and then click on the link to the malicious site.
And who are these gullible users? Probably someare your employees. One report by the security training firm ThreatSim says that 18 percent of phishing emails are opened on the job, Eweek reported. People in the workplace are being lured into clicking on a malicious link.
Though some of this might arise when employees are fiddling around with personal affairs on the company computer or mobile device, sometimes this clicking is done because the employee believes that an email is business related.
Decision makers should mandate monthly training sessions for employees to make them phishing-proof.
Without training sessions, employees will be led to believe that their company routinely communicates urgent information to them via emails with links. According to a recent report, one particular phishing operation netted a 27 percent click-response rate.
Another factor in the likeliness that a business’s device will become infected is if it has outdated versions of commonly used software such as Adobe Acrobat and Microsoft Silverlight.
Even if you believe that your company’s phishing attacks are minimal, a small amount of this type of cyber assault can result in significant costs to a company, involving such things as cleaning up the damage, plus employee downtime during the operation:
Employees should be cautious about the following, according to the Anti-Phishing Working Group:
1. Be careful about email from an unfamiliar sender. If it’s earthshaking news, notified will probably come in person or via a voice phone call.
2. Don't trust an email from an employee that requests personal information, particularly financial data, or to donate to a charity. Even if the message contains the name and logo of the business’s bank, phone the bank and inquire about the email.
3. Be suspicious of an email requesting credit card information, a password or a username.
4. Be wary of an email subject line that’s of an urgent nature, particularly if it concludes with an exclamation point. Never rush to click on an email no matter how urgent the subject line appears.
5. Consider never clicking on links in emails. To visit a site, do a web search to find it.
6. Use a password manager to access online statements instead of clicking on the links in estatements.
7. Keep the computer browser up-to-date.
8. If a form inside an email requests personal information, enter delete to chuck the email.
9. Use the most up-to-date versions of Chrome, Internet Explorer and Firefox offer optional anti-phishing protection.
10. Check out special toolbars that can be installed in a web browser to help guard a user from malicious sites. This toolbar provides fast alerts when it detects a fraudulent site.
11. Use anti-spyware, antivirus and anti-phishing software and a firewall.
12. Stay out of the spam folder. Most phishing attempts end up in spam and lots of fish get caught there.
Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.