As technology connects the world more and more, we find our important information at greater and greater risk of compromise through cyber attacks. However, as complicated as the techniques used by hackers have gotten in the decades since the creation of the Internet, the most common security risk is nearly as old as the Internet itself. Phishing is a strategy whereby a hacker will contact someone via email, pretending to represent an important person or organization, such as a bank, an admin from a social media website, or someone claiming to have money from a lottery. This acts as a point of trust, whereby the victim of the phishing attack with voluntarily give up sensitive information, such as usernames, passwords, Social Security Numbers, credit card info, etc.. These sorts of scams are commonplace and continue to source millions of dollars in profit for hackers and other cybercriminals. Phishing scams take advantage of human psychology, and so while many people are susceptible to such attacks, there are many precautions one can take to avoid falling victim oneself.
The most tried and true defense from phishing techniques comes from employee education. Since new phishing techniques are being developed constantly, businesses and organizations need to keep their employees up to date on how to spot common phishing attempts. IT departments at companies should run periodic phishing drills and employee training to keep their coworkers up to date on the dangers.
Most of the time, phishers will attempt to collect important company information by having them click on a link, or log into a scam website to collect usernames, passwords, keys, etc.. While everything may seem legitimate at first, there are many telltale signs to distinguish a phishing email from an official email. For example, phishing emails will not be specific; rather than naming the recipient will say something vague such as “Dear customer” in the tagline. Furthermore, upon closer inspection, many phishing emails contain misspellings and other inconsistencies. It is important for businesses and their employees to think before they click and to never give out sensitive information to an unverified source. When in doubt, one should verify with the source where the email claims to be from, to verify if this information is being requested. Furthermore, many companies, banks, etc. which deal with sensitive information, make it a point that they will never email to ask for this information through email.
Many browsers nowadays have plugins and software which will inform users if a website, download, or link is safe or not to interact with. Make sure any company computers have such software installed and kept up to date. This software comes with most popular browsers for free.
When accessing a website, it is natural to be wary of sharing any sensitive (esp. financial) information. However, if one can verify the security of a website this shouldn’t be a problem. Businesses and employees should make sure the connection to a website is secure by checking the URL. The URL should begin with https:://, referring to a secure hypertext transfer protocol. If this is not present, it is most safe not to share sensitive information along this connection, as it could be a link to a compromised or malicious website.
It is very important for an organization to have security measures up to date on the backend. Investing in a quality firewall is key here. The firewall effectively creates a closed network of computers, protecting computers within the company’s firewall from outside interference. There are two types of firewall; a desktop or software firewall, and a server or hardware firewall. When used in tandem they can act as a great protection of sensitive information and company networks from hackers and other cybercriminals.
That being said, an extra layer of protection can be enacted on the software side. In addition to firewalls, companies should invest in high quality anti-virus software. Antivirus software lists common technological loopholes and weakpoints, and prevents malware from exploiting these. It is of great importance that this antivirus software be kept up to date. As mentioned before, all sorts of new hacking techniques are being developed all the time, so keeping technology up to date will protect users from most known forms of attack.
Lastly, beware of pop ups. Oftentimes, pops appear pretending to be from legitimate companies and organizations, while truly waiting for someone who’s inattentive to click on the link, exposing their computer and their network to all sorts of malware. Most browsers come with popup blockers, and the software is easy to install and keep up to date.
To recap, while phishing poses a great financial and security risk to many companies, small and large, there are many steps individuals and organizations can take to avoid the full brunt and cost of these attacks:
Employees should be kept up to date on the sorts of common phishing practices, and IT departments should test this knowledge through regular phishing drills and training.
Many software solutions exist to combat the problem, including firewalls, popup and ad blockers, and browser extensions.
Employees and businesses must stay vigilant and be on the lookout for any sort of suspicious communication, and report it to their IT departments to allow the collective knowledge of cyberattack methods to grow and expand.
There is no one way of preventing and avoiding phishing attacks. However, with the right mindset and preparation they are avoidable, and millions of dollars and company reputation can be saved and preserved. With these aforementioned precautions, you will find your exposure to cyberattacks greatly reduced, and trust that your sensitive information will be much more secure. There is no need to constantly worry about these sorts of attacks if you make sure your organization is prepared through the right mixture of human intelligence and software protection.
Stay safe, and stay diligent.