Gone are the days when phishing attempts were easy to identify and limited to emails only. While malicious messages are nothing new, they are becoming more sophisticated and harder to pick out from legitimate business communications. They also come to us through text messages, social media chats and even phone calls.
A few simple actions with one of these messages can turn into a problem that quickly spreads across digital channels and devices, but there are things you can do to defend against phishing attacks and resources that can help.
Vice President, Corporate Information Security Officer Jamie Neumaier knows a lot about managing security threats. Jamie leads an information security team that works to ensure that the people and systems at Erie Insurance remain as secure as possible. He answered questions about phishing scams targeting businesses and provided some helpful security tips.
WHAT IS PHISHING?
Phishing is malicious activity where criminals attempt to gain access to user information, data or devices. The goal is to get you to act without taking a moment to think, and when you do, the phishers can:
- Get access to data and information that they can leverage.
- Install malware on your system.
- Ask you to reveal your personal financial information for the purpose of stealing money or your identity.
- Access your email and send other malicious messages to your contacts to exploit others.
ARE COMPANIES ESPECIALLY VULNERABLE TO PHISHING?
Yes. With more work being done digitally, businesses of all sizes are susceptible to attack. Attackers also assume that small businesses don't spend a lot of money or effort on their security measures, making them a potentially easier target.
Phishers can easily find your contact information online and be reasonably confident that any message they send you will at least be opened, because you are in an industry where you are expected to be responsive. Phishing messages have also become sophisticated, so it is easy to be convinced to visit a malicious website or download an infected file that arrives in a message that looks legitimate. If they happen to be the type of phishers who call you, they can be very convincing, walking you through detailed instructions to give them your valuable information or install their malware.
HOW TO DETECT A PHISHING ATTACK?
Phishing messages that are poorly written, offer you large sums of money, or ask you for financial help have been common for a long time. Most of us know not to open, click or respond to these messages. As mentioned above, phishing attempts are not limited to emails either. Hackers now call from phone numbers that look like your own mobile number and try to get you to reveal sensitive information. They can also send you text messages.
More recently, phishing emails have been designed to look like other emails you might receive. They may appear to come from someone you trust such as a bank, friend, software vendor, retailer or supplier, but usually the timing of the messages is unexpected.
For example, a common technique is for a hacker to gain access to an email account through a phishing attempt, then access the account and reply to a real email conversation with a malicious link. So when the recipient receives this email, it looks like a continuation of a previous conversation, but it asks the recipient to download a document or enter their credentials.
HOW CAN PHISHING ATTACKS BE PREVENTED?
In your daily business with employees, customers and other consumers in general, know who and what you are dealing with. If you receive a message, phone call, or email that is unexpected or just seems a little off, verify that it is genuine before taking action. Call the person who appears to have sent the message and ask if he or she sent it. If the answer is no, it is a malicious message.
OTHER THINGS YOU CAN DO:
- Enable multi-factor authentication (MFA) services on as many things as you can, such as your email. If you happen to fall for any of the phishers’ tricks, having this extra layer of protection will greatly reduce their chances of taking over your email or other targeted account.
- Keep your software and devices up to date. The latest updates for Microsoft Office products, operating systems, third-party applications such as Adobe Reader, and smartphone operating systems contain patches that protect against the latest security issues.
- Hover over a link in an email to display the URL. If it looks suspicious, don’t click on it.
- Use a modern endpoint protection program on your devices. They are often provided by mainstream and well-known security brands such as McAfee and Norton. Microsoft also offers endpoint protection for Windows and other applications.
- Always back up your data, allowing you to return to business as quickly as possible should you fall victim to an attack. Test your backup processes periodically to ensure they are working as expected.
- Train your employees on good cyber security practices such as how to identify phishing attempts and spam emails. According to the World Economic Forum, up to 95% of cyber security problems can be traced to human error – so staff training is important.
- Look at the extension on Microsoft Word attachments. Most users have updated their Microsoft products so that Word documents end with .docx. If you see the deprecated .doc extension, question it.
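The link and attachment checks from the list above, automated over a raw email as an added example (this is not the article's or ERIE's code). The sample message, addresses and domains are constructed placeholders, and the HTML link matching is a deliberately simple regular expression.

```python
# Added example (not from the original article): automate two of the checks
# above on a raw email: show the real host behind each link's visible text
# (what hovering reveals) and flag attachments with the deprecated .doc
# extension. SAMPLE is a constructed message; all domains are placeholders.
import email
import re
from email import policy
from urllib.parse import urlparse

# Simple pattern for <a href="...">text</a>; good enough for typical mail HTML.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(s):
    # Hostname of a URL or bare domain string, lower-cased ("" if none).
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def review_message(raw):
    # Return human-readable findings for one raw RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
            # Compare only when the visible text itself looks like a URL/domain.
            if "." in text and " " not in text and _host(text) != _host(href):
                findings.append(f"link text '{text}' really points to {_host(href)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".doc"):
            findings.append(f"attachment '{name}' uses the deprecated .doc extension")
    return findings

SAMPLE = """\
From: accounts@example.com
Subject: Re: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Please review: <a href="http://login.example-pay.test/x">www.example.com/invoices</a></p>
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""
```

Running `review_message(SAMPLE)` reports the mismatched link host and the .doc attachment; a plain-text message with no links or attachments produces no findings.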
Also, keep in mind that if you are the victim of an attack, you may not know immediately; the first indication may be your customers receiving an unexpected message from you. Unfortunately, a customer calling to verify something you apparently sent (but never did) may be the moment you learn you’ve been hit.
If customers call to ask whether a message is legitimate, confirm whether you actually sent the email and then give them the same advice you use in your own business:
- Did the customer expect to receive that email?
- Does the link or URL lead to a legitimate, expected URL?
- Is it asking them to open a suspicious document they weren’t expecting?
- Does it ask them for user IDs and passwords threatening to remove or disable their access?
Answering these questions can help both of you decide if the message is safe.
Phishing is constantly changing and evolving as perpetrators adopt new techniques and forms, so it’s important to have a good security plan in place and watch out for new attacks to protect your business. A well-trained team that knows how to spot a suspicious message can also be a good defense against phishing attacks by being able to respond to an attack instead of just reacting with a quick action.
The right protection for your business
Contact us today to learn about some of the smart and affordable ways to protect your business. For example, Cyber Suite from ERIE¹ can help you recover from an incident in which your customers’ or employees’ non-public, personal information is compromised and you need to notify them of the breach. It can be purchased and added to your business insurance policy.
¹Cyber Suite is only available to customers with an ErieSecure Business® policy. Cyber Suite coverage and related services are reinsured under a contract with Hartford Steam Boiler (Home Office: Hartford, Connecticut). © 2021 The Hartford Steam Boiler Inspection and Insurance Company (“HSB”). All rights reserved. This document is for informational purposes only and does not change or invalidate any of the terms of the policy or its recommendations. For specific conditions, see the coverage form. Coverage not available in New York.