Training your employees to understand Phishing
Phishing attacks are reported to us on a daily basis now. Our own office sees at least one attempt a week. They are not as simple as they used to be… the rich prince in urgent need of transferring millions of dollars may no longer turn up, but the criminals certainly do, and they want your money.
Criminals these days do their homework. They check your website and look on LinkedIn for staff names and titles. They try to hack your customers and your suppliers, and they look for patterns in your email and other communications, so that when they contact you with a phishing email or phone call they already have all the information they need to take your money.
Here are 7 things that you need to teach your employees about Phishing.
1. Phishing – What is it?
It is a fraud in which the criminal/hacker attempts to gather your personal information by impersonating a legitimate source, or by linking you to a realistic-looking website that tricks you into typing in personal information or a password, or into downloading a malicious piece of malware/spyware onto your PC/device.
2. The person you think you are dealing with may not actually be that person
Just because an email comes from email@example.com, it does not mean that you are in fact emailing Joe Bloggs. It is very simple to spoof an email address, especially if the sending email system is not well set up. Even if it is set up to a typical level, it is still possible for mail from Joe Bloggs to arrive from his own address and end up in your Junk Mailbox. Never trust mail that first landed in your Junk Mailbox unless you verify it with an IT expert. (That is not your friend who “dabbles in tech or IT”, by the way.) Call your IT team!
3. Never EVER transfer money OR change bank account details without speaking to someone.
This is by far the most common thing the hacker/criminal will eventually try to convince you to do, while pretending to be a legitimate customer, supplier or contact. Remember, they have just spent a month researching you and your company. They already know that you deal with supplier X and that your emails look a certain way, especially if they have already hacked your supplier or customer!
There is one simple rule we suggest you implement: all bank account changes and money transfers must be confirmed verbally by an approved contact or, if that is not possible, in writing by two different people. It is SO simple to make a quick internal call to confirm whether someone really requested the bank account change, and changing bank details is the first thing a hacker will try to get you to do.
4. READ the sender address, and look at the email layout.
We get a lot of emails from customers asking “Is this a legitimate email?” when it is very obvious that the sending address is completely different. Any email asking you to click a link or send information should immediately be treated as “one to check”. Look at the sender’s email address. If it says anything other than what you would expect, bin the email.
5. Hover over links in emails before clicking them.
Most employees do not know this. If you are reading an email and you hover the mouse over a link (without clicking it), it will show you the address that the link is about to send you to. If it looks in any way dodgy, don’t click – ask your IT team!
6. If it’s a demanding email, it’s likely a scam
“Your account will be closed”
“If you do not take action now, the company will be suspended from trading”
“You must action this email before the close of business today”
Unless you are expecting such a mail, avoid it.
7. Just because it has the company logo, it doesn’t mean it’s legitimate
The email may have the Apple or Microsoft logo in it, but that does not mean it came from those companies. Be wary!
In summary, people are trying to trick your employees every day. IT companies can do some technical things to help protect your company, but nothing will protect you against an employee essentially opening the front door to your building – and, at the same time, the safe and all the interior doors. Give your staff the information they need and remind them of these threats on a continuous cycle.
Your IT team needs to know about these emails and targeted messages. (Remember, it’s not just email. It can and will be phone calls, text messages, WhatsApp messages, you name it.) Ask your staff to notify IT as soon as they see something that is not right, and get the IT team working on blocking the attacks.
Finally, it is important that you do not make your staff feel guilty or afraid to report it if they have been tricked.
We have seen people, including in our own office, *almost* click a link in an email because these criminals are very good at tricking us all. Some are better than others, and timing is everything. One such example was a user who was working on resetting their Apple ID about 10 minutes before they got a mail purporting to be from Apple, which was in fact a phishing attack. That user clicked the link, and luckily the Cisco Umbrella system we had implemented blocked the link that was clicked.
Make sure that your staff have a quick and easy way of reporting these attacks. Maybe reward them with something small? Free lunch? Gold star? Whatever works in your organisation.
Report the fraud if you are caught out
If you are unlucky enough (especially if you have sent this article to your staff and it still happens) to get your data/money stolen, follow a written procedure, which may form part of your new GDPR policies.
- Contact your financial institution immediately
- Contact the Garda Fraud squad
- Work with IT on establishing what happened.
You might not get your money back, but you may prevent it from happening again in the future.
If this has happened to you recently…
Let us know if you want help addressing this issue with your staff, and call/contact us today at these numbers and email address:
Limerick: +353 61 386 600
Dublin: +353 1 901 1234
Cork: +353 21 603 0707