Phishing, a scam that feels almost as old as the internet itself, is actually on the rise. In 2018, 26,379 people fell victim to phishing, collectively losing over $48 million, according to a report from the FBI’s Internet Crime Complaint Center. That’s a significant increase from the $30 million that phishing victims lost in 2017. As hackers and fraudsters show no signs of slowing down, your company needs to train all employees to recognize and prevent phishing and related data breaches.
Trust Your Gut
The crux of any phishing scam is to trick victims into believing a request for sensitive or personal information comes from a legitimate source. Phishers typically contact potential victims through emails or text messages that, at first glance, appear real. The message may even use the company’s banner and logo. A close look may reveal flaws, but it’s often it’s too little, too late. All a phishing message has to be is convincing enough – then, it takes just one click to give phishers access to your data.
Phishing messages generally open with a story that creates a sense of urgency or panic and prompts the victim to click on a link or open an attachment. A phisher might send you an email on behalf of your bank regarding “suspicious activity,” or a text that you’re eligible for a government refund – but only if you act quickly enough. In corporate situations, employees may receive an email from someone impersonating a superior asking them to open an attachment, visit a webpage, or purchase a gift card. The scammers don’t expect everyone to fall for it, but they can count on a few people letting their guards down and clicking without thinking.
Still not sure if you could spot a phishing scam in the wild? Here are a few warning signs to look out for:
- An incorrect email address. Phishers often create email accounts with company names in the address that are slightly different from the official email address. For example, a phishing email might be from email@example.com instead of the real address, firstname.lastname@example.org.
- A generic greeting. If you have an account with a business or bank, the email would likely use your first name instead of saying “Hi Dear” or “Hi Customer,” as a scammer might.
- A request for sensitive information. In general, companies will not ask you for information like your Social Security number, account number, or password over email or text.
- A message from a company with which you do not have an account. If you receive an email or text message urging you to update account information for an account that does not exist, it’s at best a mistake and at worst a scam.
- A wrong, but almost right, URL. A phisher might direct you to a website like www.paypa1.com instead of paypal.com.
- Spelling or grammatical errors. While everyone makes a typo here and there, consistent errors are unlikely to remain in official company emails.
When in doubt, don’t click links or open attachments from messages requesting payment or account information, especially when you have no reason to expect there is a problem. You can always search for the company’s contact information online and speak with a trusted representative to determine if the message is legitimate or not.
“It won’t happen to me.”
No one thinks they’ll get scammed – until they do. Intelligent, tech-savvy people can become tired, distracted, or overwhelmed and click without thinking. Falling victim to a scam – especially if the scam results in a significant loss of money – can be humiliating. It’s important that companies are clear that phishing can happen to anyone and that employees should always report phishing attempts, successful or not. During training, reassure your employees that all reports will be confidential and that alerting the company is always better than attempting to resolve the problem alone.
Today, companies handle a lot of sensitive information. There’s no time more critical than now to train your teams on data security, with a special focus on scams like phishing. What’s more, remote working is more common than ever. Compliance training programs can help ensure that employees are protected and compliant, even when they’re out of reach of an IT colleague and using personal devices with weaker antivirus software than that of company computers.
Getting off the hook
While your training should be specific to your company and the particular cybersecurity threats your employees may face in their day-to-day work, there are general tips that apply to everyone.
- Never open links or attachments from emails requesting sensitive information
- Never share personal or company information over the phone or via email
- Regularly change your passwords
- Use multi-factor authentication to flag phisher attempts to log into your accounts
- Set your phone and computer software to update automatically
- Report phishing attacks to the FTC at ftc.gov/complaint
- Install and update antivirus software on company computers
- Install an ad-blocker or spam filter on company computers
- Encrypt sensitive company information
- Train employees to prevent and report phishing attempts
Want to get a leg up on phishing scams? Talk to the Interactive Services team to find out if our Data Privacy Compliance Training Program can help protect the health of your business.