How to limit risks from phishing threats
Employee training and awareness are essential in preventing malware, breaches
Email phishing and spear phishing are quickly becoming more sophisticated, and more targeted, than ever before. It is critical that you understand these threats to your network. Awareness of key threats will enable you to employ practices and behaviors that limit your risks.
Email phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Email spear phishing is similar, but the difference is that the attack is targeted toward a specific key person or group. Spear phishers thrive on familiarity. They typically already know your name, email and other information, which is easily gathered from social media.
The Sony, Anthem and Target breaches all began with a phishing scam. Once a malicious link is clicked on, cybercriminals use techniques like hiding downloads of malware on your system, placing keyloggers on your PC to capture keystrokes, or using different forms of ransomware to extort cash from victims by encrypting your data and demanding cash for the data back.
Unfortunately, even the best security technology in the world can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources.
If you are already patching applications, keeping anti-virus software up to date, monitoring and preventing access to malicious websites, then you are already screening out the majority of malicious attacks, But cybercriminals are always developing new tactics, and some will still get through to your inbox. Therefore, the end-user/employee is the last, and most important, layer of defense against phishing attempts.
That is why employee awareness training is so important. This will involve putting practices, and policies in place that promote security, and training employees to be able to identify and avoid risks.
Tips for prevention
Here are some tips for avoiding malware, provided by the Federal Trade Commission:
• Keep your security software updated. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. Set your security software, internet browser, and operating system to update automatically.
• Instead of clicking on a link in an email, type the URL of the site you want directly into your browser. Criminals send emails that appear to be from companies you know and trust. The links may look legitimate, but clicking on them could download malware or send you to a spoof site designed to steal your personal information.
• Don’t open attachments in emails unless you know who sent it and what it is. Opening attachments — even in emails that seem to be from friends or family — can install malware on your computer.
• Download and install software only from websites you know and trust. Downloading free games, file-sharing programs and customized toolbars may sound appealing, but free software can come with malware.
• Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads. For Internet Explorer, for example, use the "medium" setting at a minimum.
• Use a pop-up blocker and don't click on any links within pop-ups. If you do, you may install malware on your computer. Close pop-up windows by clicking on the "X" in the title bar.
• Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That's a tactic scammers use to spread malware.
• Talk about safe computing. Tell your kids that some online actions can put the computer at risk: clicking on pop-ups, downloading "free" games or programs, opening chain emails, or posting personal information.
• Back up your data regularly. Whether it's text files or photos that are important to you, back up any data that you'd want to keep in case your computer crashes.
Creating awareness with your employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need to know the basics about how to make good judgments online.
Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.
Tim Howard is president and CEO of RMON Networks, Plaistow.