You could hire the greatest security experts to scan for vulnerabilities and put systems in place to protect your intellectual property and customer data from cyber-attacks, but a single employee can undo all of that with a few simple clicks.
It sounds hard to comprehend, but the single largest threat to your organization’s cybersecurity is your staff. All it takes is one unaware employee falling for a phishing email, and suddenly attackers hold valid log-in credentials and have nearly free rein of your systems. Phishing is one of the most common forms of cyberattack because it is low-tech, inexpensive and effective.
Use these best practices to train your staff to be wary of suspicious emails and to avoid becoming phishing victims.
Never give out your log-in credentials
No legitimate customer support representative will ask for your log-in details over the phone or by email. Never give them out in response to such a request, however convincing the message looks.
You should also be wary of emails that ask you to “renew” your log-in details and send you to a suspicious-looking URL. Scammers typically build convincing but fake websites whose only purpose is to collect log-in information. Posing as your bank, for instance, they send an email stating that your log-in details have expired, with a link to create new ones. If you follow it and log in, you hand them your username and password, which they then use on your real bank account.
Until you know for sure that the email is legitimate, avoid clicking any links or opening any attachments in it. Friendly anchor text like “click here” can lure you into clicking a dangerous URL, because the visible text and the real destination of a link are two different things. Attached documents, even PDFs, can carry malicious programs like ransomware and viruses that wreak havoc once opened.
Most browsers and desktop mail clients show the real target URL of a link (usually at the bottom-left corner of the window) when you hover over it with the mouse, without clicking. If you have doubts about an email, use this to scrutinize where the link actually goes before deciding whether to click at all.
If it seems suspicious, it probably is
Trust your instincts. If something feels a little off, like an email sent during off hours or holidays, an unusual greeting or an unexpected request, it could be a phishing attempt. Report it to the relevant people in your organization. The emails and fake websites used in phishing scams can look legitimate, but on closer scrutiny you can usually find subtle giveaways.
- Email addresses could appear to be from a known sender but look slightly off. For example, your boss’s email may be firstname.lastname@example.org but you may find a suspicious email sent from email@example.com. Scammers can also write the “display name” as firstname.lastname@example.org but the actual address it is sent from is completely different. When viewing emails on your mobile phone, you typically only see the display name unless you expand the address information.
- If a link URL looks weird, don’t click it. The fake bankofarnerica.com (an “r” followed by an “n” in place of the “m”) looks just like the real www.bankofamerica.com at a quick glance. Scammers are getting better at making convincing fake websites that ask you to log in but actually capture your credentials. When in doubt, open a separate browser window, type in the official site’s address yourself and compare it with the link.
If an email address or URL looks lengthy and confusing, like email@example.com, it is probably best to avoid it.
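The two checks described above (comparing the display name with the real sender address, and comparing a link’s visible text with its real target, including look-alike domains such as bankofarnerica.com) can be automated. The script below is an added example written for this page, not code from the original article or from any product it mentions. The allowlist of trusted domains, the table of confusable character sequences, the sample From: header and the sample HTML email body are all constructed for illustration; the look-alike check also goes slightly beyond the text by flagging a trusted name buried inside a longer host, which is the “lengthy and confusing” address case.

```python
"""Hypothetical phishing-indicator checks (constructed example, not from the
original article). Flags the giveaways the text describes: a display name that
does not match the real sender address, a link whose visible text names one
host while the target is another, and targets on look-alike domains."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains the organization actually uses.
TRUSTED_DOMAINS = {"example.org", "bankofamerica.com"}

# Character sequences that read like another character in many fonts
# (assumption: a small hand-picked table, not a full confusables list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(host: str) -> str:
    """Lower-case a host and collapse visually confusable sequences."""
    host = host.lower().strip(".")
    for look, real in CONFUSABLES:
        host = host.replace(look, real)
    return host


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no
    public-suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if the host is
    genuine or simply unrelated."""
    dom = registrable_domain(host)
    if dom in trusted:
        return None                       # the real thing, any subdomain
    for t in trusted:
        if normalize(dom) == normalize(t):
            return t                      # bankofarnerica.com -> bankofamerica.com
        if t in host.lower() and dom != t:
            return t                      # example.org.account-verify.net
    return None


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Findings for a From: header. An address written into the display name
    that differs from the real address is the trick mobile clients hide."""
    findings = []
    display, addr = parseaddr(from_header)
    real_dom = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for shown_host in re.findall(r"[\w.+-]+@([\w.-]+)", display):
        if registrable_domain(shown_host) != real_dom:
            findings.append(f"display name shows @{shown_host} but mail is from @{real_dom}")
    imitated = lookalike_of(real_dom, trusted)
    if imitated:
        findings.append(f"sender domain {real_dom} imitates {imitated}")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def check_links(html: str, trusted=TRUSTED_DOMAINS):
    """Findings for every link: text that names a different host than the
    target ("click here" names none, so it is only checked for look-alikes)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?(?:www\.)?([\w-]+(?:\.[\w-]+)+)", text.strip())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append(f"text says {shown.group(1)} but link goes to {target}")
        imitated = lookalike_of(target, trusted)
        if imitated:
            findings.append(f"link host {target} imitates {imitated}")
    return findings


# Constructed sample message: a spoofed display name and two bad links.
SAMPLE_FROM = '"firstname.lastname@example.org" <attacker@example.com>'
SAMPLE_MAIL = """
<p>Your online banking log-in details have expired.</p>
<a href="https://secure.bankofarnerica.com/renew">www.bankofamerica.com</a>
<p>Or <a href="http://example.org.account-verify.net/renew">click here</a> to renew now.</p>
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_MAIL):
        print("SUSPICIOUS:", finding)
```

Running the script on the constructed sample reports the display-name mismatch, the bankofamerica.com text pointing at bankofarnerica.com, and both look-alike hosts. The normalization is a heuristic, so treat a hit as a reason to stop and verify out of band, not as proof, and a clean result as no guarantee.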
Unsure? Double check
When in doubt, reach out to the supposed sender by phone or text to confirm they actually sent the email, using contact details you already have rather than any given in the message itself. If your boss suddenly emails while on vacation asking you to transfer money to a supplier, get in touch with your boss first. If it really is urgent, they will be available to answer your message, and they will appreciate the precaution if it saves the organization from losing money.
Suspicious of a link? Type the official website’s address into your browser yourself and compare it with the link to see whether the link is legitimate.
Don’t let them intimidate you
Scammers are good at creating urgency by threatening consequences for not acting quickly, such as a penalty or a missed deadline. They understand that a typical employee wants to please their boss or superiors by acting swiftly. Do not let the demands in the message intimidate you: slow down and analyze it carefully. Does any part of the sender’s address, the link URLs or the message content itself seem suspicious or out of place? Did you get this message at two in the morning? Taking the time to think through the situation and connect the dots may prevent you and your staff from letting an attacker into the system.
Use a spam filter
Filtering spam is a great way to improve email security, but take the time to make sure the filter is properly configured. Spam filters won’t catch everything, but they will block a lot. Scammers send generic, unsolicited emails to thousands if not millions of addresses, and spam filters are good at spotting and blocking that kind of bulk mail, leaving your newly educated staff to deal with the targeted ones that slip through.
Install and regularly update trusted anti-virus software. As it says on the tin, anti-virus software scans files and running programs for known malware and removes or quarantines it; if you don’t have it in place you are playing with fire. Many paid anti-virus products also offer useful features like firewalls and real-time scanning of web pages and email attachments.
Training your staff to avoid falling victim to phishing emails is an important step in protecting your organization from cyberattacks. It is a low-cost way to mitigate one of cybercrime’s most prevalent forms of attack, one that many unprepared organizations fall for.
However, in the last few years cybercrime has been on the rise, especially against small and medium businesses. Save yourself the loss of money, time and reputation in your customers’ eyes and look into getting a proper security audit conducted for your organization. Investing in this now could save you far more in the future.