Unlike most IT security threats, phishing scams attack the human element instead of the machine element. Phishing scams try to bait a person into exposing confidential information by posing as a legitimate, reputable source, typically by email or phone. Most often, the culprits seek users’ account login details, credit card numbers, social security numbers, and other personal information.
By properly educating your employees and following a handful of best practices, your business can significantly reduce the threat of phishing scams.
1. Treat every request for information—whether by email, phone, or Instant Message—like a phishing scam until proven otherwise.
Meeting any request for confidential information with skepticism, regardless of how trivial it sounds, is your employees’ best defense against phishing scams. Even innocent information like a person’s first car, pet’s name, or birthday can be used to steal accounts through password recovery. Generally speaking, no professional organization or company would ever ask for personal information when contacting you—so any information request of this type is more likely to be fraudulent than real.
2. Familiarize your staff with scheduled emails for password resets.
Many companies use regularly scheduled password reset policies as a security measure; however, hackers can exploit this system to get people to hand over account login information. Your company’s best protection in this case is to familiarize employees with which services actually send out these requests. If possible, enable 2-step verification services, or avoid scheduled password changes altogether.
3. Never click a “reset password” link.
One of the easiest ways a hacker can steal information is to include a spoofed link claiming to be a password reset page that leads to a fake website. These links typically look exactly like the legitimate reset page and will take the “account name” and “old password” information the person enters. If you need to reset an account or update your information, navigate to the site manually and skip these links.
4. Never send credentials over email or phone in communication that you did not initiate.
Many sites utilize legitimate password reset emails and phone calls; however, a person has to go to the site and request it. If someone did not request a password reset, any form of contact to do so should be met with extreme skepticism. If employees believe there is a problem, they should cease the current contact thread and initiate a new one directly from the site in question.
5. Don’t give in to fear.
One common phishing scam emulates online retailers, claiming they will cancel an order because a person’s credit card information is “incorrect.” These scams rely on a sense of urgency to get a potential victim to hand over information without stopping to think. If the account really is compromised, chances are the damage is already done.
6. Report suspected phishing attempts.
Phishing attacks like this typically target more than one person in an organization, whether it be from a “mass-scale” or “spear” phishing attack. Therefore, it’s safe to assume that if one person receives a phishing email, others will, too—so contact both your company’s IT department and the organization the hackers were imitating.
If your business is looking to improve its IT security practices and avoid falling victim to phishing scams and other attacks, contact the experts at MPA Networks for help today.