Gone may be the days when phishing attempts were easy to identify. While malicious messages are nothing new, they’re becoming more sophisticated and harder to pick out from legitimate business communications.
A few simple clicks in one of these emails can develop into a problem that spreads quickly across digital channels and devices, but there are things that you can do to defend against phishing attacks and resources that can help.
Information technology professional Jamie Neumaier knows a lot about tackling security threats. Jamie manages an information security team that works to ensure systems at Erie Insurance stay as safe as possible. He recently answered questions about phishing scams targeting businesses and offered some useful security tips.
Q: What is phishing?
A: Phishing is malicious activity in which criminals try to gain access to users’ information, data or devices. The goal is to get you to act, and when you do, the phishers may:
- Gain access to data and information, which they can exploit.
- Install malware on your system.
- Prompt you to reveal your personal financial information for purposes of stealing money or your identity.
- Access your email and send other malicious messages to your contacts, to exploit others.
Q: Are businesses especially vulnerable to phishing scams?
A: Yes. With more work being conducted digitally, businesses of all sizes are susceptible to attacks.
Phishers can easily find your contact information online and be reasonably confident that any message they send you will be at the very least opened because you’re in a business of being responsive. The phishing messages have also grown in sophistication, so it’s easy to be convinced to visit an insecure site or download an infected file that comes in an email message that looks legitimate.
Q: How do you spot a phishing attack?
A: Phishing emails that are poorly written, offer you large amounts of money or ask you for financial assistance have been common for a long time. Most of us know not to open, click or respond to these emails.
More recently, phishing emails are being designed to look like other emails that you might receive in your inbox. They may appear to be from someone you trust like a bank, software provider, retailer or vendor, but usually, the timing of the messages is unexpected.
For instance, one common technique is for a hacker to gain access to an email account through a phishing attempt, then access the account and reply to a real email conversation with a malicious link. So, when the recipient receives this email, it looks like a continuation of an earlier conversation, but it asks the recipient to download a document.
Phishing attempts aren’t limited to email, either. Hackers now use phone numbers similar to your mobile number to call you and attempt to have you reveal sensitive information. They may send you text messages as well.
Q: How can phishing attacks be prevented?
A: In the course of day-to-day business between you, your employees, customers and other consumers in general, know what you’re working on. If you receive a message, phone call or email that is unexpected or seems even just a little bit off, verify the validity of the message before taking action. Call the person who appears to have sent the message and ask if he or she sent it. If the answer is no, it’s a malicious message.
Other things you can do:
- Hover your cursor over a link in an email to show the URL. If it looks suspicious, don’t click on it.
- Look at the extension on Word attachments. Most users have updated their Microsoft products so that Word documents end with .docx. If you see the antiquated .doc extension, question it.
- Use both antivirus software and an anti-malware tool. They’re often provided by common and well-known security brands such as McAfee and Norton.
- Keep your software and devices up to date. The latest updates for Microsoft Office products, third-party applications, such as Adobe Reader and Flash, and smartphone operating systems contain patches that protect against the latest security issues.
- Always back up your data, so that you can get back to business as quickly as possible should you fall victim to an attack. Test your backup processes periodically to ensure they are working as expected.
Also, be aware that if you’re hit with an attack, you may not know immediately, and the first indication may be that your Customers receive an unexpected email from you. Unfortunately, a Customer calling to verify something you sent (but didn’t intend to) could be when you know you’ve been affected.
If Customers call asking if a message is legitimate, and after you confirm whether you sent that email, offer them the same advice you use in your own business operations.
- Did the Customer expect to get that email?
- Does the link or URL direct to a legitimate, expected website address?
- Does it ask them to open a suspicious document that they didn’t expect?
Answering those questions can help you both determine whether the message is safe.
Phishing is continuously changing and evolving as perpetrators adopt new techniques and forms, so it’s essential to have a good security plan in place and watch out for emerging attacks to help protect your business. A well-trained team that knows how to spot a suspicious message can also be a great defense against phishing attacks.
Contact a trusted insurance advisor like an ERIE agent to learn about some of the smart and affordable ways to protect your business. For instance, data breach coverage for your business can help you overcome an incident in which your customers’ or employees’ nonpublic, personal information is compromised and you have to notify them of the breach. It may be purchased and added to a business insurance policy.