Some hacks require intense technical know-how, but the majority of data breaches are relatively low-tech and low-effort. Even monumental hacks like the DNC email attack were the result of simple spear-phishing campaigns. Just two days after sending a phishy login email to Clinton Campaign Chairman John Podesta, Russian hackers had gained access to a treasure trove of over 50,000 emails.
The Damage Done
Phishing sounds like a relatively harmless practice, but it’s the technique behind some of the most ruthless data breaches, including attacks on J.P. Morgan Chase, Target, eBay, Anthem, Sony Pictures, the White House and the Pentagon.
Affecting industries as diverse as retail and banking, the hackers behind these attacks are motivated by profit, state secrets, wire fraud and even terrorism.
How It Starts
Spear-phishing emails are designed to look harmless. Attackers engineer them to resemble emails that could come from a trusted source — a friend or coworker. But once they get the keys to the kingdom, hackers gain access to a wealth of sensitive information like financial data, email communication and more.
And while the emails that targets receive appear benign, successful spear-phishers are far more sophisticated than spammers. They research their targets to craft messages that will convince them to click. This process involves probing their social networks and the rosters on their company websites.
Phishing for Profit
By most accounts, these socially engineered attacks are quite successful. A recent survey found that 38% of cyber-attacks in the last year came from phishing.
Even more alarming, 91% of advanced persistent threat attacks (APT) start with a spear-phishing email. And 94% of victims are infected through a malicious attachment like a remote access trojan that activates when the subject opens an attached file.
So, how do you keep your company safe from phishing in a world where even government entities and Fortune 500’s can fall victim? Check out these 12 tried-and-true ways to stay safe from phishing scams.
Know Your Attacker
While always socially engineered, phishing comes in two forms — malicious emails that get you to click on a malware-infested attachment, or a link to a fake website that convinces you to enter your username and password. The more you know about how hackers attack, the safer you’ll be.
Watch Your URLs
Most hackers are too lazy to write malicious code that can fool antivirus software. As a result, fraudsters who want to make a quick buck turn to phishing scams.
In most instances, hackers create replicas of secure websites. Fooled by legitimate-looking corporate logos, users submit usernames and passwords to these fake sites and hackers have a field day with their data.
To avoid this unfortunate situation, type in web addresses directly, and look out for strange or suspicious URLs that could indicate you’ve reached a fake website. And always make sure you’re on a website with an HTTPS address.
A staggering 100,000 new phishing attacks are reported every month. But those who receive regular anti-phishing education are much more likely to spot and avoid threats. Educate your employees through mock phishing scenarios and develop security policies dedicated to phishing awareness and the creation of complex passwords.
Beware of Sender
Whenever you get a suspicious email, it’s important to scrutinize the email address. Does it look strange or unfamiliar? Apple would never send a corporate email from firstname.lastname@example.org, and that means you shouldn’t click on it either.
Think Before You Click
Smart scammers prey on familiarity and emotion, so if something feels off, don’t click. A healthy skepticism about clicking on links and downloading attachments can save you — and your data — lots of trouble. If you get a suspicious email from a company that requires immediate action, visit the company’s website and log in directly.
Upgrade Your Toolbar
Available on most browsers, anti-phishing toolbars run checks on websites you’re browsing and compares them to known phishing sites. These free tools will alert you whenever you stumble on a malicious site. Pop-up blockers can also help you thwart phishing attacks. If you do encounter a pop-up, carefully click the “x” at the top of the window. Clicking anywhere else could take you to a malicious site.
Protect Your Personal Info
Avoid sharing personal or financial information on the internet that could be used in socially engineered phishing attacks. And never enter confidential information into a weblink you receive via email. When logging in, always visit the website directly.
Protect Your Resources
To stay safe in the event of an attack, keep all corporate and personal files encrypted and up to date. These protections are especially important for employees who are telecommuting.
Get Smart Software
Updated operating systems and antivirus programs offer the best protection against malware. When current, these programs protect your devices by guarding against the latest viruses and phishing attacks. They also scan every file that enters your system — preventing anything malicious from damaging your system.
Hackers can operate undetected for a while. That’s why it’s important to stay up to date on your accounts by regularly checking your bank statements and account information, and updating your password on a monthly basis.
Create a Firewall
For maximum protection, install a desktop firewall to keep intruders from infiltrating your software, and a network firewall to keep fraudsters out of your devices and your network. With these tools in place, you can dramatically cut down on hacking threats.
Safeguard Your Data
Sometimes, even security experts fall victim to sophisticated phishing scams. That’s why it’s important to safeguard your most precious data. With two-factor identification, hackers can’t breach the additional security safeguards and infiltrate your accounts. Additionally, use a password manager to store complex, hard-to-hack passwords.
Better With Bluefin
While Bluefin can’t protect you from phishing scams, our advanced technology ensures that credit and debit cards are encrypted the moment they enter a payment system. To find out how our P2PE and tokenization services protect your organization from a data breach, contact a Bluefin representative today.