Here’s a scary fact if you are responsible for your company’s security: some phishing emails achieve a nearly 100 percent open rate.
Emails are apparently irresistible when they claim to announce a new evacuation plan for the workplace. The same is true for fake password update alerts. According to Wombat Security’s annual “State of the Phish” report, users open virtually every one of these types of scam notices.
What happens when one of your employees clicks on that authoritative-sounding message? They start down a path that could lead to the theft of their personal information or worse – the company could lose valuable, even crucial, data.
Train and then train some more
You can’t stop criminals from trying to infiltrate your company. But training has proven effective in helping your employees recognize phishing scams and report them.
Happily, it is not necessary to make everyone an IT specialist to avoid trouble. It’s enough to educate them on the latest scams and on the telltale signs that an email is likely to be trouble.
The frequency of training is key.
Requiring educational sessions twice a year helps remind your staff of the steps you expect them to take to protect themselves and the company. The training doesn’t have to be in a classroom. It can be online, with a required test at the end. Frequent education of any type also addresses turnover, job reassignments, and plain forgetfulness.
Reinforcing common sense
Much of the training will remind users of what they already know:
• Emails with generic greetings like “Dear consumer” should not be trusted (although a personalized greeting is no guarantee of legitimacy: phishing emails are now more often addressed to a specific user by name).
• Don’t click on links or open attachments from senders you don’t know.
• When you receive an attachment or scanned document you aren’t expecting, even from a known sender, confirm it by phone using a number you already have, not one given in the email.
• Unsolicited offers over the internet that sound too good to be true really, truly are.
• Never enter personal or proprietary company information into an email reply or a pop-up window, even if you think you know the sender.
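The telltale signs above can also be checked mechanically, for instance by a helpdesk triage script run over a reported message. The following is an added illustration, not code from the article or from Wombat Security: it parses an email with Python’s standard `email` module and reports which of the listed signs it shows. The allow-list of known senders, the greeting and phrase lists, and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed address book for the example: senders the user already knows.
KNOWN_SENDERS = {"hr@example.com", "alice@example.com"}

# Generic salutations that a real correspondent would rarely use (constructed list).
GENERIC_GREETINGS = ("dear customer", "dear consumer", "dear user", "dear account holder")

# Phrases typical of credential-harvesting lures (constructed list).
CREDENTIAL_PHRASES = ("update your password", "verify your account", "confirm your password")


def parse_message(raw: str) -> EmailMessage:
    """Parse an RFC 822 message with the modern (EmailMessage) policy."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    """Return the text of the preferred body part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is marked as an attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def links(msg: EmailMessage) -> list:
    """Extract http(s) URLs from the body text."""
    return re.findall(r"https?://[^\s\"'<>]+", body_text(msg))


def phishing_signals(raw: str, known_senders=KNOWN_SENDERS) -> list:
    """Return the telltale signs present in the message, in a fixed order."""
    msg = parse_message(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    text = body_text(msg).lower()
    signals = []
    if text.lstrip().startswith(GENERIC_GREETINGS):
        signals.append("generic_greeting")
    if sender not in known_senders:
        signals.append("unknown_sender")
        if links(msg):
            signals.append("unsolicited_link")  # link from an unfamiliar sender
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        signals.append("credential_request")
    if has_attachment(msg):
        # Attachments are flagged even from known senders: verify by phone.
        signals.append("attachment_verify_by_phone")
    return signals


# Constructed sample: a fake password-update alert from an unfamiliar domain.
SUSPICIOUS = """\
From: "IT Helpdesk" <helpdesk@example-mail-secure.net>
To: bob@example.com
Subject: Password update required
Content-Type: text/plain; charset="utf-8"

Dear user,

Your password expires today. Update your password at
http://example-mail-secure.net/reset to keep access.
"""

# Constructed sample: a known colleague sending an expected report.
LEGIT = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Bob, the report we discussed is attached.

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, phishing_signals(raw))
```

The script deliberately does not declare a message “safe”: even the legitimate sample still yields a reminder to confirm the attachment by phone, mirroring the rule above that unexpected attachments get verified out of band rather than trusted on the strength of a familiar sender address.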
Companies have also begun using another tool: sending simulated phishing “tests” to their employees to see who opens them and clicks, so that those who do can be given additional individual training.
More employers are requiring two-factor authentication so that a stolen password alone does not give an attacker access (note that one-time codes can themselves be phished in real time, which is why phishing-resistant factors such as hardware security keys are stronger). Several products are available both to block phishing and to clean up after an attack, but criminals constantly refine their tactics. Email is still the most popular phishing channel, but phishing via text messages and other means of communication is becoming more common and requires additional protections.
Be continuously alert
That’s why training is a crucial component of your defense. In the Wombat study, more than half of the IT security professionals surveyed reported that training reduced the number of successful phishing attacks.
It takes the misjudgment of just one employee to put your company at risk, and although only a small percentage of the more than 200 billion emails sent each day are used for criminal purposes, the sheer volume will continue to pose a large risk to your firm.