Blog & Company News

May 5, 2017

We Need to Talk About Phishing Scams

If you’re not familiar with the term, phishing scams aim to either infect your computer with malware or to steal your personal information, including account passwords. Scammers accomplish this by sending you emails that often appear legitimate in order to get you to download a malicious attachment or to click on a link that will prompt you to provide personal or account information. Savvy internet users often feel they can detect phishing emails -- many of these phishing attempts, of course, are obviously fake and are properly ignored; however, scammers are getting smarter and regularly trick even technology experienced users. A simple Google News search for “phishing” will provide you with plenty of recent examples of the damage these scams can cause. More troubling, it has been reported that a new phishing scam is launched every 30 seconds. Organizations need to be particularly vigilant when it comes to the dangers of phishing scams, and need to take regular steps to ensure employees do not fall victim -- potentially putting your clients' data, and your organization's reputation, at risk. Here are three simple steps your organization can take today. Training It is important that staff receive regular training and reminders -- at least quarterly, but even as much as monthly -- about phishing scams and how to avoid falling prey to them. Some of the basics include:
  • All employees need to understand what phishing emails are, and common tricks they use to trick people.
  • Employees need to be aware of any emails from senders they do not know; and even if those emails are from known senders, to pay attention to signs that the email message may be fake or spoofed to look like it came from a co-worker. Employees should inspect the actual email address the message came from to ensure it did, in fact, come from that individual.
  • Employees should never download attachments or click on links from suspicious messages.
  Standard Operating Procedure (SOP) Your organization should have an SOP to report any suspected or detected phishing emails, especially if an employee believes they inadvertently downloaded an attachment or visited a link from a suspicious email. For cases where phishing emails include malware downloads, reporting these instances to your I.T. department should be swift so they can take proper steps to mitigate the threat. Multi-Factor Authentication When possible, critical systems -- particularly those that host sensitive data, including member data -- should incorporate multi-factor authentication. Mult-factor authentication involves having a secondary required step to authenticate a user before logging into a system. This ensures that, even if an account password is stolen via a phishing scam, the thief would not be able to log into the system with the password alone. You will need to check with your software vendors or developers to see if this capability is supported, or if the feature can be developed. While there is no cut and dry method to completely avoid the threat of an employees falling victims to phishing scams, taking these precautions could help your organization avoid an expensive mistake later on.