In January 2019, the Edmonton Economic Development Corporation reported losing $375,000 in a “targeted fraudulent financial transaction.” And in 2017, MacEwan University was tricked by a targeted scam into transferring $11.8 million.
What did these two scams have in common? They used phishing techniques to trick employees into handing over substantial amounts of cash to what they thought was a legitimate recipient.
But there are almost always warning signs – and we thought it would be helpful to share some tips to reduce the chance that your business finds itself “on the hook.”
Because when it comes down to it, phishing relies on tricking living human beings – which means education and experience are the best tools you have to avoid falling prey.
And while the aim is often financial, an emerging trend sees cybercriminals using phishing to obtain user names and passwords so they can walk into business networks. After all, hacking into a network and remaining undetected is much more difficult than simply logging in with someone else’s credentials. One widely cited industry figure holds that 91% of successful data breaches start with a spear phishing email.
Test employees with mock phishing drills
If you want to know the most effective way to educate your workforce and protect against phishing, this is probably the one. In the end, what your employees actually do is more important than what they’ve been told.
The idea is to create and send phony “phishing” emails to your own staff, and see how they respond. These emails should run the gamut of typical tactics – asking for a password reset, requesting a money transfer, or asking the employee to purchase gift cards or bitcoin on behalf of a manager who promises to reimburse them.
In fact, we often conduct "phishing security tests" with specialized tools to help train and educate our clients - it's part of the comprehensive security measures we offer as part of our KeeranOne package.
Use Common Sense and Consider What Is Being Asked (And Why!)
You can reduce the chance of falling victim to phishing attacks by remembering a few key things while browsing online and checking your emails.
Emails asking for confidential information should immediately raise a red flag, especially if they ask for personal details or banking information. Legitimate organizations, especially your bank and the Canada Revenue Agency, will never request this kind of sensitive information via email (nor would they need to).
Also be careful about clicking links in emails unless you are sure the destination is authentic – which means reading the URL in its entirety, not just the part that looks familiar. This segues into the next two tips:
Double Check Shortened Links With This Easy Trick
You should pay particularly close attention to shortened links, especially on social media. Cybercriminals often use these as a way to hide a bogus URL and trick you into visiting a fake site designed to collect your data or infect your machine with malware.
But there is a way to look before you leap – hover your mouse over the link (or long-press it on a phone) and the actual destination URL will pop up. If it doesn’t make sense or doesn’t match the text of the link, do not proceed. One caveat: hovering over a shortened link only shows you the shortener’s own address, not where it finally leads. Many shorteners offer a preview feature (bit.ly, for example, shows where a link points if you add a plus sign to the end of it), and there are link-expanding services that do the same; use one of those before you click, not after.
Browse Securely With HTTPS (But Read the Domain Name Too)
The official websites of reputable organizations that deal with financial transactions and sensitive information – banks, PayPal, online shopping sites, and government agencies – should be secure, which is indicated by a URL that starts with https:// and a “padlock” icon in the address bar.
If you don’t see this, it could indicate a spoof site masquerading as a real one, or that there is a security issue affecting the organization in question. This should be another red flag. The reverse is not true, though: a padlock only means your connection to that site is encrypted and that whoever runs it holds a certificate for that exact domain name. Certificates are free and easy to obtain, and phishing sites routinely have them, so a padlock on a page like paypal.com.secure-update.example proves nothing. Read the domain name itself, working from the right: the part just before the first single slash is who you are really talking to, and everything to the left of it can say whatever the attacker likes.
Instead of proceeding, open another tab and do a Google search for the site or organization in question – it’s likely the real page will come up and feature HTTPS on the organization’s genuine domain. You may even want to compare the two.
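The two tips above (read the real destination of every link, and read the domain name rather than trusting the padlock) can be turned into a mechanical check. The following is an added example and not code from the original article or from Keeran Networks; it scans the anchors in an HTML email body and flags the red flags described above: a link whose visible text names one site while the href goes to another, a link through a URL shortener (where hovering shows only the shortener), a plain http:// link, and a trusted brand name used as a subdomain of somebody else’s domain. The sample email, the brand list and the shortener list are constructed for the demonstration, and the registrable-domain helper is a deliberate simplification (it takes the last two labels instead of consulting the Public Suffix List).

```python
"""Flag suspicious links in an HTML email body.

Added example illustrating the URL-inspection tips in the article; it is not
the article's or Keeran Networks' own code. Sample data is constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the recipient deals with and their real domains.
TRUSTED_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}
# Common link shorteners: hovering over these reveals only the shortener host,
# not the final destination, so they are flagged for manual expansion.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification: a real implementation would use the Public Suffix List,
    since e.g. example.co.uk needs three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return a list of warning strings for one anchor; empty means no red flags."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append(f"not https: {href}")
    if host in SHORTENERS:
        warnings.append(f"shortened link, hover shows only {host}")
    # Visible text that looks like a URL or domain must point where it says.
    text_host = urlparse(text if "://" in text else "https://" + text).hostname
    if text_host and "." in text_host and registrable_domain(text_host) != registrable_domain(host):
        warnings.append(f"text says {text_host} but link goes to {host}")
    # A trusted brand name appearing in a label of someone else's domain,
    # e.g. paypal.com.secure-update.example, is a classic lookalike (heuristic).
    for brand, real in TRUSTED_DOMAINS.items():
        if any(brand in label for label in host.split(".")) and registrable_domain(host) != real:
            warnings.append(f"looks like {brand} but domain is {registrable_domain(host)}")
    return warnings


def audit_email(html):
    """Map each href in the email to its warnings; links with no warnings are omitted."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        warnings = check_link(href, text)
        if warnings:
            findings[href] = warnings
    return findings


# Constructed sample email body: two legitimate links and two suspicious ones.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>
<a href="http://paypal.com.secure-update.example/login">https://www.paypal.com/signin</a>
<a href="https://bit.ly/3abcXYZ">View invoice</a>
<a href="https://www.canada.ca/en/revenue-agency.html">Canada Revenue Agency</a>
"""

if __name__ == "__main__":
    for href, warnings in audit_email(SAMPLE_EMAIL).items():
        print(href)
        for warning in warnings:
            print("  -", warning)
```

Run on the sample, only the lookalike PayPal link and the bit.ly link are reported; the genuine paypal.com and canada.ca links pass. The brand check is a heuristic and will false-positive on harmless domains that happen to contain a brand string, which is acceptable for a tool whose job is to make a human look twice, not to block mail.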
Suspicious Emails Can Be Bad For a Good Reason
Many phishing emails are blatantly obvious – think Nigerian princes sharing inheritances and the like. They usually have awkward phrasing, typos and unprofessional punctuation, and are often overly brief, lacking the letterheads, footers and personalized greetings of authentic organizations.
However, these “mistakes” may well be intentional: they help the message slip past spam filters, and by putting off careful readers they leave the scammer dealing only with the recipients most likely to follow through with the con.
If the style of the email doesn’t match other communications you’ve received from the organization, or it comes from an organization with which you have no dealings, it’s best not to engage, and to report it.
Beware of Threats and Deadlines Communicated Via Email
Sometimes reputable companies do need you to act urgently – for example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.
However, this is the exception to the rule; usually, threats and urgency – especially coming from what claims to be a legitimate company – are a sign of phishing. If you are being threatened with a fine, or asked to provide a password or other information to prevent your account from being closed, it’s best to ignore the email and contact the company separately through a known and trusted channel – by phone using a number from their official website or your statement (not one printed in the email), by a verified email address, or even in person.
At Keeran Networks, we can help businesses stay secure through professional Managed IT Services, including comprehensive IT security measures designed to reduce the chance of phishing attacks reaching your employees, such as inbox mail filtering, robust antivirus solutions and helpful browser extensions.
If you’d like to learn more about improving workplace security and productivity, we’d be happy to hear from you.