How to protect your company's employees from phishing attacks
Every weekend I write an article about my spam analysis for that week. This often includes details about phishing scams that target individuals and company employees, for the purpose of stealing your identity, logins and passwords to important web sites, private or company information, or trade secrets.
The following is a guest article sent to me by GFI Software, a leading software developer that produces network and email/messaging security solutions for SMEs. GFI is also the owner of Vipre Antivirus. This article deals with protecting your employees from falling victim to phishing scams that arrive via email.
Data, the lifeblood of every organization, is also a magnet for phishing emails and other social engineering scams. Phishing scams come in a variety of flavors but are predominantly pushed through email or, increasingly, through social networking sites and instant messaging. In essence, these carefully crafted messages, designed to appear entirely legitimate, aim to trick unsuspecting employees into giving up personal or financial information, or login credentials, which the phisher then uses to commit fraud for personal gain.
Understanding how to identify phishing emails and scams is important: it leads to better management of the problem and better protection for your network and data, because employees who can recognize a phish are far less likely to click on it. Below are some points to keep in mind:
- Do not trust emails with urgent requests for personal or financial information. Such emails are often near-perfect imitations of genuine messages from banks, credit agencies, official government bodies and online vendor or payment sites. They also tend to come with dire 'warnings', deliberately designed to scare recipients into clicking links and giving out details before they have had time to assess whether the claim is true. Keep in mind that legitimate organizations rarely ask for credentials or account details by email. If you have any doubts about the content or the sender, pick up the phone and speak to them directly, using a number from the organization's website or a printed statement, never one supplied in the email itself. Better safe than sorry.
- Look out for misspelled URLs and incorrect English. These are classics in phishing emails: the messages are good at tricking people, but they are not always drafted by good writers, and the content is often peppered with grammatical errors. Phishers also make subtle changes to the spelling of a website URL, for example http://www.christinsblog.com instead of http://www.christinasblog.com. Hover over a link (without clicking) to see the address it really points to; the text shown in the email and the actual destination need not match. Read such addresses character by character.
- An email that addresses you as 'Dear customer' rather than by your first and/or last name is probably a scam. The reverse is not a guarantee: a targeted message can address you by name, so a personal greeting alone does not prove legitimacy.
- Look out for phrases such as 'verify your account' or 'verify your ID'; they are common in phishing emails and rare in genuine correspondence.
- Always be suspicious of emails that ask you to click on links. Unless you are sure the sender is legitimate, do not click links in emails; type the organization's address into your browser yourself, or use a bookmark you created earlier.
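The warning signs in the list above can be turned into a simple scoring filter. The following is an added example, not GFI's product or code from this blog: it scores two constructed sample messages (a phish and a genuine statement notice) against the urgency, credential-bait, generic-greeting and lookalike-URL heuristics, and flags links whose visible text points somewhere other than their real target. The trusted-domain list, the regular expressions and the "two indicators is suspicious" threshold are assumptions chosen for illustration.

```python
"""Scores e-mail messages against the warning signs listed above.

Added example, not GFI's or the blog's code: the patterns, threshold and
sample messages below are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Assumption: domains this organisation legitimately receives mail about.
TRUSTED_DOMAINS = {"christinasblog.com", "examplebank.com"}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|will be closed)\b", re.I)
CREDENTIAL_BAIT = re.compile(
    r"\bverify your (account|id|identity)\b|\bconfirm your (password|details)\b", re.I)
GENERIC_GREETING = re.compile(
    r"^\s*dear (customer|user|member|account holder)\b", re.I | re.M)
# href and visible text of each HTML link (good enough for the sample markup;
# a real filter would use a proper HTML parser)
HREF = re.compile(
    r'<a\s+[^>]*href=["\']?(https?://[^"\'\s>]+)["\']?[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"https?://([^/\s\"'>:]+)", re.I)


def registrable_domain(url):
    """Last two labels of the URL's host, e.g. www.christinsblog.com -> christinsblog.com."""
    m = HOST.match(url.strip())
    if not m:
        return ""
    labels = m.group(1).lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain):
    """Return the trusted domain this one imitates with a near-miss spelling, else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None


def phishing_indicators(msg):
    """Return the list of warning signs found in msg ({'subject','body','html'})."""
    reasons = []
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    if URGENCY.search(text):
        reasons.append("urgent or threatening language")
    if CREDENTIAL_BAIT.search(text):
        reasons.append("asks you to verify account or identity details")
    if GENERIC_GREETING.search(msg.get("body", "")):
        reasons.append("generic greeting instead of your name")
    for href, visible in HREF.findall(msg.get("html", "")):
        target = registrable_domain(href)
        imitated = lookalike_of(target)
        if imitated:
            reasons.append(f"link to lookalike domain {target} (imitates {imitated})")
        shown = registrable_domain(visible)
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
    return reasons


def is_suspicious(msg, threshold=2):
    """Two or more independent indicators is treated as suspicious (constructed threshold)."""
    return len(phishing_indicators(msg)) >= threshold


# Constructed sample messages (not real mail).
SAMPLES = {
    "phish": {
        "subject": "URGENT: verify your account within 24 hours",
        "body": "Dear customer,\nYour account will be suspended unless you verify your account now.",
        "html": '<p>Dear customer,</p><a href="http://www.christinsblog.com/login">'
                "http://www.christinasblog.com/login</a>",
    },
    "legit": {
        "subject": "Your March statement is available",
        "body": "Hello Christina,\nYour statement is ready in online banking. "
                "We will never ask for your password by email.",
        "html": '<a href="https://www.examplebank.com/statements">View statement</a>',
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "suspicious" if is_suspicious(msg) else "ok", phishing_indicators(msg))
```

The phish sample trips all five checks; the genuine notice trips none, because it uses the recipient's name, makes no urgent demand and links to a trusted domain with plain anchor text. A real gateway combines far more signals than this, but the structure (independent indicators, a threshold, and a reason list an analyst can read) is the same.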
The next step is to stop phishing emails from succeeding in the first place. The following points describe how:
- Employee education - It is very important that employees are well informed about the web threats out there and how to avoid them. Your staff need to know, for example, that they should not open attachments or enter personal or company information unless they are sure the request is legitimate, and that a suspicious message should be reported to IT or security rather than quietly deleted. It is better for employees to take no action than to do something they will immediately regret.
- Apply spam filtering and Sender ID - Investing in a solid spam filtering solution is imperative. It will help you detect and block phishing scams while allowing you to monitor your email traffic. Security experts and email providers also recommend the use of SIDF (Sender ID Framework, RFC 4406), which is built on SPF-style DNS records. The receiving server checks whether the IP address that delivered the message is one the claimed sender's domain has published as authorized, so a message carrying a forged sending address from a domain that publishes such a record can be rejected. Note the limit of this check: it verifies the sending host, not the content, and a phisher who registers a lookalike domain and publishes a correct record for it will pass.
- Keep browsers and computers up to date - Make sure your machines are fully patched with the latest security updates and that you are running the current version of your browser, since a phishing link may lead to a page that tries to infect an unpatched machine.
- Update your antivirus regularly - Most current antivirus solutions have heuristic capabilities that reduce the chance of new malware evading detection.
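To make concrete what the Sender ID point above does and does not verify, here is an added example that is not GFI's product or code from this blog: a simplified SPF-style evaluator of the kind Sender ID builds on. It looks up the claimed sender's domain in a constructed, inline "DNS" table (hypothetical domains and addresses, not real records) and decides whether the connecting IP is authorized, handling ip4, ip6, include and all with the usual +, -, ~ and ? qualifiers. The last case shows the caveat: a lookalike domain that the phisher registered and configured correctly passes the check.

```python
"""Simplified SPF-style sending-host check of the kind Sender ID builds on.

Added example, not GFI's product or the blog's code.  The 'DNS' below is a
constructed inline table for hypothetical domains so the example runs
offline; real code resolves TXT records and implements the full mechanism
set (a, mx, exists, redirect, macros) defined in RFC 7208.
"""
import ipaddress
from email.utils import parseaddr

# Constructed SPF records (assumption, not real DNS data).
DNS_TXT = {
    "examplebank.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # a lookalike domain the phisher registered and configured correctly
    "christinsblog.com": "v=spf1 ip4:192.0.2.77 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    """Domain part of the claimed sender, e.g. 'Bank <alerts@examplebank.com>' -> examplebank.com."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no usable record)
    or 'permerror' (include chain too deep).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms per evaluation
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            matched = False  # mechanisms this example does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def authorised(sender_address, sender_ip):
    """True only when the claimed sender's domain explicitly authorises the host."""
    return check_spf(domain_of(sender_address), sender_ip) == "pass"


if __name__ == "__main__":
    cases = [
        ("Example Bank <alerts@examplebank.com>", "203.0.113.5"),    # bank's own server
        ("Example Bank <alerts@examplebank.com>", "198.51.100.10"),  # via included mailer
        ("Example Bank <alerts@examplebank.com>", "192.0.2.77"),     # forged sender: fail
        ("Christina <news@christinsblog.com>", "192.0.2.77"),        # lookalike domain: pass
    ]
    for sender, ip in cases:
        print(f"{sender:42} {ip:15} {check_spf(domain_of(sender), ip)}")
```

The third case is what Sender ID is for: a message claiming to be from examplebank.com but delivered from a host the bank never authorized fails and can be rejected. The fourth case is why it is not sufficient on its own: the host is authorized by christinsblog.com, which the phisher controls, so the check passes and the lookalike spelling still has to be caught by a filter or by the reader.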
Ultimately, no single solution can guarantee total protection, but a little attention can reduce the risk of a malware infection and of your employees giving out corporate or personal details to scammers and fraudsters.
Additional readings
You've Got Phish
Phishing primary cause of bogus iTunes charges
This guest post was provided by Christina Goggi on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMEs. More information about GFI anti-spam solution can be found at http://www.gfi.com/mes
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.