Four steps every business should take to arm themselves and their users against phishing attacks.
You may be gone fishin’ for an afternoon, but phishing could be happening every day in your office.
Phishing is the act of sending fraudulent emails that pretend to be from reputable companies in order to capture information such as passwords and credit card numbers, and it has affected 85% of all organizations.
Given the prevalence of phishing, the following steps are important to protect your business and your customers from phishing attacks:
Phishing is a somewhat jargony term, so take the time to periodically explain it to your customers and your employees. Help them recognize the following red flags in a phishing email:
- Is poorly written
- Offers money
- Asks for financial assistance
- Uses scare-tactic messaging
- Comes from a strange email address
- Arrives at an unexpected time or carries out-of-character messaging from “known” senders (the hallmark of spear phishing attacks)
Advise employees (and customers) to think twice before clicking, downloading or replying with information. Examine URLs before clicking them, and approach any email that asks for a password, account number or other personal data with skepticism.
Simply hovering your mouse over the sender’s email address or any embedded link reveals the actual sender address or link destination, which helps you determine whether the message is legitimate.
Members of your team should ask your IT team or provider to review emails when in doubt. Clients who suspect a phishing attempt should be encouraged to reach out to their contact to confirm that the email is legitimate.
Report attacks and notify customers.
If you see something, say something. If you become aware your business is being impersonated as part of a phishing scam, the FTC recommends contacting law enforcement and notifying your customers immediately. Direct any consumers who may have been victims of identity theft to identitytheft.gov.
Update software and security.
By keeping software updated and using sound security practices, phishing attempts can often be nipped in the bud. Every computer in your organization should be running the latest versions of all software, including internet browsers, as hackers often exploit vulnerabilities that new updates fix. (Be wary of fake update prompts, though. Where automatic updates are offered, turn them on.)
Secure passwords also play a role in preventing fraud. Best password practices include:
- Using complex passphrases, rather than simple passwords
- Changing passwords regularly (once every one to two months)
- Enabling two-factor authentication
Finally, using a PCI-compliant partner (like yours truly) will help you protect your customers’ card data.
By running an internal phishing simulation, you can gauge how well (or how poorly) your team handles phishing and spear phishing attacks. Use the results as another opportunity to educate your team.
With proper education and solid security protocols, you’ll greatly reduce your risk of falling prey to phishing attacks—leaving more time for you to enjoy the fun kind of fishing.