There are people who behave in noble, admirable ways. These heroes lift less fortunate souls from difficult circumstances, stay positive and focus on doing the right thing, even when it’s a challenge. These exemplars of humanity’s best qualities are an inspiration to us all.
On the opposite end of the spectrum, we have the hackers who send phishing emails.
Not content with what they have, hackers use phishing as a way to further their nefarious schemes. As an IT professional or business owner, you’re likely aware of the risk that phishing poses to your organization, and you’ve no doubt communicated that to your team members on countless occasions.
If not, you'll learn about phishing in this blog post and how to protect yourself and your organization, especially in today's climate of remote work.
Phishing is a form of cybercrime. It happens when someone pretending to be a legitimate person or institution gets an unsuspecting target to click on a fishy email, text, or other communication. The goal is to get the unwitting victim to hand over credentials or other sensitive information. Sometimes, hackers will use that information and hold it for ransom. Other times, they'll use it to access your sensitive information and do damage, or sell your information to another nefarious third party.
If you’ve ever watched a nature documentary, you know that getting separated from the herd is bad news. A single wildebeest falls behind to check out an interesting patch of grass, and just like that, the lions are on them and it’s all over.
Similarly, cybercriminals try to isolate members of your organization through phishing. They know that many companies have employees working remotely now, and they may send communications designed to look like remote work instructions for a specific employee.
Because these are extraordinary times, an unusual email might not seem as out of place as it normally would. Make sure all members of your organization know what official channels communications about remote work will come through and give them the details they need to distinguish legitimate company emails from phishing attempts.
In many ways, phishing emails are not unlike marketing emails on their surface. And, as with marketing, phishing comes with a call to action, a short enticement designed to get a user to click a link, which will often download malicious software. Some tactics to expect include:
Emails that look like they are from legitimate institutions. Phishers love to play on emotion. They want to get members of your organization to panic just long enough to click on their email. For example, during the height of the COVID-19 pandemic, hackers used subject lines like, “An Urgent Warning From the CDC” or “CDC Update On COVID-19” or even a subtle one like “CDC Guidance for Businesses Working Remotely Due to the Coronavirus” to entice people to click on the emails.
Posing as coworkers asking for donations. These emails may appear to be sent by a member of your organization and could appear to be a link to a GoFundMe page, or a similar site, requesting donations for someone in your organization. Urge employees to avoid sending these kinds of communications and tell employees never to open these kinds of emails, even if they appear to be legitimate.
Sending communications requesting private information for expense purposes. Many companies offer employees an expense account to take care of their business needs. Phishers are aware of this and may send communications requesting bank account information for reimbursement purposes. Make sure your employees understand your legitimate expensing process and that they know when and how your company will communicate with them regarding expenses and reimbursements.
Pretending to be you. Phishers may send emails that appear to be from your IT department. These emails may have subject lines like, “Regarding Your VPN Access,” or “A Technical Issue With Your Remote Connection.” Some of your employees might not know what legitimate IT communications look like. Explain your policies to them and use a consistent approach to communicating with employees, so they know what to expect.
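To make the coworker-impersonation and fake-IT tactics above concrete, here is an added example (not from the original post) of the kind of mailbox triage rule a defender can run: it flags a known staff display name on an outside address, an internal From with an external Reply-To, and lure wording combined with a link. The staff directory, domains, lure phrases and sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed staff directory: display name -> the only address it should use
INTERNAL_DOMAIN = "example.com"
STAFF = {"dana reyes": "dana.reyes@example.com",
         "it help desk": "helpdesk@example.com"}

# Lure phrases modelled on the subject lines discussed above (constructed, not exhaustive)
URGENCY = ["urgent", "warning", "update on covid", "guidance",
           "vpn access", "remote connection", "technical issue"]
REQUESTS = ["gofundme", "donation", "bank account", "reimbursement", "expense"]


def score_message(headers, body):
    """Return (score, reasons) for one message given as a header dict and body text."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display-name impersonation: a real colleague's name on an address we do not know
    expected = STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' matches staff but sender is {addr}")

    # Replies silently redirected outside the company while From looks internal
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain == INTERNAL_DOMAIN \
            and not reply_to.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"internal From but external Reply-To {reply_to}")

    text = (headers.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        reasons.append("urgency lure: " + ", ".join(hits))
    asks = [w for w in REQUESTS if w in text]
    if asks:
        reasons.append("asks for money or data: " + ", ".join(asks))
    # A lure is far more suspicious when paired with a call-to-action link
    if (hits or asks) and re.search(r"https?://\S+", body):
        reasons.append("lure combined with a link")
    return len(reasons), reasons


# Constructed sample messages: a fake donation request, a genuine IT notice, a fake IT notice
SAMPLES = [
    ({"From": "Dana Reyes <dana.reyes@webmail.example>", "Subject": "Help a colleague"},
     "Please send a donation here: https://gofundme.example/colleague"),
    ({"From": "IT Help Desk <helpdesk@example.com>", "Subject": "Regarding Your VPN Access"},
     "Reminder: the VPN client updates on Tuesday. No action is needed."),
    ({"From": "IT Help Desk <helpdesk@example.com>", "Reply-To": "support@it-portal.example",
      "Subject": "A Technical Issue With Your Remote Connection"},
     "Confirm your password at https://it-portal.example/login within 24 hours."),
]
```

Note that the genuine IT notice still scores on its subject wording alone, which is exactly why the sender and reply-path checks, not the subject line, should decide whether a message is held for review.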
Based on the examples above, it’s clear that phishers are willing to try just about anything to compromise your company’s security. Looking at all the potential avenues of attack may seem overwhelming, but with clear, open communication to employees, you can keep everyone on the same page and secure from phishing attempts.
Crafting organization-specific communications about phishing is certainly wise. But you can also direct employees to more generalized advice about avoiding phishing scams, such as this collection of tips from the Federal Trade Commission (FTC). The more employees know about phishing tactics and scams in general, the less likely they are to fall prey to them.
Above all else, be proactive about confronting the threats posed by phishing. It’s the best way to thwart cybercriminals.