Are you good about keeping up to date with what’s going on security threat wise? Most of us know better than to click on a link in an email that has lots of grammatical errors and that’s telling us our bank account information needs to be verified. For a while I even thought it was amusing. It used to be fun finding the spelling errors and laughing at the naiveté of the scammers. But a couple of years ago I almost fell for one of these phishing emails. I realized it wasn’t funny at all; that it was really scary.
My PayPal account had been hacked!
The email was purportedly a PayPal receipt for a $149 EBay purchase. It looked totally authentic. There was a PayPal link that I could click to see the details of the transaction. I came so close to clicking that link. My PayPal account had been hacked! I had to find out what was going on! Exactly the reaction the scammers were hoping for—except that I did manage to pause and give it some thought before I actually clicked.
We all know better than to click on links from unknown sources however many of us keep on doing it. Hardly surprising, since scammers keep coming up with new and better ways of enticing us to give them the access they want. Businesses are perhaps even more vulnerable than individuals. Why just steal information from one person when you can get access to the credit card information of hundreds or thousands of customers?
Businesses represent high-value targets for phishers
Businesses can expect the typical phishing mass emails: the Federal Trade Commission is investigating you because of numerous consumer complaints. The Better Business Bureau has received negative information about your business. Like the PayPal scam, these emails depend on shocking the recipient into clicking a link. A good spam filter will block these spam emails so they are prevented from reaching users inboxes.
But businesses can represent high-value targets, and that means they can attract far more sophisticated attacks. Spear phishers gather information about their victims online and craft their attacks to make it appear as if the email comes from an acquaintance, coworker, or the friend of a friend. They may target hundreds of individuals at a firm, or just one.
This kind of attack can be insidious. Let’s say you went to a charity event last week, and you posted pictures on Facebook. Today you receive an email saying, “Loved talking to you at the event Thursday! Here’s the file about Chincoteague ponies I promised you.” You don’t remember this conversation, but it’s plausible—one of your passions is Chincoteague ponies—so you download the PDF. You don’t realize some scammer has crafted this email solely from reading about you online, and you don’t realize that you’ve just compromised all of your company’s information.
What can you do about email security threats like these?
The first line of defense is still to avoid opening links sent by unknown sources. Hovering over a hyperlink with your cursor will reveal the real address (though I’d be hesitant to click on any questionable links or links from unknown sources even if the real address doesn’t look suspicious).
Keep all security solutions updated. The latest software will have the latest protection as well as bug fixes. Software can’t keep up with scammers, but at least it has a fighting chance if it’s always updated. There’s an obvious problem where businesses are concerned: there are x number of employees, and not every employee is going to be equally vigilant. Holding educational meetings about security and keeping all employees informed and aware about the latest phishing exploits is one simplest things any business can do to protect itself.
Of course, having up-to-date anti-spam and anti-virus protection is critical for any business. Big company thinking is often about maximising the IT security budget, whereas SMEs are much more frugal and need to think about the customer. SMEs require fast, cost-effective and easy to manage solutions. Small businesses are faced with many of the same risks as larger firms but without the same level of resources. In this scenario planning for security is essential.