A decade after the first appearance of “phishing” (the practice of infiltrating or infecting a network by sending emails disguised to look like ordinary mail from a co-worker or familiar organization), the security problem continues.
Almost exactly three years ago, data security firm RSA suffered a major breach when an employee opened an email that said it contained a spreadsheet of staff salaries. It actually contained malware that exposed some of the company’s confidential technical data. The company’s email software had already identified the message as junk, but the employee moved it out of the junk folder and opened it anyway. If your software tells you an email or any file is dangerous, it’s better to err on the side of caution and not open it, no matter how intriguing the message Subject line might be.
No organization is too large or too small to be immune the dangers of phishing despite a decade of advances in cybersecurity tools. As many readers are aware, Forbes has experienced its own phishing adventures recently, as reported by Andy Greenberg last week. Why does the problem continue to be so pervasive? Said contributor Joseph Steinberg in April of last year, “Phishing attacks utilize a technological medium for communication, but ultimately, they exploit human weaknesses, not computer vulnerabilities. Yet, the vast majority of systems intended to curb phishing … ignore the essential role that people play in the cybsersecurity ecosystem.”
Phishing is a people problem. As the problem continues to enter the news, I asked security expert Vikas Bhatia of New York’s Kalki Consulting to weigh in on the things organizations can do and that individuals can do to keep themselves save from these scams. (I originally interviewed Bhati in September about the increasing number of cyber attacks that affect small business.)
Speaking specifically about the issue of phishing, here are the top precautionary tips Bhati shared:
Where’s the email coming from you are viewing? Are you sure it’s from the person or organization it claims? There is a big emotional play here, Bhati says. People instinctively tend to trust banks, friends, and social media websites. Hackers know that if it looks like you’ve done business with them before, you’re more likely to click, Bhati says. For organizations you do business with, avoid clicking on links and alerts that arrive via email. Log into the site directly and review the message from within the site’s secure login instead. Also, beware of phishing scams that take advantage of current affairs, such as messages from individual pretending to be representatives of the Winter Olympics in Sochi inviting people to participate in viewership polls.
- Are you sure you want to download pictures? Pictures can contain malware just as written messages can (and this is why your business needs to keep your patches and Antivirus software up to date)
- Should you ever click on a link? Where does it take you? Train all members of your company to not be fooled by short URLs. Before clicking, hover over the link to see if there is a discrepancy between where you think you’re going and what the web address actually says. If there is any question—don’t click.
- Do you have administrator access to any of the company’s assets from your device? Phishing attacks generally require Admin access to company resources to run. As an extra precaution, use an account name and password that isn’t also used for administrative access for any of the company’s assets or to any of your business or personal financial accounts.
- Is your device vulnerable?Are your security patches and your core applications up to date? Be sure to make software updates and install security patches regularly.
Does your organization take these precautions? Do your employees know about them as well? As a final precaution, remember that safe computing practice is never a one-time function. Ensuring your computer is safe should be done weekly and security software should be set to update as frequently as is offered by the vendor. You can never be too safe, but being almost safe enough will invariably lead to bad news. Now would be the time for every organization to take these precautions again.