Would you know a phishing attack if you saw one in an e-mail? Attempts to access sensitive and personal data within an organization are accomplished through this simple but damaging act. Are your employees trained to be on alert for suspicious e-mails, and do they know what to do if they receive one? Here are some answers to frequently asked questions to kick off your employee training on phishing attacks within your organization.
What is phishing?
Phishing is the use of an electronic communication to attempt to trick someone into providing sensitive information (e.g., user name and password, payment card details) by clicking on a link or opening a file that introduces malware.
Why should I be concerned about phishing?
A phishing attack disguised as an e-mail can seem innocuous at first and even valid if the recipient knows the sender or topic. A recipient of a suspicious e-mail may think that simply deleting it is sufficient; however, that step alone may not be enough to stop the damage caused by clicking on a link in the e-mail or forwarding it within the organization. Phishing attacks can cause damage by allowing unauthorized access to confidential information, jeopardizing user credentials, and introducing malware into the system environment. Phishing can also be used as a stepping stone for other attacks.
How are phishing e-mails still a concern?
The truth is, scammers are smarter than ever at creating a seemingly authentic work-related or personal e-mail that increases the chance that a preoccupied reader or rushed recipient might click on the attached file or link after reading a few lines. Google researched the phenomenon of users falling prey to phishing attacks and found that fake websites worked 45 percent of the time, and 14 percent of the time users entered their credentials. [Source: Google Online Security Blog, Behind enemy lines in our war on account hijackers (November 2014)]
Phishing e-mails may appear to come from a company you do business with, or from a coworker or friend. In some instances hackers send the communications from a hacked user to all contacts in the user’s e-mail address book. A recipient who recognizes the sender’s name and e-mail address as a personal friend or work colleague is likely to not hesitate in opening the communication and trusting the content.
How can I determine that an electronic communication is a phishing attack?
The first step is to understand that phishing is a part of the reality of cyber communications. A phishing message may have one or more of these components: contains a misleading URL (Ex: firstname.lastname@example.org), contains poor spelling or grammar, is unsolicited, includes suspicious attachments (Ex: *.scr, *.bat, or *.exe.), or something just looks off. However, some phishing e-mails can look very convincing. Therefore, it is important to consider whether the person or organization contacting you has a legitimate need for the information requested.
Here are some tips to help you protect yourself and your organization from phishing e-mails:
- Be suspicious of requests for secrecy, promises of financial rewards, or pressure to take action quickly.
- Never provide personal information, such as passwords, social security numbers, banking or payroll information through e-mail.
- If you receive an e-mail asking you to update your password or provide other personal information, open your browser and navigate to the website rather than clicking a link within the e-mail message.
- If something seems off, verify via other channels that you are communicating with your legitimate intended recipient or sender.
- Notify your IT department of any suspicious emails you receive. If just one person falls prey to a phishing attack, they put the entire organization at risk.
What are some steps our organization can take to minimize exposure to phishing attacks?
While it may be difficult to completely avoid a phishing attack, an organization can take some simple steps to increase awareness among employees and board members:
- Train staff and employees to be vigilant for suspicious communications and provide examples or screen shots of phishing e-mails
- Address proper e-mail protocol with users, such as deletion of e-mails, spam, and forward verses reply.
- Update or increase IT and Financial security procedures and 2-step verification processes.
- Encourage staff to exercise caution with posts to social media and company websites.
The easiest and most effective step an organization can take to minimize the risk of exposure from a phishing attack is to train new and current employees, including board members, on the signs of suspicious electronic communications. Conducting anti-phishing training at least annually, sending reminders to employees when a suspicious e-mail is detected, or disseminating electronic tips (e-tips) to help employees avoid opening suspicious e-mails can keep employees aware and further strengthen the cybersecurity of the organization.
Helpful resources for anti-phishing training include:
What should we do if we suspect we have been a victim of a phishing attack?
To report a Privacy & Information Security claim or for questions about the coverage, please email us or call Marcy Barker, Claims Manager, at 855.295.8344. Members of the Fund’s Property and/or Liability programs already have Privacy & Information Security coverage at no additional cost. The coverage includes access to one of the world’s premier providers of data breach response services, the Beazley Group.
Editor's note: This article was originally published in September 2015 and has been updated for accuracy and comprehensiveness.