Is training employees on information security on your year-end checklist? It should be. With more people working from home due to COVID-19, and the added distractions of the holiday season, it’s critical that employees know how to keep data and devices secure and stay alert to phishing attacks.
Phishing is a form of social engineering — a concept that plays on human emotions to manipulate people into sharing personal or other confidential information via emails, text messages (smishing), phone calls (voice phishing or vishing) and social media. Spear phishing is a scam that sends emails to targeted individuals or organizations in an effort to access specific confidential data.
Since the global pandemic, phishing emails have increased significantly, according to experts. The Federal Trade Commission (FTC), which recently posted information on avoiding vaccine-related scams, says phishing emails and text messages often deceive people into clicking on a link or opening an attachment by creating a sense of urgency or posing as a trusted company or source.
For example, phishing emails or texts might:
- Say they’ve noticed some suspicious activity or log-in attempts
- Claim there’s a problem with an account or payment information
- Require individuals to confirm some personal information
- Include a fake invoice for products or services that were never ordered
- Include an attachment that installs malware on computers
10 Tips To Avoid Phishing Scams
Whether employees are working from home, onsite or on the road, staying vigilant against sophisticated cyber scams is everyone’s responsibility. These 10 tips can help raise awareness of phishing attacks, change employee behavior and keep information security top of mind:
- Think before opening emails from unknown senders.
- Don’t open attachments from unknown sources. Be wary of all attachments and scan them before opening.
- Look for misspellings and poor grammar in emails. These are red flags for phishing scams.
- Confirm that the name and the email address are consistent.
- Hover the cursor over a link to see the address. If it’s different from the URL in the message, it’s probably a phishing email. Look out for variations, such as .com and .net.
- Retype the website address into a browser instead of clicking the link in the email. Don’t copy and paste — it can be deceptive and add risk.
- Be suspicious of messages that contain threats, request urgent action or create fear.
- Don’t give out passwords or other personal information to anyone via email.
- Be aware of fraudulent links posted on social media; they can compromise the individual’s social media account and infect their network.
- Report any suspicious emails, texts or calls to a manager or the IT department.
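The "hover over the link" tip above compares the address an email displays with the address the link really points to. The following is an added example, not code from the article, that automates that comparison over an HTML message body so a mail filter or analyst can flag the mismatch (including .com vs .net lookalikes) before anyone clicks; the sample message is constructed for this example.

```python
# Added example (not code from the article): flag hyperlinks in an HTML e-mail
# whose visible text shows one address while the href leads to another, the
# mismatch the "hover over the link" tip asks readers to spot by hand.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a domain or URL, e.g. "https://login.example.com/x"
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lower-cased host of a URL (scheme optional), or None if it has none.
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None

def mismatched_links(html_body):
    """Return (shown_host, real_host) for links whose visible text names a
    domain other than the one the href actually goes to (e.g. .com vs .net)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        m = DOMAIN_RE.match(text)
        if not m:
            continue  # plain wording such as "our help page": nothing to compare
        shown, real = m.group(1).lower(), host_of(href)
        if real and shown != real:
            findings.append((shown, real))
    return findings

# Constructed sample message in the style the article describes.
SAMPLE = ('<p>We noticed a suspicious log-in. Verify your account at '
          '<a href="https://login.example-bank.net/verify">https://login.example-bank.com</a> '
          'or read <a href="https://www.example-bank.com/help">our help page</a>.</p>')
```

Running `mismatched_links(SAMPLE)` reports that the displayed `login.example-bank.com` actually leads to `login.example-bank.net`, while the plainly worded help link is left alone because there is no displayed address to compare.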
Among the many challenges facing organizations this year is avoiding data breaches and keeping employees on alert for phishing emails and other scams. As part of a multipronged strategy, information security training is an essential step in raising awareness of the different types of security threats to organizations, and reinforcing what employees need to know and do to keep data and devices safe and out of the hands of criminals.