With more employees working remotely or in a hybrid environment, risks for cyber attacks are increasing. More distractions, interruptions and stress can make employees more susceptible to phishing — a common form of cyber crime that manipulates people into disclosing personal or confidential information. Whether the phishing attack takes the form of an email, phone call, text or social media message, the goal is the same: to get people to lower their defenses in order to steal money, identities or hack into an internal network.
As part of a comprehensive data privacy and information security program, conducting ongoing phishing awareness training is a proactive way to change employee behavior and keep sensitive information out of the hands of criminals. Employees should know how to recognize the different types of phishing, including:
Spear phishing is a form of phishing where fraudulent emails are sent to targeted individuals or organizations in an effort to access specific confidential information. Criminals often gather information about a target’s workplace or coworkers from social media sites or the internet and then use relevant details to craft an email that appears to be from a supervisor, colleague or manager.
The term ‘vishing’ combines voice and phishing to describe a type of fraud involving a phone call or voice message. Typically, cyber criminals disguise themselves as members of a trusted organization or pose as IT managers or consultants to get individuals to provide personal information or access to the organization’s network. Fake caller-ID information is often used to make the calls appear to be from a legitimate source.
Mobile phishing, sometimes called smishing, uses fraudulent SMS or text messages to trick individuals into giving out sensitive data, such as an account password or Social Security number. The message often includes a link that’s used to steal information or install malware on the mobile device. Smartphones are a particularly tempting target for cyber criminals because they’re commonly used for both work and personal use, and people often don’t realize that their phone can pose a cybersecurity risk at work.
10 tips to avoid getting hooked by phishing scams
- Whether it’s an email, text message, call or social media message, employees should pause and take time to think before clicking, opening or responding to any message, especially when working remotely.
- Be suspicious of all “urgent” requests or demands for immediate actions that require login credentials, payment information or sensitive data such as bank account information, credit card number and date of birth.
- Look for misspellings and odd phrases. Phishing attacks often include messages with typos or grammatical errors.
- Look out for generic greetings such as ‘dear valued member’ or ‘dear customer.’
- Don’t click on links you receive on your phone unless you know the sender, and check with that person directly to verify the message is genuine.
- Hover the cursor over a link to see the actual address. If it differs from the URL shown in the message, it’s probably a phishing email. Look out for small variations, such as .com versus .net.
- Retype the website address into the browser instead of clicking the link in the email. Don’t copy and paste — it can be deceptive and add risk.
- Use strong passwords and don’t reuse passwords across systems.
- Keep antivirus or other security software up to date.
- If you suspect a phishing attack, immediately contact the IT department, cyber security manager or other designated person.
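The “hover over the link” tip above is something an email filter can check automatically: extract each link from the message body, and when the visible link text itself looks like an address, compare its host with the host the link actually points to. The following script is an added example written for this article, not code from the original page or any product it describes; the HTML message it scans is constructed for the demonstration, and the example.com / example.net / example-secure.test addresses in it are placeholders. It flags both outright host mismatches and the subtler “.com versus .net” variation the tip warns about.

```python
"""Flag links in an HTML email whose visible text and real target disagree.

Added example for the phishing-awareness tips; the sample message below is
constructed, and all domains in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Return the lowercase host of a URL; tolerate text with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Visible text such as 'www.example.com/login' gives us a host to compare."""
    text = text.strip()
    return "." in text and " " not in text


def suspicious_links(html_body):
    """Return (visible_text, href, reason) for each link worth flagging.

    reason is 'tld-variation' when only the last label differs (example.com
    shown, example.net linked) and 'host-mismatch' for any other difference.
    Links whose text is ordinary words ('Click here') are skipped: there is
    no displayed address to compare.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.anchors:
        if not href or not looks_like_url(text):
            continue
        shown_host = host_of(text)
        real_host = host_of(href)
        if shown_host == real_host:
            continue
        shown_parts, real_parts = shown_host.split("."), real_host.split(".")
        if shown_parts[:-1] == real_parts[:-1] and shown_parts[-1] != real_parts[-1]:
            reason = "tld-variation"
        else:
            reason = "host-mismatch"
        findings.append((text, href, reason))
    return findings


# Constructed sample message (placeholder domains only).
SAMPLE_EMAIL = """
<p>Dear valued member,</p>
<p>Your account will be suspended. Log in at
<a href="http://www.example.net/login">www.example.com/login</a>
or <a href="http://login.example-secure.test/">https://www.example.com</a>.
<a href="https://www.example.com/help">www.example.com/help</a>
<a href="https://www.example.com/help">Click here</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shows '{text}' but points to {href}")
```

Run against the sample, the script reports the first link as a TLD variation (.com shown, .net linked) and the second as a host mismatch; the third link is consistent and the fourth has no address in its text, so neither is reported. The same comparison is what a reader performs by hand when hovering over a link.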
Whether working remotely or onsite, all employees can benefit from phishing training; phishing is a cyber crime that hit 83% of organizations in 2020. As part of an organization’s information security program, training is an effective tool for raising employee awareness of increasingly sophisticated phishing scams and of what they can do (or not do) to keep devices and networks safe.