Compliance training is taking on new relevance as organizations and their employees adapt to evolving changes caused by COVID-19. Unfortunately, criminals are exploiting the pandemic with sophisticated phishing scams that attempt to trick people into divulging personal and business data, sending in money or downloading malware attachments. Training employees on information security and how to keep confidential data out of the hands of cyber criminals has never been more important.
What is social engineering and phishing?
Phishing is a form of social engineering — the concept of exploiting human psychology to manipulate people into sharing personal or other confidential information via emails, texts, phone calls and social media. For example, criminals impersonating tech support staff trick employees into providing their passwords. Spear phishing is a form of phishing where fraudulent emails are sent to targeted individuals or organizations in an effort to access specific confidential data.
The Federal Trade Commission (FTC) says phishing emails and text messages often tell a story to deceive people into clicking on a link or opening an attachment by:
- saying they’ve noticed some suspicious activity or log-in attempts
- claiming there’s a problem with an account or payment information
- requesting confirmation of personal information
- including a fake invoice
- wanting the recipient to click on a link to make a payment
- saying the recipient is eligible to register for a government refund
- offering a coupon for free stuff
As part of an organization’s ongoing cyber security training and communication, these 10 tips can help raise awareness of phishing attacks, change employee behavior and keep information security top of mind:
1. Think before opening emails from unknown senders.
2. Be wary of all attachments and scan them before opening.
3. Look for misspellings and poor grammar in emails. These are red flags for phishing scams.
4. Confirm that the name and the email address are consistent.
5. Hover the cursor over a link to see the address. If it’s different from the URL in the message, it’s probably a phishing email. Look out for variations, such .com and .net.
6. Retype the website address into the browser instead of clicking the link in the email. Do not copy and paste — it can be deceptive and add risk.
7. Be suspicious of messages that contain threats, request urgent action or create fear.
8. Don’t give out passwords or other personal information to anyone via email.
9. Be aware of fraudulent links posted on social media that compromise and infect the individual’s social media account and network.
10. Report any suspicious emails to a manager or the IT department.
It really comes down to being cautious and careful. Careful before opening an email from an unfamiliar sender, and extra careful before clicking a link or opening an attachment. And when in doubt, promptly contact a supervisor or IT.
Especially during these unsettling times, cyber criminals are unleashing creative ways to get people to divulge information and compromise systems. Focusing on the human element of cyber security is as essential as keeping anti-virus software and security settings up to date. Whether working from home or onsite, employees can benefit from regular training on how to protect confidential and sensitive data and how to recognize and report phishing emails and other scams.