A report published by the U.S. Department of Justice last year revealed that, on average, at least 4,000 ransomware attacks had occurred every day since the beginning of 2016. This represents a fourfold increase over the previous year.
In the overwhelming majority of cases, particularly in the workplace, ransomware ends up on a computer by way of a phishing scam. These attacks, whereby cybercriminals attempt to acquire sensitive information using social engineering tactics, end up costing companies millions of dollars.
How Does a Phishing Scam Work?
Phishing relies on social engineering to dupe victims into giving away sensitive information. Almost all of these scams arrive by email, masquerading as messages from legitimate organizations such as banks or other companies. An early ancestor of these attacks is the Nigerian Prince advance-fee scam which, surprisingly, fooled thousands of people into sending money to an imaginary monarch. Cybercriminals send these messages out en masse in the hope that even a small percentage of recipients will fall for them.
Of course, not many people would be foolish enough to reveal things like financial or login information to just anyone, so phishing scams need to employ clever social engineering tactics to trick their victims. As such, they often appear to be branded, using the name and logo of a genuine organization. To make matters worse, they also use spoofed email addresses and obfuscate any links.
To further mask their intentions, more sophisticated scammers take advantage of weaknesses in the email system itself. Sender spoofing is the most common: the SMTP protocol does not verify the ‘From’ header, so a sender can put any address there, and a receiving server that is not enforcing SPF, DKIM and DMARC checks will accept it. Some misconfigured servers even allow unauthenticated third parties to connect directly and relay mail through them, making it easier than ever for scammers to make their emails look as though they’re coming from a legitimate source.
How to Train Your Employees to Identify Phishing Scams
The first thing to do is ensure that your company has taken all the recommended technical measures to protect itself from data breaches of any kind. Unfortunately, however, there’s no such thing as a system that’s 100% effective, so you should never rely on it entirely. As such, there’s no substitute for educating your employees on the risks involved, particularly when it comes to phishing scams.
One of the best ways to start raising awareness in your organization is to provide training handouts that exemplify the common types of phishing scams your employees need to be on the lookout for. Fortunately, most bulk phishing scams are easy to spot for those who are adequately informed, and there are some common signs that an email or website comes from a suspicious source:
- A legitimate organization will not ask you to send passwords, PINs or full card details by email, or to ‘confirm’ them on a page linked from one. Treat any email that prompts you to divulge such information as a scam.
- One of the most common social engineering tactics is to instill fear or urgency in the victim. Such emails may claim that your computer is infected with a virus or that an account will be closed if you don’t take immediate action.
- An email that purports to be a confidential or private request for the recipient’s eyes only is immediately suspicious. Scammers use this tactic to try to prevent you from verifying the email with anyone else.
- Many phishing scams contain an attachment which, when downloaded and opened, turns out to be malicious. Often the attachment is ransomware, which encrypts important files and demands payment for the key.
- More sophisticated phishing emails hide their origin quite well, but they can usually be uncovered by examining the message headers. The ‘Received’ chain records the IP address of the server that handed the message to your own mail server, and the ‘Authentication-Results’ header records whether the claimed sender domain passed SPF, DKIM and DMARC checks. Bear in mind that a sender can forge any ‘Received’ line below the one written by your own server, so only the hops added by infrastructure you control are trustworthy.
- Awkward wording or spelling and grammar mistakes should raise red flags instantly. Many scammers have a poor command of English and, sometimes, emails are even machine-translated. Don’t rely on this sign alone, though: targeted campaigns are often carefully written.
- If a sender’s email address or any link in the email doesn’t exactly match the legitimate one, treat the email as a scam. Look for extra or missing letters and dots, added words such as ‘secure’ or ‘login’, and for the genuine brand name buried in a subdomain of some other domain. Hover over a link to see its real destination before clicking: the visible text and the actual address are often different.
- Spoofing the ‘from’ address is extremely easy: the sending system fills in the field itself and nothing in the protocol verifies it. After all, people who manage multiple email addresses use the field for legitimate purposes. From a security perspective, therefore, you should never treat the ‘from’ field as proof of who sent a message.
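The header and link checks in the list above (the ‘Received’ chain and authentication results, ‘from’ spoofing, and lookalike links) can be automated for an analyst or a mail-gateway rule. The following is an added example, not code from the original article or from any product it mentions. The sample message is constructed for illustration and uses only the reserved .example top-level domain and RFC 5737 test addresses; the `registrable()` helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Header and link triage for a suspected phishing email (added example, not
code from the original article; the sample message is constructed and uses
the reserved .example TLD and RFC 5737 test addresses)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample. Only the top Received line (written by our own MX) is trustworthy.
RAW_EMAIL = b"""Received: from mail.examplebank-secure.example (unknown [203.0.113.45])
 by mx.corp.example (Postfix) with ESMTP id 4F3A1
 for <alice@corp.example>; Mon, 06 Mar 2017 09:14:02 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
 by mail.examplebank-secure.example with ESMTPA; Mon, 06 Mar 2017 09:13:58 +0000
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=bounce@examplebank-secure.example;
 dkim=none; dmarc=fail header.from=examplebank.example
Return-Path: <bounce@examplebank-secure.example>
From: "ExampleBank Security" <alerts@examplebank.example>
Reply-To: verify@examplebank-secure.example
To: alice@corp.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Click
<a href="http://examplebank.example.login-verify.examplebank-secure.example/">https://www.examplebank.example/login</a>
to confirm your details.</p></body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def addr_domain(header_value) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def registrable(host: str) -> str:
    """Crude 'registered domain' (last two labels); real code would consult the
    public-suffix list, but this suffices to expose brand-in-subdomain tricks."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts recorded by our own MX in Authentication-Results."""
    text = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(text)}


def received_ips(msg) -> list:
    """IPs from the Received chain, top (hop seen by our MX) to bottom (claimed origin)."""
    found = (IP_RE.search(str(hop)) for hop in msg.get_all("Received", []))
    return [m.group(1) for m in found if m]


def link_mismatches(msg) -> list:
    """(visible text, real href) pairs whose registered domains differ."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host and registrable(shown_host) != registrable(real_host):
            out.append((shown, href))
    return out


def triage(raw: bytes) -> list:
    """Human-readable findings for one message; an empty list means nothing flagged."""
    msg = parse(raw)
    findings = []
    from_dom = addr_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):  # envelope sender and reply target
        dom = addr_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    for check, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{check} check result: {verdict}")
    for shown, href in link_mismatches(msg):
        findings.append(f"link text {shown!r} actually points to {href}")
    return findings


if __name__ == "__main__":
    print("connecting IP seen by our MX:", received_ips(parse(RAW_EMAIL))[0])
    for line in triage(RAW_EMAIL):
        print("-", line)
```

Run as a script, it reports the IP that connected to the corporate MX (203.0.113.45), the mismatch between the spoofed ‘From’ domain and the envelope sender and reply address, the failed SPF and DMARC checks, and the link whose visible text names the bank but whose real destination is an attacker-controlled domain. The deeper ‘Received’ line claiming 192.0.2.10 is reported but not trusted, because the sending server wrote it. On real mail, replace the regex-based anchor extraction with an HTML parser and `registrable()` with a public-suffix lookup.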
Once you’ve educated your employees on the common characteristics of phishing emails, you’ll also want to have a response plan in place to ensure that suspicious emails are handled appropriately. Most importantly, potential victims should never click on links or open attachments from unsolicited or unexpected emails. Employees should also be required to report any suspicious message immediately to their supervisor and to whoever handles IT security, and to warn colleagues, since the same campaign usually reaches several people at once.
Raising awareness of the various security threats out there is crucial when it comes to safeguarding your business from costly data breaches. Nonetheless, an informed workplace should always complement a trusted IT security solution, such as a managed security service. Contact us today to find out how we can help you keep your business safer.