Phishing schemes are getting more personalized and more targeted—and it’s up to both you and your employees to know how to deal with them when they occur. Read on for a few tactics for improving your odds of staying safe from data or identity theft.
Next time you get an email from the boss, you might want to triple-check that address.
Recently, a study from the anti-phishing firm Inky [registration required] found that 12 percent of phishing attacks involved “VIP impersonations,” or messages that looked like they were from top executives at an organization—a highly targeted form of attack that turns a top executive’s name into a Trojan horse. Often, these schemes involve real-time emails from someone pretending to be a CEO who is looking to acquire information from a lower-level employee.
The result leads to direct engagement between the scammer and the victim—and to a potential loss of sensitive data.
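The two header patterns behind this kind of attack, a top executive's display name attached to an outside mailbox and a reply address pointing away from the organization, can be checked mechanically before a message reaches the inbox. The Python below is an added example for this article, not code from Inky or anyone quoted here; the executive name, the domain example.org and the sample messages are constructed for illustration, and it generalizes slightly from the article by also covering the redirected Reply-To case.

```python
import email
from email.utils import parseaddr

# Constructed assumptions for the example: the executives whose names are worth
# protecting, keyed by normalized display name, and the organization's own
# sending domain. A real deployment would load these from a directory service.
EXECUTIVES = {"dana chief": "dana.chief@example.org"}
ORG_DOMAIN = "example.org"


def _normalize_name(display_name: str) -> str:
    # Collapse case and whitespace so "Dana  Chief" and "dana chief" compare equal.
    return " ".join(display_name.lower().split())


def vip_impersonation_flags(raw_message: str) -> list[str]:
    """Return the reasons a message looks like VIP impersonation; empty means none."""
    msg = email.message_from_string(raw_message)
    flags = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # Pattern 1: a known executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(_normalize_name(display))
    if expected and from_addr != expected:
        flags.append(f"executive display name '{display}' on foreign address {from_addr}")

    # Pattern 2: From claims to be internal, but replies are routed to an outside mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.lower().rpartition("@")[2]
    if from_domain == ORG_DOMAIN and reply_domain and reply_domain != ORG_DOMAIN:
        flags.append(f"internal From but replies go to {reply_addr}")

    return flags


# Constructed sample messages: one genuine, one name-only impersonation, one reply hijack.
LEGIT = "From: Dana Chief <dana.chief@example.org>\nSubject: Budget\n\nSee attached.\n"
LOOKALIKE = 'From: "Dana  Chief" <dana.chief.ceo@mail.invalid>\nSubject: Urgent\n\nAre you at your desk?\n'
REPLY_HIJACK = ("From: Dana Chief <dana.chief@example.org>\nReply-To: dana.chief@mail.invalid\n"
                "Subject: Urgent\n\nCan you send me the vendor list?\n")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-hijack", REPLY_HIJACK)):
        print(label, vip_impersonation_flags(sample))
```

Display-name matching is deliberately loose; tune the normalization to your own naming conventions and pair it with DMARC enforcement so that forged From addresses on your own domain are rejected before this check runs.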
This kind of targeted attack—along with similar ones cited by Inky such as corporate email spoofing and sender forgery—is on the rise, and if your employees aren’t aware of what it looks like, it could lead to a world of hurt for both them and your organization. Here are a few things to keep in mind when it comes to dealing with phishing emails.
Be careful with what information you share online. Speaking to TechHQ, Inky founder and CEO Dave Baggett noted that automated scraping was likely an issue at play in phishing attacks. “Attackers are clearly scraping data from sites like LinkedIn to target specific VIPs; we can tell this is automated scraping of some sort because they’ll sometimes target ex-employees by accident,” Baggett told the website. For associations, one strategy that could help with this problem might involve minimizing public access to pages such as staff directories, which can be easily scraped and leave information in a vulnerable place.
Keep up to date on new tactics. Email schemes have long had a reputation for a certain offbeat tenor—think, for example, of Nigerian 419 scams that clearly wouldn’t fool the average person. The problem is that scams have not remained in stasis. One such scam highlighted in Inky’s study involves a message with a user’s password in the subject line and a threat that the scammer will release sensitive images of the user if he or she doesn’t pay them in cryptocurrency. It’s an automated scheme based on the use of leaked password databases, but if a person hasn’t been following the news, they may not know that. Be sure to arm your employees with information so they aren’t tricked.
Bring some training on board. In an interview last year with Associations Now, Gary Grabowski, vice president of Summit Business Technologies, argued that training programs were necessary, in part because what seems like common sense to one person may actually be an oversight for someone else. Training, he says, creates a baseline. “Focus on educating your users about commonsense security by making them aware of what the commonsense elements are,” he said.