Have you ever been ‘manually hijacked’? Hopefully not, but this is how Google describes the situation where an individual’s online accounts are manually and extensively exploited by a hacker.
Phishing is the usual starting point, a method (typically via email) whereby individuals are tricked into giving up valuable information such as passwords, bank account details, indeed anything that a cybercriminal might find useful.
Phish of the day or dupe du jour, Sir?
Phishing has been around for a while and, by now, people like to think they can spot a scam at 20 paces, but Google’s survey suggests otherwise: they found that fake websites worked 45% of the time and 14% of visitors actually submitted their info. Even the most blatantly fake sites deceived 3% of people – an impressive hit rate when you consider the millions of phishing emails in circulation.
And if an account owner does, belatedly, see the light it had better be sooner rather than later: in 20% of hijacked accounts, hackers were already at work within 30 minutes of a successful strike.
So how does this affect businesses?
Phishing, and its close cousin ‘social engineering’ (where personal data is used to customise a phishing message), is not just about individuals – if your employees can be tricked into giving up useful information to hackers, then there can be consequences in the workplace.
For a start, hackers know that people very often use the same logins on both personal and workplace accounts; if a hacker sends a phishing email to a personal account and manages to con someone into handing over their logins, they will use those passwords to attempt access to corporate networks. And how do they know where the individual works? By looking at LinkedIn, Facebook, Twitter…et al.
Another consideration is that employees targeted in the business environment may not be as wary of clicking on links as they are at home; at work, employees are less likely to see themselves as personal targets and may be more likely to click on seemingly business-relevant links than the ‘You could already be a millionaire!!’ tricks they see at home. The risk of their handing over company account logins is a real one.
How to avoid being caught
To protect your business from such cyberattacks, start with the standard array of software and hardware security measures: spam filters, firewalls, anti-virus and anti-spyware software. And keep them automatically updated.
The manufacturers of these products will be the first to admit that they are not 100% failsafe, and whilst these screens will suppress the bulk of phishing attempts, they cannot be solely relied upon. After all, it is the end-users themselves that make the final decision about whether to take the bait…Think ‘peopleware’ as well as malware.
Importantly, you should educate employees about the mechanisms by which critical information can be conned out of them. Explain exactly how the company can be affected by those cons and that, if it affects the company, it affects them.
Specifically, instruct employees not to click on embedded links (or pop-ups) and then enter passwords. Even if an email appears to be from a known organisation, they should type the relevant URL into the browser instead. If it’s legit, they should bookmark the link and use that each time they visit the site.
Sites that aren’t secure i.e. don’t have a padlock symbol, or which don’t start with ‘https’ should be avoided altogether…better to be suspicious-and-safe than trusting-and-tricked.
To avoid cross-contamination of personal and business accounts, make sure employees use unique passwords for every single online account they have. There’s no point in having unique passwords unless they are also strong i.e. long (15+ characters) and complex (containing symbols, numbers and a mix of case). Using a password manager helps to keep track of them all.
A stitch in time
Being ‘manually hijacked’ may not involve physical roughhousing but the downstream effects could well make a victim – be it individual or company – feel as though they’ve been put through a mangle. The real trick is to not get stitched up in the first place.