Would you take offense if someone called you gullible, naïve, easy to fool? Of course you would! But have you never been duped, not even by fake jeans, fake trainers, or even a fake smile? How about that email yesterday asking you to reset your password?
Phishing emails are a common starting point for cybercriminals. The intention is to trick individuals – your employees – into giving up passwords, usernames, and personal or company information.
After gaining entry to your business network, hackers may seek out a revenue source, or perhaps valuable information which they can sell on – customers’ details or intellectual property.
Or, for those whose aim is only to disrupt services or create disorder, your network can be made slow, unstable, or made to stop working altogether.
A guide to common phish: specimen A
An individual received an email from Evernote (well, that’s what he thought), the note-taking application used by millions of people to file notes for later reference. The email asked him to verify his email address by clicking on a link and then entering his Evernote password. It seemed legit, so he went ahead as instructed…
The scammer, knowing that individuals have a tendency to use the same logins on multiple accounts, tried the ill-gotten Evernote password on his victim’s email account… Bingo!
Having rummaged around the email account, the scammer found a potential gem: details of an investment account which he subsequently tried to draw down on by emailing the relevant institution.
Luckily, the investment account manager’s suspicions were raised by the unusual communication style of the email and the alarm was raised. Result: one scammer foiled, one very lucky victim let off the hook. (And let’s hope the quick-witted account manager got mentioned in despatches.)
A guide to common phish: specimen B
An employee in the Advertising Sales Department received a text to their work mobile number saying, “I tried to call but there was no reply. Please email me at Tricky.Dicky@MonkeyBusiness.com to discuss ad rates.” [Not the actual address!]
The employee was perplexed about the lack of a registered ‘missed call’, and the request to email rather than phone, but the lure of a potential sale was too good to miss. She fired off an email and got a reply asking her to click on a link in order to read more about the client’s company… You can guess what happened next.
Even if you have installed spam filters, firewalls, anti-virus and anti-spyware software to guard against malware, the ‘peopleware’ risk remains a problem: simple, common errors can be committed by otherwise intelligent employees.
Inculcate an attitude of wariness towards emails within the workforce:
- Watch out for spelling errors – this is especially important for employees whose first language is not English.
- Do not click on embedded links or pop-ups. If a message claims to come from a service you use, open that service by typing its address or using a saved bookmark, never via the link in the message.
- Do not enter passwords and usernames as a result of receiving an email.
- Do not blindly follow up mysterious enquiries – do the homework first.
- Use unique passwords for every personal and business online account.
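The Evernote lure above works because the link looks right while pointing somewhere else. As an added example (not code from the original article), the following Python script pulls every link out of an HTML email body and flags the ones a cautious reader should stop at: a destination that is not one of the sender's known domains, visible text that names one site while the href goes to another, or a plain http link. The email body and the trusted-domain set are constructed for the demo; the two-label domain reduction is an assumption that a real deployment would replace with a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body in the style of the "Evernote" lure above.
# The visible link text names the real service, but the href points elsewhere;
# a harmless support link is included to show that it is not flagged.
SAMPLE_EMAIL = """
<p>Please verify your email address to keep your account active.</p>
<p><a href="http://evernote-verify.example/login">https://www.evernote.com/verify</a></p>
<p>Need help? Visit our <a href="https://www.evernote.com/help">help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.evernote.com -> evernote.com).
    Assumption: adequate for this demo; production code should consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# A hostname-looking token inside the visible link text (e.g. "www.evernote.com").
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def suspicious_links(html, trusted_domains):
    """Return [(href, visible_text, [reasons])] for links worth stopping at."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if registrable_domain(host) not in trusted_domains:
            reasons.append("destination %r is not a domain this sender uses" % host)
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            reasons.append("text shows %s but the link goes to %s" % (shown.group(0), host))
        if url.scheme == "http":
            reasons.append("plain http rather than https")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, {"evernote.com"}):
        print(href, "|", text)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the verification link is reported with all three reasons and the genuine help-centre link passes. The same check is what a mail gateway or a browser's status bar gives you for free: hover before you click, and compare the real destination with what the text claims.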
In addition, make sure employees create strong passwords that cannot be guessed from facts on their social media profiles (pet’s name, birthday, football team). Harvesting those facts is the reconnaissance stage of social engineering, and the password is the first thing an attacker tries them against. Passwords should be 15+ characters long and contain a mix of symbols, numbers, and upper- and lower-case letters.
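To make the rules above checkable rather than aspirational, here is an added example (not from the original article) of a password policy check in Python. It enforces the 15-character minimum and the character classes, and it also rejects passwords built from profile facts, undoing the common "B1scuit" style substitutions before matching. The profile and the substitution table are constructed for the demo and are illustrative, not exhaustive.

```python
import re

# Constructed sample: facts an attacker could read off a public profile.
PUBLIC_PROFILE = {
    "name": "Sarah Jones",
    "pet": "Biscuit",
    "born": "12 June 1987",
    "team": "Arsenal",
}

# Substitutions people use to "disguise" a word; undone before matching.
# Assumption: a small illustrative table, not a complete list.
LEET = str.maketrans("@013$!57", "aoiesist")

CLASS_RULES = (
    (r"[a-z]", "lower-case letter"),
    (r"[A-Z]", "upper-case letter"),
    (r"\d", "digit"),
    (r"[^A-Za-z0-9]", "symbol"),
)


def profile_tokens(profile):
    """Words of three or more letters and four-digit numbers (years) from the profile."""
    tokens = set()
    for value in profile.values():
        for word in re.findall(r"[A-Za-z]{3,}|\d{4}", str(value)):
            tokens.add(word.lower())
    return sorted(tokens)  # sorted so that reports are deterministic


def password_problems(password, profile):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    for pattern, label in CLASS_RULES:
        if not re.search(pattern, password):
            problems.append("no " + label)
    lowered = password.lower()
    normalised = lowered.translate(LEET)  # "b1scuit" -> "biscuit"
    for token in profile_tokens(profile):
        if token in lowered or token in normalised:
            problems.append("contains profile token %r" % token)
    return problems


if __name__ == "__main__":
    for candidate in ("B1scuit1987!", "correct-Horse-battery-7-staple"):
        print(candidate, "->", password_problems(candidate, PUBLIC_PROFILE) or "OK")
```

The first candidate is rejected for length and for containing the pet’s name and birth year despite the substitutions; the second passes. Length does more for strength than forced symbol classes, and the unique-password rule in the list above is only realistic with a password manager that generates and stores them.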
End of the line
Whether one of your employees is phished at home or at work, your business may be exposed to expensive and reputation-damaging consequences.
Whilst no one in their right mind would willingly put themselves or their employer at risk, it takes just a few seconds of distraction to get caught by a phishing attack. Teaching your employees vigilance and caution, and honing their common sense in recognising the hallmarks of a scam, should go a long way towards minimising the risk.
If you are worried about your organization being the victim of a hacking incident, check out our free guide on How to Protect Your Company from being Hacked.