Organizations are noticing an increase in targeted phishing attacks. Here’s how to prepare your staff.
If you’ve noticed an increase in phishing attacks lately—in your email inbox, on your social media profiles, and especially as texts to your cell phone—you’re not alone.
Back in September, Security Magazine posted an article describing research that showed a rise in targeted attacks since the onset of the pandemic. Since then, more companies have reported spikes in fraudulent activity, including more nuanced scams that are harder for even wary employees to catch.
It’s no mystery as to why these attacks are growing more common. The Covid-19 pandemic pushed many employees online abruptly, before organizations had time to strengthen their IT systems to match. The resultant confusion was threefold.
First, the rapid scaling of remote systems created natural weaknesses in IT security as businesses adapted makeshift solutions without fully vetting or securing them.
Second, the adoption of new online systems meant employees were barraged with a whole new set of tools, each with its own account name and password. Not only were employees less likely to create strong passwords under these circumstances; it was also easier to trick even the wariest of them into giving up credentials with clever phishing tactics.
And finally, many of the employees who moved online were technological holdouts: people who did not consider themselves computer savvy and felt uncomfortable in their new digital environment.
In short, confusing times make for confused employees, and confused employees are easier to exploit. However, this does not mean businesses are without recourse. Here are four steps you should take to secure your business.
1. Educate yourself and your employees.
There’s a disconnect in the business world between the reality of phishing scams and what employees, managers, and executives expect. Many of us know phishing only from clumsy attempts that are comically easy to spot, and many employees and executives alike believe that only high-profile members of an organization are targeted.
In reality, attackers often cast a wide net to find the weak links in an organization. Once they gain a foothold through a lower-level employee’s account, they can target someone higher up the chain. The more they learn from lower-level employees, the more convincing their attempts become, with disguised sender names, corporate sign-offs, or references to coworkers that lend their emails an air of credibility.
Organizations need to invest in security training across the board so that every employee is aware of these attacks and knows when and how to report them. Make it part of your business culture that employees verify any request for information or credentials that seems even slightly unusual, and that they verify it out of band: a text to the manager’s known number or a phone call to the coworker, never a reply to the email or a call to a number the email itself supplies. Employees should have no hesitation about doing so.
2. Set up 2FA to add additional security to your accounts.
Phishing attacks are designed to extract personal information from the victim, most commonly as part of an identity theft operation. Where corporate attacks are concerned, however, the more likely goal is to gain access to internal systems through an employee’s username and password.
In this case, businesses can blunt even a successful phish by requiring two-factor authentication. Even if an employee gives up a password, the attacker cannot sign in without the second factor, and with push- or app-based methods the employee may also see the attempted sign-in as it happens. Two caveats apply. One-time codes delivered by SMS or generated by an authenticator app can themselves be relayed in real time by a phishing page that proxies the genuine login, so prefer phishing-resistant methods such as FIDO2 security keys or platform authenticators, which bind the login to the real site’s origin. And a burst of unexpected push prompts is itself a known lure: employees should deny prompts they did not initiate and report them.
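To make the mechanism concrete, the following added example (written for this edit, not code from the original article or from any vendor) implements the standard time-based one-time-password check from RFC 6238 on top of RFC 4226 HOTP, and shows a login routine that requires both a password and a current code. The user record, password, and salt are constructed for the demonstration; the TOTP secret is the published RFC 6238 test-vector secret, so the codes can be checked against the RFC. Note what it does and does not defend against: a phished password alone is refused, but a code that an attacker relays within the acceptance window would still be accepted, which is exactly why the text above recommends phishing-resistant factors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def totp_matches(secret: bytes, code: str, unix_time: int,
                 step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.
    Malformed input is rejected before any comparison is attempted."""
    if len(code) != digits or not code.isdigit():
        return False
    for delta in range(-window, window + 1):
        expected = totp(secret, max(unix_time + delta * step, 0), step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed user record for the demonstration. The password hash is what a
# phished password unlocks; the TOTP secret is shared only between the server
# and the employee's authenticator and never travels in a login form.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "sam.okafor": {
        "pw_hash": hash_password("Autumn2020!"),        # constructed password
        "totp_secret": b"12345678901234567890",         # RFC 6238 test-vector secret
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> str:
    """Both factors must check out; the reason string is for the demo, not for users."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password)):
        return "denied: bad password"
    if not totp_matches(user["totp_secret"], code, unix_time):
        return "denied: bad second factor"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    secret = USERS["sam.okafor"]["totp_secret"]
    # Attacker holds the phished password but has no authenticator.
    print("phished password, no code :", login("sam.okafor", "Autumn2020!", "", now))
    # Attacker replays a code harvested ten minutes ago.
    print("phished password, old code:", login("sam.okafor", "Autumn2020!", totp(secret, now - 600), now))
    # Legitimate employee with the current code from their authenticator.
    print("employee, current code    :", login("sam.okafor", "Autumn2020!", totp(secret, now), now))
```

The acceptance window is what makes real-time relay possible: an adversary-in-the-middle page that forwards the code to the real site within about thirty seconds gets the same "ok" as the employee. A FIDO2 authenticator closes that gap because its signature covers the origin the browser actually connected to.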
3. Install a firewall to block suspicious downloads.
Phishing attacks can also be used to trick users into downloading malware disguised as work files. Imagine one of your employees receiving an email that appears to come from their manager, because the phisher has spoofed the manager’s display name and address. The employee opens the email, which includes a download link. When the employee clicks the link, it downloads malware onto the employee’s machine, and now it is inside your network.
A firewall or secure web gateway that inspects downloads, together with mail filtering that strips executable attachments and blocks links to known-bad sites, can break this chain even after the employee clicks. Publishing SPF, DKIM and DMARC records for your own domain also lets receiving mail servers reject messages that forge your addresses outright, although lookalike domains still get through and need the other controls. Even if an employee falls for the initial ploy, these layers keep the damage from going too far.
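The kind of checks a mail gateway applies to the lure described above, as an added example written for this edit rather than code from the original article or any product: it parses a message with Python’s standard `email` module, flags a sender whose display name matches a real employee while the address comes from an outside domain, requires a DMARC pass for mail that claims the corporate domain, and flags attachments that are executable, hide behind a double extension, or declare one type while their leading bytes say another. The corporate domain, staff directory, and both sample messages are constructed for the demonstration.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

CORPORATE_DOMAIN = "example.com"            # assumed: the organisation's own mail domain
DIRECTORY = {"dana lee", "sam okafor"}       # constructed: display names of real staff

# File types that run when opened; a "work file" from a colleague should never be one.
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".lnk")
# Leading bytes that identify the real format, whatever the filename claims.
MAGIC = ((b"MZ", "windows-executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"))


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_sender(msg) -> list:
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain != CORPORATE_DOMAIN and name.strip().lower() in DIRECTORY:
        findings.append(f"display name '{name}' matches a staff member but sender domain is '{domain}'")
    if domain == CORPORATE_DOMAIN:
        # Authentication-Results is written by the receiving MTA (RFC 8601).
        auth = str(msg.get("Authentication-Results", "")).lower()
        if "dmarc=pass" not in auth:
            findings.append("claims the corporate domain but the receiving MTA recorded no dmarc=pass")
    return findings


def check_attachments(msg) -> list:
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if fname.endswith(EXECUTABLE_EXT):
            findings.append(f"attachment '{fname}' is an executable type")
            if fname.count(".") >= 2:
                findings.append(f"attachment '{fname}' hides its type behind a double extension")
        declared, real = part.get_content_type(), sniff(data)
        if declared == "application/pdf" and real != "pdf":
            findings.append(f"attachment '{fname}' is declared PDF but its bytes look like {real}")
    return findings


def check_message(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_attachments(msg)


def build_lure() -> bytes:
    """Constructed lure: real manager's name, lookalike domain, 'PDF' that is really a PE file."""
    msg = EmailMessage()
    msg["From"] = "Dana Lee <dana.lee@example-c0m.net>"
    msg["To"] = "sam.okafor@example.com"
    msg["Subject"] = "Q3 numbers - please review before the call"
    msg.set_content("Sam, the figures we discussed are attached. Open and ping me.")
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60            # PE header, not a PDF
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Q3_figures.pdf.exe")
    return msg.as_bytes()


def build_clean() -> bytes:
    """Constructed legitimate internal message that passed DMARC at the gateway."""
    msg = EmailMessage()
    msg["From"] = "Sam Okafor <sam.okafor@example.com>"
    msg["To"] = "dana.lee@example.com"
    msg["Subject"] = "Notes from today"
    msg["Authentication-Results"] = "mx.example.com; dmarc=pass header.from=example.com"
    msg.set_content("Notes attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application", subtype="pdf",
                       filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("clean", build_clean())):
        print(label, check_message(raw) or ["no findings"])
```

None of these checks is sufficient alone: a lookalike domain with its own valid DMARC passes the authentication check, and an archive or document with a macro carries no executable extension. That is why the gateway rule set sits beside training and second factors rather than replacing them.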
4. Invest in access management software.
Finally, businesses should invest in enterprise-level access management software, such as that provided by Microsoft 365 Enterprise Mobility + Security, as an added layer of protection against security threats of all kinds. The identity and access management services Microsoft offers not only make it easier for organizations to set up responsive access controls, reducing the burden on employees of constantly signing in to and verifying every account they use; they can also identify unauthorized access attempts and spot suspicious activity.
These are just a few of the tools Microsoft offers to help organizations mitigate the danger posed by phishing attacks; businesses should look to them as part of a proactive strategy to keep themselves secure.
Organizations should avoid blaming the victims, and instead focus on error-proofing their systems.
One thing all organizations should stress to their employees is that, while everyone must be vigilant, no one is perfect. Too many stories of phishing attacks have placed victims in the role of technological rubes—people too ignorant of online systems to spot the obvious warning signs.
However, as phishing attacks have grown in sophistication, even the technologically literate have been duped. More importantly, employees are only human. Especially in times of uncertainty and upheaval, stress and exhaustion play a significant role in decreasing an employee’s awareness when a suspicious email comes through. It’s far too easy for any employee, at the end of a long and tiring day, to click without looking closely enough.
This is why organizations need to stop blaming victims for falling prey to phishing attacks, and instead adopt strategies that are resilient, even in the face of human error.