Here phishy, phishy… Tips to Evade Phishing Attacks
Christen Church is a partner who focuses her practice on intellectual property, data privacy and security, corporate advisory services, and health care regulation and compliance.
Over $1,300,000,000.00 and 298,728.
Respectively, these numbers represent the reported losses and the number of complaints the FBI’s Internet Crime Complaint Center received in 2016. Many of these losses resulted from ransomware, tech support fraud, and Business Email Compromise (BEC), with most originating from phishing emails.
BEC scams represent the increasingly sophisticated efforts of internet criminals. A criminal sends a phishing email designed to let the scammers into your email accounts and computer system. Once you click on a link or open an infected file, scammers can gain access and lie in wait for days or weeks. During this time they will monitor your activity and gather information to compromise your financials, or to obtain enough information to impersonate you and effect fraudulent financial transactions.
To help reduce the chance of becoming a victim of cybercrime, work to prevent the initial intrusion.
Think Before You Click
Whether it looks like an email from a potential customer, your accountant, your bank, or even your mother, always think before you click on any link or attachment. Criminals are becoming more and more sophisticated; the days of unexpectedly receiving an email from a far-off land full of misspellings and poor grammar are getting further in the rearview mirror. “Spear phishing,” a phishing attempt specifically tailored to look like it is coming from someone you know or do business with, is becoming increasingly common.
Look closely at the sender’s email address and any links that are included. If you were not expecting a message or something feels “off,” consider reaching out to the sender. If the email is asking you to access your account, do not click on the link. Instead, go directly to the company’s website to access your information.
Increase Your Defenses
When available, use multifactor authentication on your accounts. Nothing can entirely stop the efforts of determined cyber criminals, but use the reasonable tools available to make those efforts much more difficult.
Keep your operating system and software up to date with the most recent patches, install and update protective software (antivirus, antimalware, etc.), and maintain your firewall. Train your staff to recognize phishing attempts and to know what to do if they have concerns about an email.
Look at your insurance policies. Do you have cybersecurity insurance? What is your coverage and does your coverage provide access to tools to assist you in building your defenses, including samples of policies and procedures and incident response plans?
Increase Your Awareness
Begin looking at the information you hold and how that information is accessed. Do you have Social Security numbers, financial account information, health information? Are there ways to reduce the amount or types of sensitive information you hold without compromising your business and your ability to serve customers? Do you allow employees to bring their own devices, and are these devices segregated onto a guest system or allowed to enter your company network? The National Institute of Standards and Technology (NIST) provides a number of tools to assist with these self-assessments, including the NIST Framework for Improving Critical Infrastructure Cybersecurity.
You may also find value in having a third-party vendor perform network assessments to identify areas of weakness to focus on, from both a technology and human factor standpoint. When an assessment is ordered by legal counsel, it may be protected under attorney-client privilege and the attorney work product doctrine under certain scenarios. Reach out to your legal counsel to discuss.