Computer systems in six hospitals across New York and Vermont were taken down last fall when an employee opened a personal email on a company computer and accidentally infected the hospital with malware. The damage? Roughly $50 million in lost revenue. Recently, another prominent healthcare organization, UC San Diego Health, shared that a data breach occurred after some of its employees’ email accounts were compromised. Perhaps most surprising, SANS Institute, a well-respected provider of cybersecurity training and certifications, revealed just last August that it lost personally identifiable information (PII) for 28,000 people in a data breach after just one single staff member opened an email attachment. What do these stories all have in common? Phishing. If a security training provider can fall victim to a phishing attack, that should be more than enough evidence to show you that it truly can happen to anyone.
Phishing for Answers
Phishing is an attack strategy where criminals send fake emails that LOOK like they are from a legitimate business, friend, or colleague, and try to get you to take an action that will provide the hacker with access to your environment and data. For example, clicking a phishing link can download malware or take you to a fake site that enables the criminal to steal any information you enter. In yet another tactic, criminals may pretend to be an executive at your organization and ask you to send them a report with valuable data — such as a client billing report — so they can send even more phishing attacks and try to reroute your organization’s payments to their accounts. And it’s not just email — criminals also conduct phishing attacks via text messages, social media, and phone calls.
Unfortunately, phishing is extremely common, and criminals know that humans are the Achilles’ heel of a business’s security. In fact, according to the 2021 Verizon Data Breach Investigations Report (VDBIR), the most common cause of a data breach was social engineering, and phishing accounted for over 80% of the successful attacks. This shows how important it is to pay attention to the human factor when it comes to cybersecurity. All it takes is one person to download an infected file, click a malicious link on social media, or answer a suspicious phone call, and a hacker could steal your data or lock every file in your organization.
So, what can you do to stay on your toes and make sure you’re not the reason your company gets hacked?
Tips to Avoid Getting Hooked by Phishing
There are several actions you can take now to help prevent getting hooked by shady phishermen. In other words, we’re here to help you “Achieve Nothing” - no computers hacked, no cybersecurity emergencies, nada.
Know what a phishing email looks like: Be on the lookout for some telltale signs of a phishing attempt so you can spot the bad guys before you click or otherwise take action. For example, take a close look at the sender’s email address. It’s common for attackers to closely mimic an address from a trusted company or someone you know. In addition, be wary of subject lines and language that convey a sense of urgency. Phishing emails will often have attachments that might look harmless but have a hidden script that enables hackers to download malware. You may also find notices of confidentiality in phishing emails, with the sender encouraging you not to tell anyone.
Always be suspicious of short links and inspect URLs: Another common tactic hackers use is short links that hide the long URL, so when you click on something like tinyurl.com/example, you’re brought to a malicious website. Before clicking, inspect links closely. Be sure to use the preview functionality for short links so that you know where the link wants to send you before you click anything that could be a well-disguised trap.
Be wary of websites with errors: Hackers can also send you to a fake website that will sometimes be so well done that you cannot easily distinguish between the fake site and the real site. (Although, a few spelling errors can sometimes give it away.) When you log in through these fake sites, hackers can capture your login information and use it to gain unauthorized access to other information in your accounts. They can also often log in to other websites and change your password so that you are essentially locked out. By the same means, hackers can gain access to your email and send mass emails to all your contacts.
Report right away and don’t respond: The thing is, we are all human, and humans make mistakes. If you’ve been hacked or suspect you have, report it immediately to your IT team and your supervisor. Reporting hacking immediately can help management to stop an attack or communicate with the rest of the team so that malware doesn’t spread throughout the office. Also, don’t respond to that email or message to check if it’s legitimate. Forward the information on to your IT team. If it’s legitimate, they will let you know, and you won’t have to worry about taking a risk by clicking a link. In addition, it’s important that you don’t click unsubscribe links in phishing emails. They can infect you just like any other link or attachment in that email. Furthermore, any response will validate your email address, and the hackers will simply send more phishing emails.
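The first two tips above (a sender address that closely mimics a trusted one, urgent language, and short links that hide their destination) can be checked mechanically as well as by eye. The script below is an added example, not code from LMG Security or the original post; it assumes a hypothetical list of trusted sender domains and a constructed sample message, and it simply reports which telltale signs it finds so a reader (or a mail-filter rule) can decide whether to forward the message to IT.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Hypothetical: domains this organization's staff legitimately receive mail from.
TRUSTED_DOMAINS = {"acme-corp.com"}
# Link shorteners hide the real destination (the post's tinyurl.com example).
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)

def edit_distance(a, b):
    # Levenshtein distance; a small distance between two domains suggests a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # Return the trusted domain that `domain` closely mimics, or None.
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def phishing_signals(raw_message):
    # Return the telltale signs found in one raw email as a list of strings.
    msg = message_from_string(raw_message)
    sender, body, signals = sender_domain(msg.get("From", "")), msg.get_payload(), []
    mimic = lookalike_of(sender)
    if mimic:
        signals.append(f"sender domain {sender} looks like {mimic}")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        signals.append("urgency language")
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        if (urlparse(url).hostname or "").lower() in SHORTENERS:
            signals.append(f"shortened link hides destination: {url}")
    return signals

# Constructed sample message, not a real phishing email.
SAMPLE = """From: "Acme Payroll" <payroll@acme-corp.co>
Subject: URGENT: verify your account within 24 hours

Your payroll access will be suspended. Confirm now: http://tinyurl.com/example
"""
```

Running `phishing_signals(SAMPLE)` flags all three signs on the sample; a message from an exact trusted domain with no urgent wording and no shortened links returns an empty list.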
Tips for Management
Managers and organization leadership are also targets for phishing. However, if you’re a manager, you also have the additional responsibility of ensuring your staff are armed with the information they need to help keep your organization from falling victim to phishing attacks. How can you help?
Invest in security awareness training: Mandating or encouraging security awareness training for all staff will help turn every employee into a cybersecurity first-line defender. Remember that it only takes one employee to click a link and the whole environment could be compromised. Since the average cost of recovering from a phishing attack is estimated at $4.24 million, according to an IBM study, training is a smart investment.
Implement a secure password manager: If your company does not already use a secure password manager, recommend they get one in place ASAP. A password manager will reduce the risk of your staff writing passwords down or using the same password repeatedly – this can greatly reduce the risk of compromised accounts.
Ensure staff know why and how to report phishing attempts: Part of onboarding training should include the steps to take when employees receive a phishing attempt. Not only should they know what steps to take, but they should also feel safe to report an incident - even if they have made a mistake and clicked on something they shouldn’t have. As a manager, it is your job to create that safe environment, because if incidents are reported quickly, they can sometimes be halted before damage is done.
We hope these tips are helpful! If we all work together we can thwart criminals before they get access to your organization’s environment and data.
This blog is distributed with the permission of LMG Security.
At LMG, our singular focus is on providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts have been covered on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.