Online tech support scams have been on the rise for the past decade, as hackers found new ways to trick consumers into providing remote access to their computers in order to steal information. This tried-and-true scam currently relies on sophisticated social engineering, fueled by detailed user information that creates enough credibility for even the most savvy and skeptical users to keep the scam going.
In fact, 2.7 million Americans reported some form of fraud to the Federal Trade Commission in 2017 alone. There almost certainly were many more who either were too embarrassed or too jaded to report what they experienced.
What essentially all online and email scams share in common is that they attempt to impersonate someone or some institution that seems credible to the recipient. They capitalize on recipients’ social etiquette of trust, courtesy and professionalism to get them to hear out their pitch. They exploit the listeners’ fear of losing something, like a valuable service. They sometimes tempt listeners with promises of something of value for nothing.
Phishing today often involves scammers pretending to be a company you already do business with — such as Apple, Microsoft, or Amazon. They send out a text or email stating you have a problem with your account, or perhaps there’s a delivery issue, a refund question, or some other plausible-sounding matter. You are then directed to a link and told that unless you confirm your account information, your account will be suspended and legal action will follow.
The phishers almost certainly don’t have either your username or password. If they did, they wouldn’t have to bother using an elaborate ruse to gain access to your computer network. Instead, claiming that it’s a matter of great urgency, they trick you into providing access to data, to images, to text files, or to money.
One particularly damaging form of trickery may not involve texts or emails at all. It could start with a phone call from someone pretending to be your help desk or IT service organization needing to remotely access your computer to update or fix something.
“All you need to do is download this maintenance patch I’ll send you and let me do the rest,” the user is told. Of course, it’s a scam that would let someone gain access to your network. It’s bad enough if you’re a private individual, but it can be even worse if you’re in an organization with access to valuable information assets that the scammer is targeting.
Cut Back on Phish
With so much toxic angling, a low-phish diet will be good for you and your business. Sooner or later, everyone is likely to receive deceptive phone calls or emails. Like any diet, this one requires awareness, education and discipline.
Essentially, all phishing scams require the recipient to open or click on something that’s actually malicious. Educating yourself and your employees about how to recognize, avoid and report phishing attempts is essential to the security effort. Vigilance and skepticism online are the watchwords of safe online living.
- Many phishing messages share certain elements in common. One of the most frequent is to convey a sense of urgency, saying that the recipient needs to do something immediately — send money, verify certain information, or update their credit card file. That’s a red flag. Banks, government agencies, and most business organizations still use snail mail to collect funds and personal data.
- When you do receive an email from your bank that requires action, log on to its website by keying in the bank’s URL yourself. Don’t use the link in the message to visit the bank’s website; it could actually be a malware attack on your computer. If you hover your mouse over a link in the message without clicking on it, a small window appears showing the address the link really points to. If it looks phishy, pick up the phone and call your bank.
- Many scams originate overseas from countries where English is not the native language. As a result, there might be awkward phrasing, archaic terms, or misspelled words that professionally written emails or websites from authentic U.S. organizations would never use. That’s another red flag.
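A simple screen for the red flags just listed, written here as an added example (it is not part of the article): it extracts every link from an HTML message, compares the domain shown in the link text with the real destination that hovering would reveal, and flags urgency phrases. The sample message, its domains and the phrase list are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists: urgency phrases of the kind described above, and a pattern
# for a domain-looking token in visible link text ("click here" has none).
URGENCY_TERMS = ("immediately", "suspended", "legal action", "verify your account")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # hostname, lower-cased, without a leading "www."
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_red_flags(html_body):
    """Return human-readable red flags: hover-mismatched links and urgency language."""
    parser = LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if shown:
            shown_host, real_host = host_of(shown.group(0)), host_of(href)
            # A subdomain of the advertised site still counts as the same site.
            if shown_host != real_host and not real_host.endswith("." + shown_host):
                flags.append(f"link text '{text}' actually points to {real_host}")
    lowered = html_body.lower()
    flags += [f"urgency language: '{t}'" for t in URGENCY_TERMS if t in lowered]
    return flags

# Constructed sample message; every domain in it is made up.
SAMPLE = ('<p>Your account will be suspended unless you verify your account immediately.</p>'
          '<p>Visit <a href="http://login.examp1e-secure.test/verify">www.examplebank.example</a></p>'
          '<p>Help: <a href="https://www.examplebank.example/help">examplebank.example/help</a></p>')
```

Running `find_red_flags(SAMPLE)` reports the first link, whose text advertises one domain while pointing at another, and three urgency phrases; the genuine help link is not flagged.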
With those cautions in mind, it is comforting to know that there are best practices designed to help reduce the risk of a breach. Following are 10 phishing security tips.
1. Run fake phish tests. To help train employees, IT personnel can periodically send fake “phishing” emails to employees. These tests teach users to recognize malicious messages and help to identify vulnerable staff members who would benefit from additional security awareness training.
2. Publish your cyber policy. Information technology departments, in conjunction with their counterparts in human resources departments, should prepare written policies that address safe online practices for employees to follow. Annual updates to that policy, reflecting both the changing threat environment and the normal turnover of employees, would be useful. Tests about policy specifics can be administered periodically to raise awareness.
3. Educate newbies. The onboarding process for new employees provides a valuable opportunity to emphasize the importance your organization attaches to cybersecurity, as well as some of the specific measures in place to safeguard the network against attacks. Introducing an official company cyber policy, as well as the organization’s security-related personnel and resources, also would be timely for new arrivals. Part of that training should discourage employees from publishing information about their affiliation with the company on social media, especially any corporate information.
4. Decommission accounts. Employees who retire or leave the organization — particularly those whose separations may have been contentious — should have their access credentials to the network disabled right away. The same applies to contractors, agencies, and vendors with access to company systems, accounts or other assets.
5. Don’t make enemies. Disgruntled employees — particularly those who feel they have been disrespected, ignored or otherwise treated unfairly — can create serious issues for the business because they have access to sensitive materials and can carry a grudge against the company. One way to help minimize the risk of an insider causing damage to the organization in retaliation for a real or perceived affront is to create a culture of respect — one in which employees know they have the opportunity to air and resolve issues before they can escalate into acts of sabotage.
6. Practice BYOD hygiene. Everyone has their own mobile devices — phones, tablets, smart watches and so on. At the same time, more business organizations are staffed with workers who operate remotely and use their own devices to telecommute. Cisco’s 2016 annual report found that workers saved more than 80 minutes a week using their own devices. At the same time, however, many IT professionals acknowledge that the Bring Your Own Device culture increased their company’s security risks.
However, there are ways to minimize that risk:
- Making sure work and personal information are separated.
- Never using public WiFi to send or open sensitive data.
- Connecting to a Virtual Private Network (VPN) whenever possible, so Internet traffic is encrypted.
- Saving data in cloud-based services rather than keeping everything on a laptop.
- Installing security software and tools, such as antivirus applications, firewalls, Web filtering software and device encryption.
- Never leaving your computer unattended at a coffee shop or while meeting with a client.
7. Secure your supply chain. No company is an island. Every type of business, whether it’s a manufacturing or service organization, has a network of suppliers. Some of them may not be particularly strategic, while others may be suppliers of mission-critical components. Before forming a supplier partnership and collaborating online, ask what access controls they have in place:
- How are they documented and audited?
- How do they store and protect customer data?
- How is that data encrypted?
- How long is it retained?
- How is the data destroyed when the partnership is dissolved?
- How frequently are employee background checks conducted?
8. Make a plan. Even if you and your employees are meticulous about cybersecurity, stuff happens. The risk of a security breach always exists. If a breach occurs, have a response plan. That plan should outline the roles, the responsibilities, and the communication hierarchy of key employees throughout the duration of the response. Those key players should be identified in advance, along with their contact information, so they can be notified quickly in the event of an incident. That plan should address the need to contain the breach, remove the threat, and recover lost information.
9. Update your software. Conventional security software tools, such as firewalls, react to threats only after they have been detected. Newer next-generation technology takes a more automated, proactive approach by constantly scanning networks to detect threats before they become full breaches. Even today’s standard productivity applications have better security features than they had in the past.
10. Get into the cloud. Many organizations are discovering that the perceived cost-benefit of owning their own servers and keeping them on site under the supervision of their own IT staff can disappear quickly if an attacker manages to breach them. Cloud providers have exceptionally high security standards with specialists on duty 24/7 throughout the year. Migrating company files to the cloud also can bring a variety of operational benefits to users.
Even with the best technology, no system’s security is stronger than its most vulnerable legitimate users. Scams will continue to evolve, and corporate security practices need to be as dynamic as the changing threat environment.
Ongoing education and awareness efforts, together with a culture of online skepticism and prompt reporting of suspicious email, are fundamental to strengthening any organization’s front lines of defense: a workforce of knowledgeable employees and vigilant executives.