The security of your enterprise depends not only on the actual security procedures you have in place, but also on how well you and your employees follow those procedures. It’s vital to understand what you’re protecting the business against so you can explain to your employees exactly what they need to look out for.
One such threat to businesses today is called phishing, which can be used to trick you or your employees into giving out information that could enable hackers to access your enterprise’s data.
What is Phishing?
Phishing, which is a play on the word “fishing,” is an attempt to maliciously gain information from a computer user by means of an email or similar message. This works by convincing the recipient of the phishing email that the sender is a legitimate source. The target will then reply, giving up their personal information or clicking on a link to a fake website and entering their information there.
Today, phishing is used to steal information from computer users both at home and at their place of employment. This could be a goldmine for hackers because, even if the hacker doesn’t intend to use the information themselves, they can potentially make a significant amount of money selling the information on the dark web.
The History of Phishing
Phishing began in the early 1990s, with the term being coined somewhere in the mid-1990s. The earliest attempts at phishing consisted of hackers sending a stranger a message through AOL’s instant messenger system. The hacker claimed to be an employee of AOL and requested the person’s login information. Once they had this information, the hacker could log into the person’s account and potentially steal the person’s identity or their credit card information.
Shortly after the phishing attempts began, they extended to emails instead of just using AOL messenger. They often targeted individuals and attempted to gain the login information for AOL, banks, and other businesses. This enabled them to get even more information about the person to use on their own or to sell to other hackers. In fact, the information gained could be used as a sort of currency to access other hacking tools.
Since then, phishing has grown and has started targeting consumers and employees of enterprises alike. The emails have become more sophisticated, with fewer errors that could alert the recipients to the email being a scam. The websites they copy in order to gain information look like the real website and may even have a URL that’s close to the real website, for example vvellsfargo.com instead of wellsfargo.com.
There are now multiple different types of phishing attacks as well as many notorious attacks that have occurred in recent years. These attacks have enabled hackers to gain access to significant amounts of information and have caused quite a bit of damage. Business owners and consumers should be aware of these issues and what methods can be used to prevent a phishing attack.
Anthem Inc. Phishing Scam
Anthem, Inc. is a very large healthcare company in the United States. In 2015, unauthorized access to their data enabled hackers to steal social security numbers, birth dates, names, employment and income data from customers of Anthem. This was all possible because one employee opened a phishing email on one of the computers connected to Anthem’s data system.
Opening the email triggered a file download that allowed the hacker to gain remote access to the employee’s computer. Once the hackers had remote access, it was easy for them to obtain the data for which they were looking. Healthcare data can be worth quite a bit of money to hackers as the data includes much of the information needed for identity theft.
Anthem, Inc.’s security breach led to the possibility of almost 80 million users’ data being compromised. They ended up settling a lawsuit for the breach by paying a $115 million settlement. A lot of the funds from the settlement, originally brought by 100 of the people who had their data stolen, will likely be used for monitoring their credit to make sure the victim’s identity wasn’t stolen.
Operation Phish Phry
Operation Phish Phry was an attempt to catch cyber criminals who were using phishing to steal bank account information and money from their victims. The investigation began in 2007 and the aim was to catch hackers trying to steal Wells Fargo and Bank of America account information through emails sent to the banks’ users.
Though the operation began in the United States, Egypt helped the FBI find and arrest over 100 individuals who took part in this phishing scam. Through the two-and-a-half-year investigation, those who were arrested were found to be carrying out a phishing scam that led to the theft of more than $1.5 million from victims who opened an email thinking it was from their own bank.
Target Data Breach
One of the largest breaches, the Target data breach, occurred in 2013. It ended up impacting more than 70 million consumers. The data stolen included names, email addresses, phone numbers, and mailing addresses. After the breach occurred, it was discovered that a vendor working with Target was the unwitting cause of the breach.
The vendor opened an email that included malware, which downloaded to his computer and was used to obtain the credentials to access Target’s data. Because of the huge number of customers who were potentially impacted by this, the total costs could reach over $1 billion. In fact, banks alone spent more than $172 million in the months after the attack on replacing payment cards for their customers that might have been impacted.
6 Methods to Prevent Phishing Attacks
As a business owner or upper level manager, it’s important to know how to prevent phishing attacks, and how to teach employees about the dangers of phishing and how those attacks can be avoided. There are 6 ways for business owners and employees to prevent any phishing attack from gaining access to your business’s data.
- Be Wary of Emails Asking for Personal Information
Emails that ask for personal information are likely phishing attempts and not legitimate emails. They might appear to come from a bank or another business, or even a co-worker or employee. However, these emails could be a result of hacking or a phishing attempt to gain personal information that can be used to get more information or data.
- Do Not Download Unknown Attachments
If an email has an attachment, it’s always better to confirm the attachment is legitimate if it’s not expected. Also, when downloading the attachment, save it to a folder before opening it. If the attachment isn’t what’s expected (for instance, .exe instead of .pdf), it’s likely malware and should not be opened. The malware can be used to log everything that’s typed into the computer or to remotely access the computer.
- Be Wary of Clicking Links in Emails
Links in emails, even if they’re sent by someone you know, might not be safe to click. If the email doesn’t seem like it was written by that person, do not click the links. They might lead to a website that automatically downloads malware to the computer. In cases where the email seems to be from a bank or other business, the link might lead to a fake website designed to encourage you to enter your information. Instead, type in the link address manually.
- Call Before Clicking or Downloading
Any emails that are suspicious should be dealt with carefully. If possible, contact the person sending the email message via telephone to ensure the email was sent by them and is a legitimate email. This can help minimize the chance of clicking on a dangerous link or downloading a malicious file.
- Keep Security Software Up to Date
All your employees’ computers should have updated security software at all times. The security systems for the computers should include updated anti-malware software so it has the highest chance of catching any malware before it can impact the computer.
- Learn How to Spot Phishing Emails
Knowing the warning signs of phishing emails is crucial. Many of these emails are going to ask for information and try to make it sound like the information is needed urgently. They might also warn that the account discussed in the email has been compromised and ask for personal information to update the password. Many of these emails include poor spelling or grammar, even if it’s only a few mistakes throughout the email.
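The look-alike domain trick mentioned earlier (vvellsfargo.com for wellsfargo.com) and the attachment check above (.exe where a .pdf was expected) can both be screened automatically before a link is clicked or a file is opened. The following is an added example written for this article, not PeopleSec code: the list of known-good domains, the homoglyph table and the sample URLs and filenames are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed list of domains this organisation expects to see in legitimate email links.
KNOWN_GOOD_DOMAINS = ["wellsfargo.com", "bankofamerica.com", "anthem.com", "target.com"]

# Character sequences attackers substitute because they look alike in many fonts.
# This is a heuristic table; digits are only folded when comparing, never shown to the user.
HOMOGLYPHS = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Attachment types that run code when opened; a "PDF" arriving as one of these is a red flag.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "msi", "jar"}


def extract_domain(url: str) -> str:
    """Return the host part of a URL, lower-cased, without scheme, user@, port or path."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?(?:[^/@]*@)?([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def normalize_homoglyphs(host: str) -> str:
    """Collapse look-alike sequences so vvellsfargo.com compares equal to wellsfargo.com."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def classify_link(url: str, known_good=KNOWN_GOOD_DOMAINS):
    """Return (verdict, matched_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    host = extract_domain(url)
    # Compare on the last two labels so mail.wellsfargo.com still matches wellsfargo.com.
    base = ".".join(host.split(".")[-2:])
    if base in known_good:
        return "known", base
    normalized = normalize_homoglyphs(base)
    for good in known_good:
        if normalized == good:
            return "lookalike", good          # homoglyph substitution, e.g. vv -> w, rn -> m
        if SequenceMatcher(None, base, good).ratio() >= 0.9:
            return "lookalike", good          # one-character typo such as wellsfago.com
    return "unknown", base


def attachment_mismatch(filename: str, expected_ext: str) -> bool:
    """True when the real (last) extension is executable or is not what the sender promised."""
    parts = filename.lower().rsplit(".", 2)
    real_ext = parts[-1] if len(parts) > 1 else ""
    return real_ext in EXECUTABLE_EXTENSIONS or real_ext != expected_ext.lower().lstrip(".")
```

A mail gateway or awareness tool would run classify_link over every URL in a message and flag anything that is a lookalike, while attachment_mismatch catches double extensions such as invoice.pdf.exe that the prevention list warns about.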
PeopleSec Can Help
Phishing can cause enterprises significant amounts of damage, often costing them millions of dollars. As a business owner or upper level manager, you should be aware of the potential dangers of phishing and how to prevent it for your enterprise.
Contact PeopleSec today to learn more about securing your business or enterprise from cyber attacks. We’ll help you protect your enterprise from phishing scams as well as other types of cyber crime to ensure your systems and data are properly secured.