
Phishing, social engineering, oh my

According to an article by a Kaseya Security manager, citing FBI figures, phishing was one of the top three cybercrimes in 2020.

So what's phishing? Hackers put out some "bait," something they think you'll nibble at so they can engage you. Sometimes they're looking for pieces of information that by themselves seem innocent enough, but when combined with other data they've found, bought or stolen, give them all the pieces they need to impersonate you or gain access to your network, email or shared files.

Social engineering often involves tricking you into thinking you're communicating with someone you trust. They wrap the approach in a reasonable-looking message - you have a fax; they use scare tactics like an expiring password; they claim to be helping you because they noticed a problem with your computer. Let's face it - they're trying to trick you.

So you're in a rush and don't notice the company name is misspelled or the email address has a typo; you don't know whether you're expecting a fax or a package, and you're curious; you struggle to remember your password, and the thought of it expiring makes you panic; you didn't know you had a new vendor, so you click the link to the invoice; if "Microsoft" sends you an email asking you to confirm your password, you type it in.

All of these are scams.

When kids are little, you repeatedly remind them to look both ways before crossing, not to talk to strangers, not to open the door to strangers, to say please and thank you, and in our house, to hold the door for others, especially Mom. When it comes to your business, one study indicates that 55% of remote workers rely on email as their primary form of communication.

How often do you remind yourself, your team, your family members about these villains? There's an interesting quote I've run a few times - "People need to be reminded more often than they need to be instructed" - Samuel Johnson.

Here are five of the most common phishing attacks as listed in MSP Success Magazine - these might be worth pinning up in the break room, reading in the monthly company meeting, and including in all new hire documentation:

• Notification that you have received a voicemail or fax;

• Fake tech support email alleging malware on the computer and requesting remote access to install software to fix the issue;

• Business email compromise with a fraudulent invoice embedded with malware;

• Phony emails from HR asking new employees to change their direct deposit information;

• Social engineering attacks designed to trick employees to reveal confidential information.

In business, you have to send out a certain number of proposals to get work - it's often a numbers game. If you win 50% of your quotes and you only get two of them, you won't have enough work. Send 30 proposals with a 50% "win" ratio and that's a different story. These hooligans play the numbers, too.

So now what? Your IT company can add filters, block senders, and use tools to limit exposure.

But you and your staff still play an important role. Assume it's a scam. Even with great locks and alarms, you still have to lock the door. Take the "Zero Trust" position and wear out the delete key.

• Catherine Wendt is president of Syscon in Hinsdale.
