One of the most common ways that companies fall victim to hackers is through relatively simple phishing scams. Even some of the largest, most damaging data breaches happen because one employee received a scam email and unknowingly handed over the keys to the network, allowing hackers to infiltrate the system.
What are phishing scams?
Phishing is a type of social engineering scam in which criminals exploit trust, habit and routine business situations to pry information out of victims, such as bank account numbers, Social Security numbers and passwords. Other phishing emails get the victim to click a link or open a malicious attachment that installs malware on the user’s machine, giving the attacker a foothold from which to do whatever they want.
It’s easy to believe that you could never fall for something like this because we’ve been warned so many times. We think we can easily spot a scam. In reality, however, phishing scams are getting more and more sophisticated. Criminals have no trouble recreating a company’s logo to make an email look official. If the company’s mail domain isn’t protected by sender authentication (SPF, DKIM and DMARC), they can even forge the CEO’s exact email address, so employees believe the message comes from a trusted source. Impersonating an executive to trick staff this way is usually called CEO fraud or business email compromise; the related term whaling refers to phishing aimed at the executives themselves.
Phishing scams also work well because they play on our fears. Many times, a scam will say something like “Your account has been breached and you need to change your password in order to stay protected.” No one wants their account to be breached, so they immediately click the link, log in to a look-alike site and “change their password,” ultimately handing the attacker their login credentials.
Phishing is especially dangerous because it doesn’t take much skill to run a campaign and the return on that small investment can be huge. Businesses need a plan to protect their employees and their assets from phishing scams. Luckily, the basic methods for fighting phishing are simple.
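The sender tricks and the scare-and-reset lure described above can be checked mechanically, which is what a spam filter or a "report phishing" workflow does. The following is an added example, not code from the original article or from any product it mentions: it scores a raw email for a handful of the indicators just discussed (a display name that claims the company while the address is elsewhere, a look-alike sender domain, a Reply-To pointing at a third domain, urgency wording, and links whose visible text names a different site than the real target). The company domain `example-corp.com`, the phrase list, the similarity threshold and both sample messages are constructed assumptions for illustration; the anchor regex is a simplification that suits the samples, and real mail should go through a proper HTML parser.

```python
"""Flag the phishing indicators described above in a raw e-mail message.
Added example, not code from the article; standard library only. TRUSTED_DOMAIN,
the phrase list and both sample messages are constructed assumptions."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"  # assumed: the company's own mail domain
URGENCY_PHRASES = ("breached", "immediately", "suspended",
                   "verify your account", "change your password")
# Simplified anchor matcher for the constructed samples; real mail needs an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def squash(s: str) -> str:
    """Keep only letters and digits so 'Example Corp' matches 'example-corp'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def host_of(addr_or_url: str) -> str:
    """Lower-cased host of an e-mail address or URL ('' if there is none)."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def body_text(msg: Message) -> str:
    """Decoded body, preferring the HTML part so that links can be inspected."""
    parts = list(msg.walk()) if msg.is_multipart() else [msg]
    for ctype in ("text/html", "text/plain"):
        for part in parts:
            if part.get_content_type() == ctype:
                raw = part.get_payload(decode=True) or b""
                return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings: list[tuple[str, str]] = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_host = host_of(sender)

    # Display name drops the company name while the address is somewhere else.
    brand = squash(TRUSTED_DOMAIN.split(".")[0])
    if brand in squash(display_name) and sender_host != TRUSTED_DOMAIN:
        findings.append(("display-name", f"'{display_name}' sent from {sender_host}"))
    # Near-identical sender domain (typosquat or homoglyph such as example-c0rp.com).
    similarity = SequenceMatcher(None, sender_host, TRUSTED_DOMAIN).ratio()
    if sender_host != TRUSTED_DOMAIN and similarity >= 0.85:
        findings.append(("lookalike-sender", f"{sender_host} resembles {TRUSTED_DOMAIN}"))
    # Replies silently routed to a third domain.
    reply_host = host_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != sender_host:
        findings.append(("reply-to", f"replies go to {reply_host}, not {sender_host}"))

    body = body_text(msg)
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    for href, text in ANCHOR_RE.findall(body):  # a plain-text body yields no anchors
        href_host, text_host = host_of(href), host_of(text.strip())
        # The visible URL names one site while the real target is another.
        if text_host and href_host != text_host:
            findings.append(("link-text-mismatch", f"shows {text_host}, goes to {href_host}"))
        # example-corp.com.login-secure.net contains the brand but is not under it.
        if (TRUSTED_DOMAIN in href_host and href_host != TRUSTED_DOMAIN
                and not href_host.endswith("." + TRUSTED_DOMAIN)):
            findings.append(("embedded-trusted-domain", href_host))
    return findings


# Constructed sample: the scare-and-reset lure described in the article.
SUSPICIOUS = """\
From: "Example Corp IT Security" <it-security@example-c0rp.com>
Reply-To: helpdesk@mail-reset-portal.net
Subject: Your account has been breached
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been breached and you need to change your password
immediately in order to stay protected.</p>
<p><a href="http://example-corp.com.login-secure.net/reset">https://example-corp.com/reset</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal notice, for comparison.
BENIGN = """\
From: "Example Corp IT Security" <it-security@example-corp.com>
Subject: Maintenance window on Saturday
Content-Type: text/plain; charset="utf-8"

The VPN gateway will be restarted on Saturday at 02:00 UTC. No action is needed.
"""
```

Running `phishing_indicators(SUSPICIOUS)` flags all six indicators, while `phishing_indicators(BENIGN)` returns an empty list. Each check on its own is weak evidence (legitimate mail from a partner can have a different Reply-To, and "immediately" appears in plenty of honest notices), which is why a filter scores several signals together rather than blocking on any single one, and why the link checks matter most: they catch the exact trick of a URL that reads `example-corp.com` but lands somewhere else.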
How to fight phishers
Take a look at your software. Make sure that anti-spam, anti-virus and anti-malware software is deployed everywhere and kept up to date. Spam filtering stops known threats before they reach an inbox, while anti-virus and anti-malware help if something does get through.
Also be sure that the operating systems on both your servers and your workstations are still supported by their vendor, which rules out Windows Server 2003 and Windows XP. Once a vendor stops shipping security patches, any malware that takes root on those systems has nothing standing in its way, and running unpatched, end-of-life software is hard to reconcile with HIPAA’s Security Rule requirements.
Train employees. Employees need to know what phishing emails look like and the damage they can do. They should also know what to do if they think they have received one: ideally the email shouldn’t be opened at all, nothing in it should be clicked or downloaded, and it should be reported to the IT department immediately. Attackers often target entry-level employees, who are usually the least experienced at spotting a scam; they identify them from social media profiles and then email them directly. This is also a good reason why not every employee needs access to all of the company’s data.
Create company policies to protect yourself. You need a policy in place that prohibits employees from sending certain types of information over email, and that requires any emailed request for sensitive data or a payment to be verified through a second channel, such as a phone call to a number already on file. The policy should clearly dictate what employees should and should not do in the event of a phishing email.
If you’re already a victim
If it’s already too late and your valuable information has fallen into the hands of hackers, you have some work to do.
Contact all of your banks, credit card companies and other financial institutions. At this point you should close the affected accounts and open new ones to make sure no money is stolen, and cancel all credit and debit cards. You should also use this time to reset every password in the company, starting with any that were entered on the phishing site or are reused elsewhere.
Beef up your security. The time to maintain tight security over your network was before the breach occurred, but it certainly won’t hurt to do the work afterwards. This is the period in which your private data is at its most vulnerable. If the attacker’s goal was to use a phishing scam to get inside your network and steal, for example, a bank account number, you need to do everything you can to stop them from taking off with even more loot, such as customer credit card data.
Review your account statements. Look for fraudulent charges on your bank statements. If you find any suspicious activity, tell your bank or financial institution as soon as possible: the faster you report the charges, the more likely you are to be refunded.
Contact law enforcement. If the information that was stolen is extensive (such as customer data or electronic health records), you need to report the breach to the police. If the attacker only took one of your account numbers, maybe not. But once a phishing scam starts to affect people outside your company, law enforcement should be involved.
Let your customers know what happened. When your customers’ information is involved in a data breach, they have the right to know, and in many jurisdictions breach-notification law requires you to tell them. At this point you will need a public relations strategy in place to maintain your reputation. You may also consider offering your customers free credit monitoring services.