What Your Employees Should Know About Phishing Scams
Identify how enterprises detect and prevent phishing attacks during the holiday season.
The holiday season isn’t only a time of increased sales and celebrations; it’s also when fraudsters step up their efforts to give holiday presents to themselves – customer login credentials, credit card information, social insurance or social security numbers, data, and identities – all taken from your database.
Phishing is one of the most common types of fraud.
Phishing scams rely on email communications that appear to be sent from the employee’s own organization or another legitimate company. The fraudster exploits the inherent trust that these companies have built so that the recipient will click on a link. By doing this, fraudsters can obtain unauthorized access to the employee’s accounts, the company’s databases, or the employee’s various third-party accounts.
More than 90% of all network breaches originated from a phishing attack.
The industries most targeted by phishing attacks are government entities, financial institutions, military and defense contractors, healthcare providers, and eCommerce retailers. Unfortunately, phishing messages are continually becoming more challenging to identify.
Because of the increased sophistication of these scams, there is a higher probability that an employee who uses a company device, or their own device outside of normal work hours, will at some point fall victim to phishing.
Companies of all sizes can be vulnerable.
Although large companies are big targets, small and medium-sized businesses are also at risk. Recently, Netflix was the victim of a phishing email that blanketed 110 million subscribers. With the subject line “Your suspension notification,” the email informed victims that their accounts had been suspended due to a billing issue. After clicking a malicious link that redirected to a thoroughly believable Netflix landing page, customers entered their user information and billing details to rectify the problem.
This simple and successful technique captured not only their payment details but also usernames and passwords, which are often the same credentials used across a number of websites.
Identifying a phishing email can be tough. It’s important for every employee to know the difference between a legitimate email and a phishing email.
Cyber criminals have many tactics to disguise emails. They understand how to avoid suspicion and trick their victims into thinking a sender is legitimate when the emails are really coming from a malicious source. Before opening an email, check that the sender is legitimate by inspecting the email header and paying close attention to the email domain of the sender.
Aggressive subject lines are used to lure victims in and cyber criminals will do whatever it takes to find a way into your system. They may promise a “free iPad Pro to the first 100 respondents,” or threaten that “your bank account will be suspended without immediate action.” By doing this, the fraudster evokes a sense of curiosity, urgency, or even panic.
Notice grammar and style errors. Don’t merely skim your emails; read them carefully. Many phishing attacks come from other countries, so these emails are often written by non-native English speakers. Spelling errors can be an obvious giveaway that the communication isn’t authentic. Incorrect or out-of-place punctuation is another consistent flaw found in phishing messages.
Check the link destination by hovering over the link and not clicking it. If it is not the website expected with a domain you recognize, it is probably a phishing attack. It is most important to make sure that the core of the URL is correct. Be especially cautious of known websites suddenly ending in alternative domain names instead of .com or .org.
Emails demanding immediate attention are illegitimate. This technique is often used to scare people into giving up confidential information.
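The sender-domain and link-destination checks above can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original article or from Precognitive: it parses a constructed phishing-style email, extracts every link, and flags the giveaways the checklist names (the sender’s domain not matching the brand, the “core” registrable domain of a link differing from the expected one, a brand name buried in a subdomain of another domain, link text that advertises one site while the href points elsewhere, a bare IP address, or credentials placed before the host). The sample message, the expected-domain set, and the short multi-label suffix list are all constructed assumptions for the demo, not a complete Public Suffix List.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a tiny illustrative list of two-label public suffixes.
# A production check would use the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the 'core' of a hostname: the part the owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_findings(host, expected_domains):
    """Brand name present in the host, but the registrable domain is someone else's."""
    reg = registrable_domain(host)
    return [f"lookalike host {host!r} uses brand name outside {d!r}"
            for d in expected_domains if d.split(".")[0] in host and reg != d]


def link_findings(href, text, expected_domains):
    """Apply the hover-over-the-link checks to one anchor; empty list means no red flag."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    if parts.username is not None:
        findings.append("credentials placed before the real host (user@host trick)")
    if re.fullmatch(r"[0-9.]+", host):
        findings.append("destination is a bare IP address")
    reg = registrable_domain(host)
    if reg not in expected_domains:
        findings.append(f"destination core domain {reg!r} is not an expected domain")
    findings += lookalike_findings(host, expected_domains)
    # Visible text that looks like a URL but points somewhere else than the href.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
    return findings


def analyze_email(raw_message, expected_domains):
    """Check the From: header and every link against the domains the brand really uses."""
    msg = message_from_string(raw_message)
    report = {"sender_findings": [], "link_findings": []}
    sender = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    sender_host = sender.group(1) if sender else ""
    if registrable_domain(sender_host) not in expected_domains:
        report["sender_findings"].append(f"From domain {sender_host!r} is not an expected domain")
    report["sender_findings"] += lookalike_findings(sender_host, expected_domains)
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        report["link_findings"].append((href, link_findings(href, text, expected_domains)))
    return report


def is_suspicious(report):
    return bool(report["sender_findings"]) or any(f for _, f in report["link_findings"])


# Constructed sample modelled on the suspension-notice lure; every domain here is made up.
SAMPLE_EMAIL = """\
From: "Netflix Billing" <billing@netflix-account-update.com>
Subject: Your suspension notification
Content-Type: text/html

<p>Your account has been suspended due to a billing issue.</p>
<a href="https://netflix.com.account-verify.net/login">https://www.netflix.com/login</a>
<a href="https://www.netflix.com@203.0.113.10/">Update payment</a>
<a href="https://help.netflix.com/">Help Center</a>
"""

if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL, {"netflix.com"})
    for line in result["sender_findings"]:
        print("SENDER:", line)
    for href, findings in result["link_findings"]:
        print(href, "->", findings or "ok")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "no red flags")
```

The first link is the classic “brand in the subdomain” trick: the visible text reads www.netflix.com, but the core domain the browser would actually contact is account-verify.net. The second link is flagged for the user@host form and the bare IP; only the genuine help.netflix.com link comes back clean, because its core domain matches the expected one.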
Training employees on how to avoid falling victim to a phishing email scam is only one of the first lines of defense in protecting not only their own personal information, but also that of your customers and other employees.
Implementing fraud prevention best practices helps to protect against the fallout of phishing email scams.
Phishing goes far beyond any size company and can target any sector and user, from a business executive to a home social network user or online banking consumer.
Knowing that the sophistication of both technology and techniques used by fraudsters is evolving, how can enterprises protect themselves from the downstream implications? By implementing a system of controls that spans across multiple touch points with your company, including account creations and logins.
How Precognitive helps defend against fraudsters’ phishing strategies:
Precognitive employs a unique strategy to detect the login differences between your customers, your employees, and a fraudster preying on your inability to recognize the difference. Focusing on the point of login, Precognitive’s behavioral analytics technology, Precog-BA, uses biometric profiling to measure aspects like the keystroke cadence while the user enters credentials, weighed against the speed at which that user typically logs in.
Precog-BA also detects behavioral patterns including how the user navigates your login page.
Precognitive’s technology can discern the habits of a bot versus a fraudster visiting your site for the first time versus your customer or employee that accesses the page regularly and frequently.
It’s important to take extra precautions when it comes to keeping your customers’ information safe. By taking the extra steps of training employees on phishing scams and implementing fraud prevention software, you are able to outpace fraudsters by beating them at their own game.
It’s inevitable that the attempts to breach individual accounts and user databases will continue. Devising a strategy for prevention and fallout mitigation starts with adequate employee education, but whether you’re a merchant or a bank, you still need to have the proper protections in place to ensure existing consumer accounts are protected from fraudsters attempting to use illegitimately obtained credentials.
Account takeovers can cripple your business, but with suitable preparation, you can stay ahead of the threat.