Security is the first and most important concern for every office workplace: the safety of your employees, but also the safety of your information. When sensitive or important data needs to be safeguarded, most organizations buy a well-reviewed anti-virus program. But relying on anti-virus alone is like only wearing a mouth guard to play professional football, and leaving your helmet and padding back in the locker room. You never know from which direction a tackle is going to come or in what way it will hit you.
One of the most prevalent ways that scammers will attack your office is through phishing schemes. There are many kinds of scams involving phishing, but most follow the same basic steps. How does phishing work? The scammer sends a seemingly legitimate email to a member of your staff. Unless their scam is particularly sophisticated, they will usually avoid IT and send it to a higher-up with clearance and little technical know-how. The email contains a link or a file that requires a login to view. The site or file itself is not what it claims to be, and the password you type in is sent back to the scammers. They now have access to an exec’s email. Once they’re in, they can spread like a virus among your workstations and file-sharing programs.
How can I avoid getting phished?
That’s what you’re frantically googling now, isn’t it? Well, let’s go over some valuable best practices. At Computhink, we take security very seriously, whether it’s the safety of your professional documents or your staff’s private information. Our Enterprise Content Management software, Contentverse, is built on security and organization.
Can I trust familiar email addresses?
Most successful phishing scams use your colleagues’ names if they can. They will find a company email address and pair it to a staffer’s name. For instance, they will figure out that email@example.com probably matches the public record (easily found on LinkedIn, etc.) of John Smith, who works at website.com. They use that template on other staff to figure out their email addresses. They then buy a similar-looking domain, such as “wcbsite.com” or “wedsite.com”, something anybody could mistake for the real thing. They add your colleague’s username and send you an email from firstname.lastname@example.org. It’s short and sweet, and the content fits John’s job description. Something as typical as, “Hey, can you validate these numbers for me?” with a link to a document.
All it takes is tricking the first unlucky employee or executive, because once they have access to a real email account, it becomes a simple matter of sending an email to IT from a trusted source. Suddenly, the email addresses you thought were safe are compromised. Get in the habit of checking the sender’s address, character by character, every time. Don’t open an attachment without confirming what it is for. Beware of vague emails that seem apropos of nothing.
If a colleague or employee sends you something without previously discussing it, whether it’s an email attachment, a link, or an IM, call them up. If it turns out to be legitimate, at least you now have this chance to discuss the content over the phone. When receiving anything even a little bit suspicious, give it a closer look. If you’re still unsure, always call first. Most email clients will filter out phishing attempts and scams that use well-documented tactics, but beyond that, you just have to maintain your skepticism.
When sharing passwords or sensitive information with a coworker, it is best to call over the phone or use an encrypted messaging service. However, if your company uses VoIP for its phone system, be aware that while this technology has the potential for greater security applications, in its basic form it is more open to web-based security threats. Contact your VoIP service rep to discuss options for upgrading to a guarded version of their software and hardware.
Use distribution lists
One of the places that phishers get your professional or personal information is your company’s website. Many organizations list their staff and contact info on high-level pages. Not only is this open to the public, but bots can also crawl sites for email addresses and phone numbers with ease. To circumvent this, some companies post their contact information as an image file, which many bots can’t read, or spell out the special characters in phone numbers and email addresses. Alternatively, you can forgo using your named emails for external mail and instead create a distribution list. email@example.com can be set up with a list of relevant parties who receive forwarded copies of emails sent to this address. Then, you place this in the footer of your website, creating an all-purpose listserv address to which customers or patrons can send inquiries.
Conversely, you can give each department a single, shared address to use for external email with clients and partners. This leaves named email addresses for internal use only, ensuring that the email addresses you use for trading sensitive information are sequestered, and the public-facing addresses only send and receive non-sensitive data. For instance, Beth Smith in Tech Support will now have firstname.lastname@example.org for relations with colleagues but can use the shared email@example.com for messaging customers with technical issues. For a small company where many departments contain only a single employee, this option isn’t likely to be as cost-effective or as necessary as it is for a large organization.
Secure websites only
Some phishing scammers will take you to an unsafe space on the internet. Avoid HTTP websites if possible, and opt for HTTPS. The “S” means “secure.” Most browsers, like Chrome and Firefox, warn you of suspicious pages before allowing you access. Avoid any websites your browser recommends against. Use an ad-blocker – it doesn’t just stop you from seeing annoying ads, it also blocks harmful pop-ups which can get a stranglehold on your browser. Additionally, an anti-virus and anti-malware program will often come with a browser plugin so that it can review sites you’re visiting for harmful code.
While more rudimentary phishing scams will simply send you a link to a harmful page, some phishers have the know-how to build an authentic-looking Google account page. It looks like two-step verification. But unless the address says google.com before any slashes, then this is likely a scam. Be wary of such addresses. Don’t put in your information unless you’re sure that it’s Google or a subsidiary. The same goes for Microsoft, Mozilla, etc.
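The two checks above, the lookalike sender domain (“wcbsite.com” for website.com) and the host that appears before the first slash of a link, can be automated for mail triage. The following is an added example, not Computhink’s or Contentverse’s code; the allow-list of trusted domains and the sample addresses are constructed for illustration.

```python
"""Sender-domain and link-host checks for phishing triage (added example)."""
from urllib.parse import urlsplit

# Constructed allow-list: domains the organisation and its vendors actually use.
TRUSTED_DOMAINS = {"website.com", "google.com"}


def host_of(value: str) -> str:
    """Return the lower-cased host of an email address or a link.

    For links this is the part between the scheme and the first slash, which is
    what the article tells readers to inspect.  urlsplit discards credentials
    ('user@'), ports and paths, so 'https://google.com@evil.example/' yields
    'evil.example', not 'google.com'.
    """
    value = value.strip()
    if "://" in value or "/" in value:
        if "://" not in value:
            value = "http://" + value  # scheme-less link as pasted from an email body
        return (urlsplit(value).hostname or "").lower()
    if "@" in value:  # email address: the domain follows the last '@'
        return value.rsplit("@", 1)[1].lower()
    return value.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution turns 'website' into 'wcbsite'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for a trusted domain or one of its subdomains,
    'lookalike' when within edit distance 2 of a trusted domain, else 'unknown'."""
    host = host_of(value)
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    for dom in trusted:
        if levenshtein(host, dom) <= 2:
            return "lookalike"
    return "unknown"
```

Note that "google.com.evil.example" ends in "evil.example", so the subdomain test is done on the right-hand end of the host, never by searching for "google.com" anywhere in the address.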
Non-tech folks tend to install anti-virus software and forget about it. You might be thinking that this is the end of your security concerns. Smooth sailing from here… Not even close! Anti-virus only protects you from viruses, and at that only the ones for which the software is up to date. First of all, make sure your anti-virus service provider is automatically updating the product with the latest virus definitions. Then, start looking at anti-malware, which will protect you and your computer from harmful or suspicious programs. Some anti-malware services are packaged with a popular anti-virus. There are plenty of free versions of these programs, but some of them can themselves be malware, so read reviews carefully. If possible, ask an IT professional. They may recommend an expensive product. It’s okay to shell out the big bucks for security, so long as it is well-reviewed and recommended by professionals.
If you have a shared server at your company and a private network, you may want to consider using a firewall to protect that network from intrusion by an outside source. In addition, whether you host your website on your own servers or in the cloud, there are many ways to safeguard access. Check with your hosting company and your CMS. Each will give you options for protecting your site from bots and hackers. Brute-force attacks on a website are common. And sometimes getting into your site’s backend could give an intruder access to your mail server, the ultimate boon for a phisher. Set up security early, preferably before going live with your website or putting your organization’s computers on the network.
It is also a good idea to invest in a secure content management system to keep your files and data safe. Most companies just store documents on each user’s computer in a rudimentary filing structure. The only thing barring an outside party from access is a single password. But an Enterprise Content Management solution like Contentverse has end-to-end encryption and permissions-based folder access, so that even if a phisher successfully accessed your email, they’d have no way to reach your company’s sensitive information. Bottom line – don’t get phished. But if you do, Contentverse has you covered.