For the past decade, online tech support scams have been on the rise as hackers find new ways to trick consumers into providing remote access to their computers in order to steal information. This tried-and-true scam today relies on sophisticated social engineering fueled by detailed information on the user, which creates enough credibility for even the most savvy and skeptical users to keep the scam going.
In fact, in 2017 alone, 2.7 million Americans reported some form of fraud to the Federal Trade Commission. And there were almost certainly many more who were either too embarrassed or too jaded to report what they experienced.
What essentially all online and email scams share in common is that they attempt to impersonate someone or some institution that seems credible to the recipient. They attempt to capitalize on the recipient’s social etiquette of trust, courtesy, and professionalism to hear out their pitch. They usually exploit the listener’s sense of fear of losing something, like a valuable service. Or, alternatively, they try to appeal to the listener’s sense of greed of getting something of value for nothing.
Phishing scams today often involve someone pretending to be a company you already do business with — such as Apple, Microsoft, or Amazon — sending out a text or email stating you have a problem with your account, or perhaps a delivery issue, a refund, or some other plausible-sounding matter. You are then directed to a link and told that unless you provide confirmation of your account information, that account will be suspended and legal action will follow.
The phisher almost certainly doesn’t have either your username or password. If they did, they wouldn’t have to bother using an elaborate ruse to gain access to your computer network. Instead, claiming that it’s a matter of great urgency, they trick you into providing access to data, to images, to text files, or to money.
One particularly damaging form of trickery may not involve email at all. It could start with a phone call from someone pretending to be your help desk or IT service organization needing to remotely access your computer to update or fix something. “All you need to do is download this maintenance patch I’ll send you and let me do the rest,” the user is told. Of course, it’s a scam for someone to access the network. And it’s bad enough if you’re a private individual. But it can be even worse if you’re in an organization with access to valuable information assets that the scammer is targeting. Here are some common patterns.
Security Tips: Cutting back on phish
With so much toxic angling, a low-phish diet will be good for you and your business. Sooner or later, everyone is likely to receive deceptive phone calls or emails. But like any diet, this one requires awareness, education, and discipline. Essentially, all phishing scams require the recipient to open or click on something that’s actually malicious. Educating yourself and your employees about how to recognize, avoid, and report phishing attempts is essential to the security effort. Vigilance and skepticism online are the watchwords of safe online living.
- Many phishing messages share certain elements in common. One of the most frequent is a sense of urgency saying that the recipient needs to do something immediately – either to send money to verify certain information, or to update their credit card file. That’s a red flag. Banks, government agencies, and most business organizations still use snail mail to collect funds and personal data.
- When you do receive an email from your bank that requires action, log on to its website by keying in the bank’s URL yourself. Don’t use the link in the message to visit the bank’s website; it could actually be a malware attack on your computer. If you hover your mouse over a link in the message without clicking on it, a small window will appear showing the link’s real destination address. If it looks phishy, pick up the phone and call your bank.
- Many scams originate overseas from countries where English is not the native language. As a result, there might be awkward phrasing, archaic terms, or misspelled words that professionally written emails or websites from authentic U.S. organizations would never use. That’s another red flag.
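The hover check above can be automated on the mail-gateway or help-desk side. The following Python script is an added example and not part of the original article: it parses the HTML body of a message, collects every link, and flags anchors whose visible text is itself a URL that points at a different registrable domain than the real href. The sample message, the domain names in it and the two-label domain approximation are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body. The domains are hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be suspended unless you confirm your details.</p>
<p>Visit <a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a> now.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> belongs to the link's visible label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/x' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(host):
    """Approximate registrable domain as the last two labels.
    Assumption for this example: no public-suffix list, so 'co.uk'-style
    suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text):
    """True when the visible anchor text itself reads like a web address."""
    return "://" in text or text.lower().startswith("www.")


def find_mismatched_links(html):
    """Return (href, visible_text, reason) for links whose displayed URL
    names a different registrable domain than the real destination."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not looks_like_url(text):
            continue  # plain-word labels like "our help page" are not checked
        shown = registrable_domain(host_of(text))
        actual = registrable_domain(host_of(href))
        if shown != actual:
            findings.append(
                (href, text, f"displays {shown!r} but links to {actual!r}")
            )
    return findings


if __name__ == "__main__":
    for href, text, reason in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text} -> {href} ({reason})")
```

Run on the sample, the first link is reported because its label shows examplebank.com while the href lands on account-verify.example; the "our help page" link is skipped because its label is ordinary text, which is exactly the case where the reader still has to hover.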
With those cautions in mind, it is comforting to know that there are best practices designed to help reduce the risk of a breach.
Fake phish test. To help train employees, IT personnel can periodically send fake “phishing” emails to employees. They can teach users to recognize malicious messages and help to identify vulnerable staff members who would benefit from additional security awareness training.
Publish cyber policy. IT departments in conjunction with their counterparts in HR should prepare written policies for employees to follow that address safe online practices. Annual updates to that policy, reflecting both the changing threat environment and the normal turnover of employees, would be useful. Tests about policy specifics can be administered periodically to raise awareness.
Educate newbies. The onboarding process for new employees provides a valuable opportunity to emphasize the importance your organization attaches to cybersecurity, as well as some of the specific measures in place to safeguard its network against attacks. Introducing an official company cyber policy as well as the organization’s security-related personnel and resources would also be timely for new arrivals. Part of that training should discourage employees from publishing information about their affiliation with the company, especially including any corporate information on social media.
Decommission accounts. Employees who retire or leave the organization – particularly those whose separations may have been contentious – should have their access credentials to the network disabled right away. The same applies to contractors, agencies, and vendors with access to company systems, accounts, or other assets.
Don’t make enemies. Disgruntled employees – particularly those who feel they have been disrespected, ignored, or otherwise treated unfairly – can create serious issues for the business because they have access to sensitive materials and can carry a grudge against the company. One way to help minimize the risk of an insider causing damage to the organization in retaliation for a real or perceived affront is to create a culture of respect – one in which employees know they have the opportunity to air and resolve issues before they can escalate into acts of sabotage.
Practice BYOD hygiene. Everyone has their own mobile devices – phones, tablets, smart watches, and so on. At the same time, more business organizations are staffed with workers who operate remotely and use their own devices to telecommute. Cisco’s 2016 annual report found that workers saved more than 80 minutes a week using their own devices. At the same time, however, many IT professionals acknowledge that the Bring Your Own Device culture increased their company’s security risks.
But there are ways to minimize that risk, including:
- Making sure work and personal information are separated.
- Never using public wi-fi to send or open sensitive data.
- Connecting to a Virtual Private Network (VPN) whenever possible, so your internet traffic is encrypted.
- Saving data in cloud-based services rather than keeping everything on a laptop.
- Installing security software and tools, such as anti-virus applications, firewalls, web filtering software, and device encryption.
- Never leaving your computer unattended at a coffee shop or while meeting with a client.
Secure your supply chain. No company is an island. Every type of business, whether it’s a manufacturing or service organization, has a network of suppliers. Some of them may not be particularly strategic, while others may be suppliers of mission-critical components.
Before forming a supplier partnership and collaborating online, ask what access controls they have in place.
- How are they documented and audited?
- How do they store and protect customer data?
- How is that data encrypted?
- How long is it retained?
- How is the data destroyed when the partnership is dissolved?
- And how frequently are employee background checks conducted?
Make a plan. Even if you and your employees are meticulous about cybersecurity, stuff happens. The risk of a security breach always exists. If a breach occurs, have a response plan. That plan should outline the roles, the responsibilities, and the communication hierarchy of key employees throughout the duration of the response. Those key players should be identified in advance, along with their contact information, so they can be notified quickly in the event of an incident. That plan should address the need to contain the breach, remove the threat, and recover lost information.
Update your software. Conventional security software such as firewalls reacts to threats only after they have been detected. Newer next-generation technology takes a more automated, proactive approach that constantly scans networks to detect threats before they become full breaches. Even today’s standard productivity applications have better security features than they had in the past.
Get into the cloud. Many organizations are discovering that the perceived cost-benefit of owning their own servers and keeping them on site under the supervision of their own IT staff can quickly disappear if an attacker manages to breach them. Cloud providers have exceptionally high security standards with specialists on duty 24/7 throughout the year. Migrating company files to the cloud can also bring a variety of operational benefits to users.
Even with the best technology, no system’s security is stronger than its most vulnerable legitimate users. Scams will continue to evolve, and corporate security practices need to be as dynamic as the changing threat environment. Ongoing education and awareness efforts, together with a culture of online skepticism and prompt reporting of suspicious email, are fundamental to strengthening any organization’s front lines of defense: a workforce of knowledgeable employees and vigilant executives.