Businesses and employees alike are adjusting to new rules of technology as the boundary between work and home has become thinner than ever before, thanks most immediately to COVID-19’s impact on the workplace. Employees relying on personal devices, an increase in cloud collaboration software, and dispersed teams are just some of the ways this shift has played out.
Online security threats are on the rise as organizations across the board adapt to a more remote workforce and evaluate changing workplace models for the future. Because employees are so often the weakest link in an organization’s security, it’s essential to protect your business and employees against common threats, such as phishing attacks, which have only increased during the pandemic.
Phishing attacks are a common scheme in which someone poses as a trusted party (like an employer, bank, or government employee) in an attempt to steal personal information, such as credit card numbers, usernames and passwords, or other account details. Sometimes these attempts are obvious; for instance, a request to wire money to someone you don’t know. However, these schemes are becoming more sophisticated and targeted.
An employee may receive an urgent email from their CEO asking them to purchase gift cards for a client, or from their HR department asking for personal information to confirm their payroll details. These can be harder to spot, especially if the target is a new employee, in a rush, or otherwise distracted.
One compromised employee login can give an attacker a foothold across an organization, especially if the same password is reused on other accounts, leaving sensitive business data at risk. To mitigate this, employers should ensure that employees are familiar with the tactics used in specific schemes, like phishing attacks, so they know the red flags to look out for.
Phishing attack red flags
Urgency
Hackers will often create a sense of urgency by threatening to cut off your service, or giving a tight deadline. For instance, a phishing email from someone posing as a bank or another financial institution might ask you to “confirm your account” and re-submit your payment information or else your account will be terminated. If something seems strange or alarming, it’s worth taking the time to investigate further.
Lack of personalization
Cyber criminals often send hundreds of emails at a time, so a major indication of a mass-mailed fake is the lack of a personalized greeting. Be suspicious if the email doesn’t include your name or username, or addresses you simply as “Customer” or “Account Holder.” The reverse does not hold: targeted (spear-phishing) emails are frequently personalized, so a correct greeting is not proof that a message is genuine.
Illegitimate email address
Cyber criminals will often register a domain that closely resembles a company’s official one, with a single letter changed or a word added. Phishing emails may also display the name of a real person within your company, while on closer inspection the address itself belongs to a free webmail provider or some other domain outside the organization. Look closely at the sender’s actual address, not just the display name, which a sender can set to anything, and check that any Reply-To address belongs to the same organization.
Misspelled words and poor grammar
One quick way to identify a phishing scam is the use of misspelled words and poor grammar in the body of the email. As with personalization, the absence of errors proves nothing; well-funded campaigns produce polished copy.
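As an added example (not from the original article), here is a small Python checker for the illegitimate-address red flag above. It compares the domain in a From: header against an assumed organization domain and trusted partner domains, collapses common look-alike characters so that “examp1e” and “exarnple” match “example”, measures edit distance to catch one- or two-letter typosquats, spots the company name embedded in an unrelated domain, flags a known employee’s display name on an external address, and checks that a Reply-To header stays within the organization. The domains, the staff directory, and the sample headers are constructed for the demo.

```python
"""Classify an email From: header against the organization's domains.

Added example, not part of the original article. The organization domain,
trusted partner domains and staff directory below are constructed for the demo.
"""
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                      # assumed organization domain
TRUSTED_DOMAINS = {ORG_DOMAIN, "examplebank.com"}    # assumed trusted partners
KNOWN_STAFF = {"jane doe", "tom li"}                 # constructed staff directory

# Characters and digraphs commonly used to imitate letters in registered domains.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Canonical form in which visually similar domains collapse together."""
    d = unicodedata.normalize("NFKC", domain).lower().strip(".")
    d = d.translate(_CONFUSABLE_CHARS)
    for pair, repl in _CONFUSABLE_PAIRS:
        d = d.replace(pair, repl)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels ('mail.example-corp.com' -> 'example-corp.com').
    Crude on purpose: a real deployment would consult the public suffix list."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, reply_to: str = "") -> tuple[str, str]:
    """Return (verdict, reason) for a From: header and an optional Reply-To: header.

    Verdicts: trusted, reply-to-mismatch, lookalike, impersonation, external, malformed.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed", f"no usable address in {from_header!r}"
    domain = addr.rsplit("@", 1)[1].lower().strip(".")
    reg = registrable(domain)

    if reg in TRUSTED_DOMAINS:
        # Genuine From: domain, but replies may be redirected elsewhere.
        if reply_to:
            _, rt_addr = parseaddr(reply_to)
            rt_domain = rt_addr.rsplit("@", 1)[1].lower() if "@" in rt_addr else ""
            if registrable(rt_domain) not in TRUSTED_DOMAINS:
                return "reply-to-mismatch", f"From is {domain} but replies go to {rt_domain or '?'}"
        return "trusted", f"{domain} belongs to the organization or a trusted partner"

    for legit in sorted(TRUSTED_DOMAINS):
        brand = legit.split(".")[0]                      # e.g. 'example-corp'
        if skeleton(reg) == skeleton(legit):
            return "lookalike", f"{domain} is visually confusable with {legit}"
        if edit_distance(reg, legit) <= 2:
            return "lookalike", f"{domain} is within two edits of {legit}"
        if legit in domain or brand in domain:
            return "lookalike", f"{domain} embeds '{brand}' but is not {legit}"

    if name.strip().lower() in KNOWN_STAFF:
        return "impersonation", f"display name {name!r} is a known employee but {domain} is external"
    return "external", f"{domain} is outside the organization"


if __name__ == "__main__":
    # Constructed sample headers: one genuine sender, then the red-flag variants.
    samples = [
        ("Jane Doe <jane.doe@example-corp.com>", ""),
        ("Jane Doe <jane.doe@example-corp.com>", "Jane Doe <jane.doe@evil.net>"),
        ("Jane Doe <jane.doe@examp1e-corp.com>", ""),
        ("IT Helpdesk <helpdesk@exarnple-corp.com>", ""),
        ("Security <alerts@example-corp.com.evil.net>", ""),
        ("Jane Doe <jane.doe@gmail.com>", ""),
        ("Vendor <billing@acme-supplies.com>", ""),
    ]
    for frm, rt in samples:
        verdict, reason = classify_sender(frm, rt)
        print(f"{verdict:18} {reason}")
```

Treat this as an aid to the eyeball check, not a mail filter: a From: address that passes every test here can still be forged unless the mail gateway validates it, the two-label registrable-domain split misreads suffixes such as .co.uk, and the confusable map covers only the most common substitutions.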
To further boost awareness and prevention of falling victim to these schemes, organizations should consider running phishing tests to create mock phishing emails and/or websites that are then sent to employees.
Running these tests can help employees understand the different forms a phishing attack can take, learn to identify their features, and underscore the importance of not clicking suspicious links. A study by the Ponemon Institute reported that phishing simulations roughly double employee awareness retention rates and yield a near 40 percent ROI compared with more traditional cybersecurity training.
To successfully carry out a phishing test, employers should:
Educate employees
Train employees on the red flags above and ways to identify a phishing scheme, and notify them that the company will be running occasional tests to help prepare them for an attack in a controlled setting.
Create a protocol
Determine an easy way for employees to flag potential phishing schemes to your IT/security team. This can take the form of a dedicated email alias or an embedded button built in to employees’ inboxes.
Run an ongoing series
The test should be constructed as an ongoing series of phishing simulations over time to gauge success and improvement. They should vary in method to give employees multiple opportunities to learn.
Include executives
Senior management and executives are often prime targets for phishing schemes, so it’s important that they be included as a part of the test.
Measure results
Reporting is critical to measure success and track improvements. There are three key metrics you want to be measuring: 1) click rate: the share of recipients who clicked the simulated link; 2) submission rate: the share who entered sensitive data (for example, a username and password) on the mock page; and 3) report rate: the share who reported the email through the protocol above. The first two should decrease over time, while the report rate should go up. The report rate is the most telling of the three: a low click rate in one campaign may only mean the lure was weak, so compare campaigns of similar difficulty before concluding that awareness has improved.
Follow up with training
One of the most important parts of any phishing test is providing additional training to help low performers succeed. This should be done in a polite and friendly manner, as it’s important that employees feel comfortable talking about their struggles with cybersecurity; a punitive program discourages the reporting you are trying to encourage. Notify first-time offenders that they erred on the phishing test, and provide additional training materials on how to spot a phishing email. Managers should intervene more closely with those who have continued trouble, offering a tutorial on spotting phishing emails that includes popular examples and things that have happened to other businesses.
Finally, educate teams on security best practices in general to ensure they are taking extra precautions with their work-related accounts and devices. This can include enabling two-factor authentication for an added layer of security and using a strong, different password for every account. The latter is critical, especially for employees who may have used the same password across personal and business accounts in the past. Everyone should understand that unique passwords limit the damage of a single breach: a password stolen from one account cannot be replayed against the others.
Educating your workplace on common threats and best practices will mitigate potential risks that your organization is exposed to through employees. Without a thoughtful, ongoing approach to security, your organization may find itself the next victim of a data breach.
Emmanuel Schalit is co-founder and CEO of Dashlane