An international hacker was recently found to have more than 10,000 stolen debit and credit card numbers. So, clearly, phishing – the practice of tricking someone into giving bank or credit card information – is rife and plenty of people are falling for it.
Many businesses issue staff with credit cards to pay for work expenses. But don’t assume everyone who works in your small business is too smart to be taken in by the corrupt come-on of some creep who slips past your email filters. Phishing messages can be slyly convincing.
The website that a phisher’s email links to will have an address (URL) that is similar to but not the same as a real bank's or financial institution’s site. For instance, if the real site is at 'www.yourbank.com.au', the scammer may use an address like 'www.yourbank.com.au.log107.biz'. The fake site may be stamped with logos indistinguishable from those on the real site.
Here are seven tips to help counter the slippery threat of phishing with protection, detection and correction.
- Use anti-phishing staff training programs
One way to prevent the potential financial harm that can be inflicted by phishing attacks is to train your staff to understand phishers’ manipulative ‘head hacking’ antics. Software training programs include PhishGuru and PhishMe, which is a phishing simulator that boosts awareness of the sophisticated tactics used by hackers looking to compromise your firm’s data and systems.
- Take a cross-platform stance
You need to raise your game as criminals grow smarter, says the cyber safety expert for the security firm Trend Micro, Aman Chand. Attend to all the internet-connected gadgets your business has because you need multi-device protection, Chand says. Besides Trend Micro, McAfee, Symantec and Webroot can offer protection for all your devices.
- Remember your mobile
Ensure your staff do not leave mobiles unguarded, Chand says. Just locking up a mobile with a password will no longer do. Mobile devices need proper security software, which is available from all the big antivirus firms, from Trend Micro to Avast!, McAfee and Norton. Mobile is the new frontier for cybercriminals, according to Chand. In 2012, Trend Micro research showed cybercriminals were increasingly targeting mobiles with phishing attacks. Chand highlights the plight of the popular mobile platform Android. During its first three years Android has faced the same number of global threats it took the personal computer platform 14 years to rack up.
- Shun that attachment
Three quarters of all spam attachments are malicious, according to Trend Micro research. Make sure your staff understand that if they have doubts about an attachment they should not open it, because it could be the gateway to your system a hacker seeks. Carelessly click an attachment and if you are unlucky the business may be deluged with spam. Worst case: your computers could become an open book to a shyster intent on stealing your business’s information.
- Run scanners
According to a security advisor for AVG Technologies AU, Michael McKinnon, while old-school phishing attacks take credentials under false pretences, others just infect your computers by exploiting any detected vulnerabilities – lapses like out-of-date or non-existent anti-hacker software.
Prevent infection, McKinnon advises, by running an anti-virus scanner on all your computers. Vitally, it will ensure that any known malware is detected before a rogue program executes and takes hold of the computer.
Another tool, link-scanning software, gauges web pages’ content before they are opened, checking if they have been compromised. If so, the software blocks the shady pages, which may carry code designed to exploit the machine.
- Build an arsenal
Be thorough – combine multiple layers of anti-virus and anti-spam technologies that are always turned on and updating automatically. Your business’s defensive arsenal should include a firewall, anti-virus detection and anti-spam capabilities. Besides AVG, popular and powerful defence brands include Avira, Kaspersky, Ad-Aware and Spybot.
Together, your defences will shield your business from harm by addressing different and sometimes overlapping areas of concern.
Consider upgrading your hardware if your business has clunky computers that cannot run all the safety mechanisms. McKinnon says: “Don’t forsake your own security just so you can squeeze the last drops from your old computer.”
- Change your passwords
Change login details as soon as a phishing attack occurs. Make sure all staff use complicated passwords. Passwords should be strong, long and secure. Have a policy so that staff use a mix of uppercase and lowercase letters, symbols and numbers.
If you follow these steps, you should reduce the risk of your business being phished or minimise any damage.
The effort has to be worth it because phishing is a nasty, devious crime. Besides draining your business of valuable cash, it will leave you feeling foolish and violated. If you relax and just hope it doesn’t happen to you, it may well be just a matter of time before someone in your company is suckered.