Don't Grab That Bait! Workplace Email Phishing Tips

Unless you’ve been under a rock, you know that email phishing is a favorite and effective hacker tool worldwide. A report by the Ponemon Institute and Keeper Security finds negligent employees are the #1 cause behind data breaches at small-to-medium-size businesses (SMBs), and phishing emails are the #1 form of attack on those employees.

According to the U.S. Securities and Exchange Commission, 60% of SMBs are out of business within six months of a security breach, and email phishing is a growing source of those data breaches. Symantec’s “2018 Internet Security Threat Report” estimates that one of every 412 emails contains malware; a big drop from 2017's 1 in 131. This is very positive direction that can be attributed to IT efforts across all business types. The down side is that thousands of emails are received daily by most companies, so the job is far from over – all it takes is one employee misstep to unleash a world of hurt on a company and its data.

Knowing the signs and shapes phishing emails take is a huge part of workplace data security. Both employees and employers who know take proactive steps toward a cyber-safe workplace.

EMPLOYEE AWARENESS

• Never assume an email is trustworthy just because it’s from a co-worker or internal department – it’s very easy for hackers to disguise emails. Carefully check the email address or URL of the sender and be aware of spelling and grammatical errors in email text. If you see a suspicious email from a known sender, ask them directly if they sent it – better safe than sorry.
• Look for generic greetings like “employee” or “customer.” Most phishing emails are sent to tons of people at the same time and don’t address employees by name.
• Beware email attachments using suspicious file extensions like .exe, .pptm and .docm. Any extension out of the ordinary is suspect, but no extension is guaranteed to be safe.
• Emails asking for immediate action or are aggressive about getting a response are hacker favorites. They rely on scare tactics to get your attention and open them – you’re one step away from clicking on a malicious link.
• Immediately report suspicious emails to the IT department or those responsible for online security. Making them aware enables them to block and investigate senders.

EMPLOYER AWARENESS

• Conduct ongoing employee cyber education. Address the latest phishing and other hacking tactics and make mock scenarios part of the training. Then, re-test employees so you know where improvements need to be made.
• Enable spam filters to recognize emails from suspicious sources. These filters can block and prevent phishing emails from ever reaching employee inboxes.
• Use a web filter to block malicious websites and always encrypt sensitive information.
• Always use two-factor authentication, especially for employees whose credentials have been compromised.
• Keep data systems up-to-date and apply security patches and updates as soon as they’re available.

Stickley on Security
Published August 16, 2018