The online threat landscape is continually evolving, and few threats evolve more rapidly than phishing attacks. Cybercriminals continue to design new and more effective email phishing scams, tricking unsuspecting victims into releasing sensitive personal information and transferring money to fraudulent accounts. Spear phishing is a slightly different, but equally effective, variation on the phishing email, most often targeted at a specific individual or business. The email directs the recipient to a malicious website with the intention of stealing data or installing malware on the target’s computer.
Phishing and spear-phishing continue to be an extremely effective revenue stream for hackers, with approximately 23% of phishing emails being opened by employees even after they have received training on how to identify and deal with malicious communications. One mistake by an employee can have devastating consequences for an organization, allowing cybercriminals to access sensitive information, deploy malware, or fraudulently represent the company’s brand online. Employee education, while very important, is not enough to ensure email security.
What can you do to protect your business and stop phishing emails?
If 23% of scam emails are being opened by employees who have been trained in how to recognize phishing scams, imagine the risk to your company if no training has been implemented. Key things employees should look out for:
- An email requesting personal information, bank details, passwords etc.
- Poorly spelled emails with grammatical errors are often a hallmark of a scam email
- On a mobile device, if you’re not sure, click and hold the link and you will see the URL or web address of the page to determine if it’s legitimate
- On a PC or laptop, hover your mouse over the link to see the URL or web address of the page to determine if it’s legitimate
- When in doubt, don’t click the link!
A well-informed staff member who knows what to look for is another line of defense a hacker has to get past in order to obtain sensitive data.
02. Email Authentication
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technical standard that protects email users from fraudulent communications. It works by validating incoming emails so that malicious messages can be detected even when they appear to have originated from a valid domain. It removes the element of human error upon which the creators of phishing scams rely by telling the receiving server whether or not an incoming email is legitimate. DMARC by FraudWatch International not only includes monitoring and detection services, but also guarantees the fastest removal of malicious content in the industry.
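The decision the receiving server makes is driven by the sending domain's published DMARC policy. The following is an added example (not FraudWatch International's code) of that evaluation: it parses a constructed `_dmarc` TXT record, checks whether the SPF or DKIM result is aligned with the `From:` domain, and returns the action the policy requests. The DNS lookup and the SPF/DKIM checks themselves are assumed to have already run; the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List.

```python
# Added example: applying a DMARC policy on the receiving side.
# DMARC_RECORD is a constructed record as it would appear in _dmarc.example.com TXT.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; DMARC tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels); real receivers use the
    # Public Suffix List, which this example deliberately skips.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') allows a subdomain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM result exists, else the p= action."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed spoof: From: example.com, but SPF only passed for an unrelated
    # domain and there is no DKIM signature for example.com -> policy says reject.
    print(dmarc_disposition(DMARC_RECORD, "example.com", True, "other.test", False, ""))
```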
03. Password security
If you thought the number of hacking scandals from 2017 was enough to make Joe Public have a serious think about his password security, you’d be wrong. According to SplashData’s annual list of terrible passwords, “123456” and “Password,” once again have claimed the top two spots in 2017. If your IT department allows employees to select their own passwords, it’s highly likely you have a couple of “Password” or similar gems floating around in your database.
It’s time to get serious about password security, and that means encryption when it comes to storing users’ passwords in your databases. Having them stored in plain text means they’re very visible, and if your database was compromised, the entire list would be readable. Encryption of passwords so they don’t read in plain text is a vital precaution when it comes to the secure storage of passwords. Outlined below are two of the most widely used and effective methods in password security.
A cryptographic hash is a one-way encryption, meaning you can’t work out the input data by reversing the hash. It does this by mixing up readable data into a scrambled cipher, so passwords themselves are not stored on the database. The idea isn’t that hashes can be decrypted; rather that when a password is entered, the system runs the hash again and verifies the result against the hash generated when your password was chosen.
Salt + Hash
This is an extra layer of protection for the case where two users choose the same password and would otherwise end up with the same hash. Also known as “a number used once” or “nonce”, a salt mixes random data into the hashing process so that each stored hash is unique.
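The two sections above (the one-way hash that is re-run at login, and the per-user salt that keeps identical passwords from producing identical hashes) come together in the following added example, which is not FraudWatch International's code. It uses PBKDF2 from Python's standard library; the stored record format and the sample passwords are constructed for illustration.

```python
# Added example: salt + hash for password storage and verification.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise it over time as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage in the user table.

    The password itself is never stored; only the random salt and the resulting hash are.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, even for identical passwords
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or iteration count
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_hash(password: str) -> bool:
    """Two users pick the same password: do their stored records look identical?"""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    # Constructed user; "123456" is one of the top passwords the article mentions.
    record = hash_password("123456")
    print(record)
    print(verify_password("123456", record))    # correct password verifies
    print(verify_password("Password", record))  # wrong password does not
    print(same_password_same_hash("123456"))    # False: the salt makes each hash unique
```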
It’s vital to take a proactive approach when it comes to managing threats against your brand, clients and sensitive data. The above tips on how to stop phishing emails are all critical steps in ensuring your business is protected; however, engaging a cybersecurity organization to externally monitor your incoming communications is another, more comprehensive layer of security. This monitoring service is offered by FraudWatch International, and it works by using proprietary anti-phishing software to seek out phishing activity on the internet. FraudWatch International are proud to offer industry-leading take-down times, meaning less risk to your business, and less exposure for your clients and intellectual property. Don’t let your customers become needless victims of a phishing attack. Contact us today.