Last week, one of our clients, the Owner and CEO of a manufacturing business, shared a striking story with me…
On a single day, about a dozen of her employees received an identical email — an email that appeared to come directly from her.
The email instructed recipients to click on a link; it said that the situation was urgent and required immediate attention.
Fortunately, and much to the credit of my client and the training she has run her people through, not a single person clicked the link. Instead, several reached out to her directly through other means to see if the request was valid (it wasn’t).
Sadly, this kind of thing has become a common occurrence. Spammers, spoofers, phishers … they are all working tirelessly to find ways to take your money, infect your systems, misappropriate your data, and otherwise wreak havoc within your organization.
And it’s email, the tool we all rely on every day, that is the most common vehicle for this type of nefarious activity. With that in mind, here are some things you and your staff can do to reduce the threat…
Treat Email With Suspicion
The simple act of opening an email is generally safe.
Yes, it’s true that if you have automatic image loading turned on (most people do), the sender can embed a tiny image that is fetched from their server the moment you open the message. That tells them when you opened it, your approximate location (from your IP address), your email client, and some details of your computer setup. None of this is directly harmful on its own, but it does confirm that your address is live and that you read the message, which makes you a more attractive target for the next attempt; turning off automatic loading of remote images removes that signal.
It’s when you or one of your employees takes action on these bogus requests that harmful things may happen:
Someone in your accounting department is asked to wire money to a client at a specified bank account.
One of your admins is asked to purchase several thousand dollars’ worth of iTunes gift cards for an upcoming company event.
Your credit card company says that your company account has been compromised and that the account will be shut down unless the card details are confirmed.
Fraudulent requests like these are known as “phishing.” The trouble is that genuine requests of exactly the same kind arrive every day, which is what makes the fake ones so easy to fall prey to, and so potentially dangerous.
So the first step in determining the validity of an email is to look at the actual sender address, not the display name. The display name may say “Jane Doe, Company X,” but anyone can type that into their mail settings. If you hover your mouse over the display name (or tap it on a phone) you can see the address the message was really sent from. Check that the part after the @ is exactly your company’s domain: attackers routinely register a lookalike domain with one letter added or changed, or simply use a free webmail address. And if your mail system does not enforce sender authentication (SPF, DKIM and DMARC), even a correct-looking address can be forged outright, so a matching address is a good sign but not proof by itself.
From there, and even if the sender appears to be valid, it’s important to consider the “normalcy” of the request. For example: Does it seem out of the ordinary? Is there a great deal of urgency? Does the person who received the email often hear directly from the company CEO?
Above all, it’s important that all employees feel empowered to question the request and pick up the phone to verify if things don’t seem quite right.
Be Careful With Links
Bogus links within emails are typically used either to trick the user into handing over sensitive information (the user thinks they are logging in to the company bank account, but in fact it is a look-alike page that captures the password) or to deliver malware onto the user’s computer, and from there onto the rest of the company network.
As with email addresses, all common email systems (Microsoft, Google, etc.) let you hover over a link (or long-press it on a phone) to see where it really goes. The text you can read and the actual destination are set separately, so compare the domain of the real destination, the part just before the first single slash, with the place you are supposedly going to. For sites that require a user name and password, it’s always best not to click the link at all and instead type the address yourself or use a bookmark you saved earlier.
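To make the two checks above concrete (the real sender address behind the display name, and the real destination behind a link), here is an added example in Python that is not part of the original article. It parses a constructed sample message modelled on the CEO-impersonation email described at the start, using placeholder domains; the set of trusted company domains and the lookalike heuristic are assumptions made for the example. This is exactly what the manual hover check is looking for, written down as code.

```python
"""Sender and link checks for one suspicious message (added example, stdlib only)."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message with placeholder domains, modelled on the
# "urgent request from the CEO" phish described in the article.
SAMPLE_EMAIL = """\
From: "Jane Doe, Company X" <jane.doe@companyx-ceo.com>
Reply-To: jane.doe@mail-relay-7.example
To: staff@companyx.example
Subject: URGENT - need this handled today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm the payment details here right away:</p>
<a href="http://companyx.example.login-portal.test/verify">https://portal.companyx.example/login</a>
<p>Thanks, Jane</p>
</body></html>
"""

# Assumption for the example: the domains that really belong to the company.
TRUSTED_DOMAINS = {"companyx.example"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is no @)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain: str, trusted: set[str]) -> bool:
    """True if the domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def looks_alike(domain: str, trusted: set[str]) -> bool:
    """Heuristic: the company's name appears inside a domain that is NOT ours,
    e.g. companyx-ceo.com or companyx.example.login-portal.test."""
    brands = {t.split(".")[0] for t in trusted}
    return not is_trusted(domain, trusted) and any(b in domain for b in brands)


def check_sender(raw_message: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """The 'look at the real address, not the display name' rule, on the headers."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    display_name, from_addr = parseaddr(msg["From"] or "")
    from_domain = domain_of(from_addr)
    if not is_trusted(from_domain, trusted):
        findings.append(f"From address {from_addr!r} is outside the company domains "
                        f"although the display name says {display_name!r}")
    if looks_alike(from_domain, trusted):
        findings.append(f"From domain {from_domain!r} imitates a company domain")
    # A Reply-To pointing elsewhere means a reply never reaches the apparent sender.
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr!r} goes somewhere other than the From domain")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(raw_message: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """The 'hover and compare the real destination' rule, on every link in the body."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        # If the visible text is itself a URL, the user will compare against that host.
        shown_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host!r} but really goes to {real_host!r}")
        elif looks_alike(real_host, trusted):
            findings.append(f"link host {real_host!r} imitates a company domain")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_EMAIL) + check_links(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, the sender check reports three problems (outside domain, lookalike domain, mismatched Reply-To) and the link check reports that the visible address and the real destination differ; a message from the genuine company domain with a plain link produces no findings.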
Beware of File Attachments
Even if you have done your best to verify the sender, and nothing seems off or unusual about the email itself, the general rule of thumb with email attachments is that if you are not expecting one, don’t open it.
Assume that it is dangerous and check with the sender by calling, texting, or through some other means that does not involve replying to the email itself!
We have seen many experienced, sophisticated business users get fooled into taking actions they should not have as a result of malicious emails.
So while falling for one is nothing to be embarrassed about, it is not always easy to avoid, either. That’s why we recommend specific training, for all employees, on how to identify and handle bogus emails.
Further, many of our clients use a system that sends out benign phishing emails that track which employees opened the emails, clicked any links, attempted log-ins, or took other unwise actions. This gives management insight into overall staff knowledge while also pointing out which individuals may need further education.
The battle with bad actors is never-ending and your employees represent the first line of defense. The more educated and aware they are, the safer your organization and its assets will remain.