Phishing scams are arising at a fast and furious pace in the first quarter of 2017, with the IRS recently issuing a warning that these attacks are now targeting non-profits and school districts. These organizations are new additions to the hit-list; phishing attacks have long been known to target for-profit corporations. Phishing is the general term for the ways attackers try to persuade a user to hand over information. These scams can be conducted by phone or e-mail, and are often so realistic that the recipient has no idea the message is not legitimate. The risks of falling prey to one of these scams include the loss or unauthorized disclosure of sensitive information, a malware intrusion, and an increased risk of ransomware.
There are several types of phishing scams. For example, spear phishing is a type of phishing attack that is tailored to the individual user, such as when an e-mail appears to be from the user’s boss or CEO, instructing the user to provide information directly to the CEO. Common requests are for employee information, such as W-2 forms. Other requests may involve a link that asks a user to provide their password and log-in credentials to resolve a discrepancy in their account. The attacks are not limited to email. Vishing is the telephone version of phishing, and involves the practice of making phone calls or leaving voice messages to induce individuals to reveal information, such as bank details and credit card numbers. Smishing or SMS-phishing, on the other hand, is the use of text messages to phish for information. All of these attacks serve one purpose: to acquire valuable personal information from the end-user.
The good news is that training your employees can help your organization avoid falling prey to one of these attacks. Organizations should keep in mind the following practical tips to combat phishing:
- Identify phishing communications. Phishing e-mails usually create a sense of urgency, demanding immediate action because the attacker wants to rush the recipient into taking their bait. These e-mails contain unexpected links or attachments, often requesting highly sensitive information (e.g. financial information, log-in credentials, W-2s), and contain poor grammar or spelling.
- Independently verify communications that request sensitive information. Legitimate organizations typically know better than to request sensitive information via e-mail. If an individual receives a suspicious e-mail or call requesting them to do something or to provide information, they should independently confirm with the purported sender before complying with the request.
- Check URL links. Individuals should hover over a link to preview the URL, and look carefully for misspellings or other irregularities. If uncertain whether a link is safe, individuals should not click on it. Even if it looks safe, it is better not to click on the link directly from the e-mail at all; instead, open a new tab or window and enter the URL manually.
- Only enter information over a secure online connection. Only enter information into a website that is secure. Secure websites typically include: (1) a URL beginning with “https” and (2) a closed-lock icon in the browser.
- Implement effective anti-phishing software. To minimize the risk of employees falling for phishing bait, invest in an effective software filter that minimizes the number of phishing e-mails that reach employees’ inboxes.
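The link checks in the tips above (hover to see the real destination, look for misspellings, expect https) can be automated as a first-pass filter on hyperlinks pulled from incoming e-mail. The following is an added example, not part of this alert or any product it mentions; the trusted-domain allowlist and the sample links are constructed for illustration, and note that https only tells you the connection is encrypted, not that the site is the one it claims to be.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of the organization's legitimate domains (assumption for this example).
TRUSTED_DOMAINS = {"example-bank.com"}


def _registrable(host: str) -> str:
    # Crude approximation: keep the last two labels (ignores multi-part suffixes such as co.uk).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot one- or two-character misspellings of a trusted domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str) -> list:
    """Return warning strings for one hyperlink (visible text plus href) taken from an e-mail."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        findings.append("connection is not https")
    if parts.username is not None:
        # "https://trusted.example@other.example" really connects to the host after the "@".
        findings.append(f"URL contains '@'; real host is {host}")
    if "xn--" in host:
        # Punycode marks an internationalized host name, a common way to build look-alike domains.
        findings.append("internationalized (punycode) host name may be a look-alike")
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if shown and _registrable(shown.group(1)) != _registrable(host):
        # What the reader sees on hover differs from where the link actually goes.
        findings.append(f"link text shows {shown.group(1)} but points to {host}")
    reg = _registrable(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # Near-miss spelling, or the trusted name buried inside an unrelated domain.
            if 0 < _edit_distance(reg, trusted) <= 2 or trusted.split(".")[0] in host:
                findings.append(f"{host} resembles trusted domain {trusted}")
                break
    return findings
```

An empty list means no heuristic fired; any non-empty result is a reason to verify the sender independently rather than follow the link.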
Additionally, if your organization is impersonated in a phishing scam, the FTC recommends the following response:
- Notify consumers of the scam. Inform customers as soon as possible if fraudsters are impersonating your organization. This can be done via social media, e-mail, or a website notice.
- Contact law enforcement. The FTC also recommends: (1) reporting the scam to the FBI’s Internet Crime Complaint Center; (2) suggesting that affected customers forward any phishing e-mails impersonating your business to the Anti-Phishing Working Group, a public-private partnership against cybercrime; and (3) informing consumers that they can file a complaint with the FTC.
- Provide resources for affected consumers. The FTC recommends directing consumers to (1) www.IdentityTheft.gov where they can report and recover from identity theft; and (2) the FTC’s consumer information site which provides online security tips.
- Update your security practices. Use the phishing attack as an opportunity to re-assess and update your security practices. The FTC recommends the following security resources: (1) the FTC’s data security portal; (2) its Start with Security: A Guide for Business; and (3) its Protecting Personal Information: A Guide for Business.
Arent Fox’s Privacy, Cybersecurity & Data Protection group monitors developments in the data protection field. For more information, please do not hesitate to contact Sarah L. Bruno or Eva J. Pulliam.