Here's what you need to know:
In October, 2016 CNN reported, “A phishing email sent to Hillary Clinton campaign chairman John Podesta may have been so sophisticated that it fooled the campaign's own IT staffers, who at one point advised him it was a legitimate warning to change his password.” (citation)
It’s assumed that Mr. Podesta clicked a fraudulent link in the email which resulted in the now infamous email hacking.
Phishing emails are fraudulent emails that use social engineering (psychological manipulation) to trick the recipient into:
1. Giving up sensitive financial information
2. Transferring large sums of money to criminals
3. Installing malware such as ransomware on your company’s network.
Imagine getting an email from a trusted vendor requesting payment to a new bank account. The email looks exactly like the invoices you’ve received in the past and contains enough information about your relationship with the vendor to appear credible.
Here’s an example of a phishing email that looks like it came from a bank:
You’ll notice the cleverly disguised links to redirect you to a fake website. At first glance, these links look like a legitimate bank address, but once you hover over them the real address is revealed.
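The mismatch described above (link text that shows a bank address while the real link goes elsewhere) can be checked automatically. The Python script below is an added example, not part of the original post: it parses the HTML body of an email and flags every link whose visible text looks like a web address but whose href points at a different host. The sample email and its domain names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_address(text):
    """True if the anchor's visible text is itself a URL or a bare domain."""
    return re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I) is not None


def _host(value):
    """Return the lowercased host of a URL or bare domain, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def find_disguised_links(html):
    """Return (visible_text, real_host) for links whose shown address
    disagrees with the host the href actually points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, etc. are out of scope here
        if _looks_like_address(text) and _host(text) != _host(href):
            findings.append((text, _host(href)))
    return findings


# Constructed sample: one disguised link, one honest link, one plain-text link.
SAMPLE_EMAIL = """
<p>Your account will be disabled unless you verify it now.</p>
<a href="http://login-verify.example.net/secure">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>
<a href="https://www.examplebank.com/contact">Contact us</a>
"""

if __name__ == "__main__":
    for shown, real in find_disguised_links(SAMPLE_EMAIL):
        print(f"Disguised link: text shows {shown!r} but goes to {real}")
```

Plain-text links such as "Contact us" are not flagged, since the check only fires when the visible text itself names an address.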
Phishing emails are designed to bypass your anti-virus, anti-malware, and firewall, and they play on the recipient’s fears, usually by threatening action such as disabling your account.
The best defense is to take a proactive, risk-based approach to your data and network security.
1. Share the information in this email with your employees today. It’s important to start a conversation with them about phishing email scams, engage in regular training sessions to help them spot a phishing email, and put a reporting mechanism in place so your IT department is made aware of the issue.
JP Morgan, which suffered the largest loss of customer data in US financial institution history this summer, later sent a phishing email to its own employees to assess the potential for future security threats: 20% of employees opened the email. (citation)
2. Beef up your firewall with Unified Threat Management (UTM) that includes:
o Intrusion Prevention Service
o WebBlocker
o Gateway AntiVirus
o Reputation Enabled Defense
o Network Discovery
o SpamBlocker
3. Don’t allow your employees to shop, visit social media sites, or check their personal email from any devices that are on your network. This includes laptops, mobile phones, or tablets.
4. If you get a request for payment from a vendor to a new bank, call the vendor to confirm (but don’t use the phone number given in the email or respond directly to the email).
5. If the CEO of your company sends you a request to pay a consultant that you’ve never met, then call the CEO to confirm.
6. Have a data and network security assessment completed. You may have potential security risks that you’re not aware of.
7. Make sure that you have a business continuity plan in place that includes instant recovery of your data, files, network, applications, and server.