Phishing is a type of email fraud in which the sender impersonates a trusted source to try to gain access to passwords, credit card numbers, and other sensitive information. The victim is at risk of theft, identity theft, or contacting malicious computer viruses. Fraudulent e-mail is frequently disguised as a message from a bank or a trusted merchant. Scam e-mails often contain a link to a site that either requires the person to enter sensitive data or instructs the user to download a special program. These fake e-mails often look and sound very authentic – even experienced users can be fooled. But over time, consumer education has alerted many to the scams and most people know better than to give out sensitive information without vetting the source.
Spear Phishing
Scammers continue to up the ante. More recently, these fraudulent e-mail scams have gotten more sophisticated, targeting specific companies in a practice often called spear phishing, which is a more targeted approach. In these attacks, the phony e-mails masquerade as communication from within the organization – such as from the HR or IT department or from a specific manager. Last week, there was a report of spear phishing emails that targeted CEOS through emails disguised as court subpoenas.
Keep informed, educate your employees
Employers need to stay alert about new phishing scams and need to educate their workers about scams to protect the organization from vulnerabilities – it only takes one chink in the armor to launch an internal attack. Two good sources are the FBI e-scams and warnings update and the Anti Phishing Work Group, an organization which stays on top of the latest scams and is a good source of consumer information and education about phishing scams. In how to avoid phishing scams they offer consumer pointers, among them:
- Be suspicious of any email with urgent requests for personal financial information
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic – call the company on the telephone, or log onto the website directly by typing in the Web adress in your browser
- Avoid filling out forms in email messages that ask for personal financial information – you should only communicate information such as credit card numbers or account information via a secure website or the telephone
- Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser
- Consider installing a Web browser tool bar to help protect you from known fraudulent websites.
- Regularly log into your online accounts (to ensure that there has been not fraudulent activity)
- Ensure that your browser is up to date and security patches applied
- Always report “phishing” or “spoofed” e-mails to the following groups:
* forward the email to reportphishing@antiphishing.org
* forward the email to the Federal Trade Commission at spam@uce.gov
Make a policy that you will never ask for confidential employee information (passwords, credit card numbers, social security numbers) via e-mail and publicize the policy widely. Use newsletters, company meetings, and bulletins to publicize security tips and to teach your employees that whether at work or at home, they should never share confidential information via e-mail. Here are a few consumer quizzes you can use to test their – and your – knowledge:
Phishing IQ Test
Catch a phish – take the quiz
On Guard Phishing Quiz (flash, sound)
Can you spot the phishing?