Many of us will shop online this month to avoid holiday-shopping crowds and find great deals. Unfortunately, cybercriminals are poised to take advantage of the increased online activity to prey on unsuspecting or distracted consumers and businesses to steal their personal information.
One of the most common methods of stealing personal information, such as financial account data, is through a phishing attack, which relies on two things: some sort of trickery or deceit, and a distracted or unsuspecting victim.
Cybercriminals that engage in phishing use a variety of methods to trick users into accessing bogus websites and responding to fake emails from financial institutions or credit services. While the technology behind these attacks is very simple, those who engage in it are incredibly skilled and often able to graft legitimate business logos, names and web designs as part of their criminal activity.
The added danger for businesses comes in the form of a “spear-phishing attack,” which targets a specific set of individuals or groups with something in common. Frequently the common link is a business, financial institution, college, or perhaps a social networking site like Facebook or Twitter. To execute this type of attack, the criminal must gain access to organizational information such as a customer database, which could indicate that the network had been hacked or there was a breach in data control. (And remember that if a criminal is targeting your employees, much of that information is publicly available on your website.)
An organization's response to phishing attacks must include proactive steps to minimize exposure and a response plan in case they or their customers fall victim to an attack. Here are six basic steps organizations should take:
1. Educate employees and customers on your email communication policies and practices. Make it clear what you will and will not ask for via email.
2. Improve or implement stronger authentication schemes, ideally three-factor authentication for online commerce. Protecting your customer and employee user IDs and passwords is paramount in preventing online fraud and unauthorized access to data assets.
3. Identify, review and, if needed, improve controls designed to ensure the confidentiality, integrity and availability of customer data.
4. Ensure that your organization's website certificates are current, and tell customers how to verify them in their web browser.
5. Make it easy for customers to report suspected phishing emails, and monitor those reports.
6. Train employees to recognize customer reports of suspicious emails and report them to security officials.
A business must also establish a cyberattack response team that includes employees from throughout the organization and will be responsible for implementing any response plan. That plan should include:
1. Coordinating customer requests for information.
2. Determining how the organization will communicate with customers and employees.
3. Identifying the phishing site.
4. Determining the appropriate law enforcement agency to contact.
5. Coordinating with vendors that might be impacted.
6. Recovering from the incident.
There are a variety of organizations that can provide additional resources regarding phishing attacks. If you would like more information, go to OnguardOnline.gov; the Federal Trade Commission website, ftc.gov; the website for the Office of the Comptroller of the Currency, OCC.gov; or apwg.org.
Larry Snyder is director of the master of science program in cybersecurity management at Bay Path College, which has a satellite campus in Sturbridge.