In the old days, “hackers” would hang out in bars across the street from the plant or office at quitting time and make friends with the workers, slowly learning and eventually stealing business secrets. Although this tactic may still work, these days the hackers are hanging out in their bedrooms and (with less time invested in the process) are making off with bigger rewards by stealing security credentials and unlocking a treasure trove of financial and health information.
Consider the following data breaches, all caused by phishing techniques:
- Target — 70,000,000 customers, security credentials stolen from HVAC vendor
- eBay — 145,000,000 records, login credentials obtained from employees
- Sony — 47,000 records, fake Apple ID verification emails
- Anthem — 80,000,000 records, credentials stolen from five different technical employees
- Excellus — 10,500,000 records, hackers gained unauthorized administrative access
- Office of Personnel Management — 21,500,000 records, security credentials stolen from contractor
But it’s not just the big guys that are falling prey. Smaller organizations including Seton Healthcare Family, St Vincent Medical Group, and Partners Healthcare have all been victims of similar phishing scams.
In other cases, known as “CEO fraud,” hackers send company emails to employees ostensibly from someone in the C-suite asking for information or authorizing a wire transfer.
Phishing techniques come in various forms (e.g., false links inside emails or advertising), but they always appear to be trustworthy. According to the Anti-Phishing Working Group, phishers are able to convince up to five percent of recipients to respond, but it only takes one employee clicking on the wrong link to give away the keys to the kingdom.
Here are some tips that an organization can provide its employees to make them more aware of phishing and other hacking techniques, and of how to promptly report them:
- Do not open attachments or click on links from unknown sources.
- Even when a link comes from a known source, hover your mouse over it before clicking to verify the site it actually leads to.
- Look closely at and verify the email address of a known person (help desk, HR, etc.) requesting personal or security information. Better yet, call the person to verify the request.
- Never provide security or account credentials to anyone.
- Do not open or reply to spam emails, even to unsubscribe, as this will give the sender confirmation they have reached a live address.
- If you think something is suspicious, it probably is. Report it.
- Do not click on a link in an email from what appears to be your bank or financial institution. Rather, type the address in yourself or use the browser link you normally use.
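The "hover over the link to verify where it really goes" check from the tips above can also be applied automatically to incoming mail. The following is an added example, not the column's own code or tooling; the sample message body and the example-bank.com / attacker.example hosts in it are constructed placeholders.

```python
# Added example, not the column's own code: flag <a> links whose visible text names a
# domain other than the host the href actually points to (the "hover to verify" check).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; example-bank.com and attacker.example are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Please <a href="http://www.example-bank.com.attacker.example/verify">verify your
account at https://www.example-bank.com</a> within 24 hours.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p>Or <a href="https://support.example-bank.com/contact">contact support</a>.</p>
"""

# Something that looks like a hostname (optionally with a scheme) in the visible text.
_DOMAINISH = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def find_mismatched_links(html: str) -> list:
    """Return (visible_text, href) pairs whose displayed domain and real host differ."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        m = _DOMAINISH.search(text)
        if not m:
            continue  # plain words such as "contact support": nothing to compare
        shown = m.group(1).lower()
        # urlparse only recognises the host when a scheme is present; assume http:// if absent.
        real = (urlparse(href if "://" in href else "http://" + href).hostname or "").lower()
        # The same host, or a subdomain of the displayed host, is consistent.
        if real != shown and not real.endswith("." + shown):
            suspicious.append((text, href))
    return suspicious
```

Run over the constructed message, only the first link is reported: its text shows www.example-bank.com while the href lands on a host under attacker.example.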
Organizations can do more to protect their information by:
- Establishing an email address for reporting suspicious emails.
- Following up on such reports by alerting the workforce.
- Implementing anti-spam software to stop suspicious emails from reaching employees.
- Installing and keeping current anti-virus software to help detect and disable malicious software.
- Using screen savers to reinforce messaging related to phishing scams.
- Implementing social engineering tests to identify untrained or susceptible employees, including senior management.
- Installing firewalls and maintaining them with the latest security patches.
- Monitoring activity for unusual volume or access patterns.
As in sports and war, the victorious are the ones with the strongest defenses.
Mary A. Chaput, MBA, HCISPP, CIPP/US, CIPM, is CFO and chief compliance officer at Clearwater Compliance in Nashville, Tennessee.