
Email phishing scams used to be considerably easier to spot, from bad misspellings to generic titles. However, in recent years, these emails have become more frequent and more difficult to recognize, from a login request that appears to be from one of your online accounts to a spoofed invoice attachment sent from a client’s email address.
The increased sophistication of phishing can lead to compromised bank accounts, public relations nightmares, large fines, and having to notify your clients that their data may have been compromised by your company.
The good news is that there are small steps you can take right now to reduce your risk, and larger operational efforts that will give you long-term peace of mind. Here are the most important ones, which Mainstay Technologies recently shared with its clients in response to an increase in new phishing scam attempts.
- Get started on a risk assessment and a written information security program, which outlines internal and external factors your company must address to protect systems and secure data. It’s an in-depth picture of your online and offline systems with the goal of identifying where your cyber vulnerabilities lie and how to correct them. Many compliance rules, such as HIPAA, require a risk assessment to be performed annually.
- Enable two-factor authentication on every device and account that stores personal information.
- Never reuse passwords, unless you want to give a master key to the cybercriminals who purchase and sell databases on the dark web.
- Don’t click on links in emails. Navigate to the website by typing in the URL instead. It may take a small amount of extra time, but it protects you and your employees from getting tricked by a sophisticated email scammer with skills to make suspicious emails look normal. More than 91 percent of breaches start with email, and the best practices of yesterday simply don’t work anymore.
- Have custom cybersecurity policies for your organization, and train employees to follow them.
- Be skeptical of everything. It doesn’t matter if the caller sounds legitimate, or the email looks like it was sent from your assistant or generated by Dropbox.
- Never enter login credentials unless you’re completely sure you know what system you’re connected to, especially when being asked to do so via email.
- Always use complex passwords that include a variation of numbers, symbols and caps.
- Never pay an unexpected invoice or wire funds based on email verification. Always confirm with voice or in-person verification. If an email address is compromised, the hacker can easily reply to an email confirmation or request for clarifications.
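The advice above to type URLs rather than click them exists because a link's visible text and its real destination can disagree. The following added example (written for this page, not Mainstay Technologies' code) shows the kind of check a mail gateway or help desk can run over an HTML message body: it collects every link, then flags three patterns a phishing email commonly uses: visible text that names one domain while the link goes to another, a link that points at a bare IP address, and a `user@host` URL whose real host is the part after the `@`. The email body, the domain names and the reason strings are all constructed for the example; the domain comparison is a deliberately crude last-two-labels heuristic rather than a public-suffix lookup.

```python
"""Flag links in an HTML email whose visible text disagrees with where they point.

Constructed example for this page; not the code of any product or vendor.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL (https://host/... or www.host).
# Heuristic: bare words such as "here.Thanks" are not treated as hostnames.
SHOWN_HOST_RE = re.compile(r"(?:https?://|\bwww\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample message: one honest link and three deceptive ones.
EMAIL_HTML = """
<p>Your shared file is ready.</p>
<p><a href="http://dropbox.example-login.net/auth">https://www.dropbox.com/share</a></p>
<p><a href="https://www.dropbox.com/help">Help center</a></p>
<p><a href="http://198.51.100.7/invoice.pdf">View invoice</a></p>
<p><a href="https://www.dropbox.com@notreal.example/login">Sign in</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels.

    A real deployment would consult the public suffix list (co.uk etc.).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, visible_text, reason) for each link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. are out of scope here
        host = parsed.hostname or ""
        if "@" in parsed.netloc:
            # Browsers treat everything before '@' as userinfo, not the host.
            findings.append((href, text, "user@host in URL: real host is " + host))
            continue
        if is_ip(host):
            findings.append((href, text, "link points at a bare IP address"))
            continue
        shown = SHOWN_HOST_RE.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append((href, text, "visible text says %s but link goes to %s"
                             % (shown.group(1), host)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(EMAIL_HTML):
        print("%-45s %-32s %s" % (href, repr(text), reason))
```

The "Help center" link survives because its visible text names no host, so there is nothing to contradict; the check is meant to catch deception, not to block every link. Treat a hit as a reason to apply the page's advice (navigate by typing the address yourself, or confirm out of band), not as proof of compromise.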
Scheduling a risk assessment is listed first above because it’s difficult to reduce your risk if you don’t know where the issues are in the first place. In today’s world, a dedicated cybersecurity resource is the best way to protect your data from the new scams designed to outsmart even the savviest of users. For more information, see mstech.com/cybersecurity.