Phishing scams have been prevalent for a while, but since the SVB crash, they’ve been on the rise. Threat actors are looking to cash in on the misfortune and prey on the lack of awareness around cybersecurity threats and the sensitivity of the situation.
Every company, regardless of size, is a target for threat actors. At Hill Country Tech Guys, we received an email from a well-known company asking us to update our account information ASAP due to the SVB crash. The message included several ways we could make payments with them directly.
The problem is our company doesn’t do business with this company. HCTG requires our employees to complete frequent phishing training and simulated phishing attacks to ensure our workforce spots potential threats quickly and responds appropriately. In this instance, that training worked precisely as intended.
Phishing is something every business should be taking very seriously right now.
Tips to spot phishing scams
Some phishing scams are apparent and easy to catch, but they’re evolving with technology and becoming a more significant threat.
- Always ensure you know the sender – If you get an email from someone asking you to grant access to something or update your payment or personal information, ensure you know the sender.
- Check for obvious typos and misspellings – typos and misspellings are a key indicator that you’re dealing with fraud. Yes, typos often happen in legitimate copy too. Look at company names, sender addresses, and body text. You are likely to find these in poor phishing attempts. Check the logo to ensure it’s the current company logo. If the logo looks wrong, go check the company’s website. Threat actors will search the web, download a logo, and paste it into emails to look legit. Sometimes they accidentally use an old one.
- Be sure the sender address is correct – threat actors often create email addresses that look very similar to the real thing. This is how they make you feel safe. Sometimes they change just one letter or character to fool you.
- Ask – if you get an email from Laura in HR (if you haven’t seen her Instagram, you’re missing out) asking you to update your banking information, and you know that banking info is generally updated in your employee portal or at the employee’s request, this should raise a red flag. The easiest way to verify this is to reach out directly to Laura and ask. Please note this does not mean replying to the email. Walk over or pick up the phone and call to verify they truly sent you that message.
What to do if you suspect you’ve become a victim of phishing
- Report it! Most companies have a system for their employees to report suspicious emails. If your company does not have this, report the message as spam to your email provider and speak with your management team about finding a solution to keep your company safer.
- Investigate what was compromised and the potential impact of the incident. It’s important to know quickly what was accessed or potentially stolen. If you’re accountable for any regulatory compliance requirements, you must inform the relevant agencies of the incident, as it is considered a breach.
- Use your business continuity plan. BCPs are response plans for something that impacts your ability to carry out business, like natural disasters and cybersecurity incidents. Make these plans in advance. Employees should know what is expected of them during this process and how to carry out their duties.
- Turn on MFA for everything. Multifactor authentication is another step in the login process that requires the user to prove their identity. There are different types of MFA. Some devices allow fingerprints and facial scans, some send a code to a designated phone or email, and some use an authenticator app that auto-generates codes that expire every 60 seconds.
How to train employees on phishing scams and other cyber-threats
Training employees to spot phishing scams and other cyber threats is a must. Your IT team should be able to provide you with the best solutions for cyber awareness training. Some companies provide premade training modules and assessments at a per-user cost. If you use an MSP, ask them about finding the right solution for training your workforce. Call Hill Country Tech Guys today if you need a good MSP or want to know more about phishing scams and cybersecurity training.