Data encryption and access controls make it very difficult for hackers to access private data without first stealing the appropriate user credentials or decryption keys. Brute force attempts to break into accounts by guessing passwords can be thwarted by locking an account after a certain number of consecutive failed password attempts.
Since modern security technology does such a good job at protecting data from the technical methods many hackers would use to attempt to access private data, they have consequently moved more of their efforts to social engineering attacks. One way hackers use social engineering tactics at scale is through phishing emails. A phishing email is designed to get its recipient to give up some personal information. It is usually an email disguised to look like it is coming from a legitimate organization, friend, or colleague.
One of the most common methods of phishing involves emails that request the recipient to update account information. These emails are often made to look like they came from the company by using the logos, links, and design of legitimate company emails, but they lead users to send personal information to the hacker. Phishing emails can also attempt to trick the recipient into opening attachments or installing software that lets the hacker see the data on the machine or even take control of the computer remotely.
The most sophisticated attacks could be made to look like a legitimate information request from a coworker or supervisor. Relationship data could be harvested from professional networking sites such as LinkedIn. Then the attacker could send email from a fake email address using the name of one of the recipient’s colleagues. If the recipient is not paying close attention to the domain the email is coming from, they might, in an attempt to be helpful, reply with the private data the hacker is requesting.
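The colleague-impersonation pattern above (a familiar display name on an unfamiliar address or a lookalike domain) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post; the company domain, the colleague directory, and the sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a constructed directory of known colleagues.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {
    "Dana Patel": "dana.patel@example.com",
    "Luis Ortega": "luis.ortega@example.com",
}

def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def looks_like(domain, target, threshold=0.8):
    """True when domain closely resembles target but is not identical (e.g. examp1e.com)."""
    return domain != target and SequenceMatcher(None, domain, target).ratio() >= threshold

def check_sender(raw_message):
    """Return a list of reasons the From/Reply-To headers look like impersonation.
    An empty list means no finding."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []
    # A known colleague's name attached to an address that is not that colleague's.
    if name in DIRECTORY and DIRECTORY[name].lower() != addr.lower():
        reasons.append(f"display name '{name}' does not match directory address {DIRECTORY[name]}")
    # A sender domain that resembles the company's domain without being it.
    if looks_like(from_domain, COMPANY_DOMAIN):
        reasons.append(f"sender domain {from_domain} resembles {COMPANY_DOMAIN}")
    # Replies silently redirected to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_domain}")
    return reasons

# Constructed sample messages: one genuine, one impersonating a colleague.
LEGIT = "From: Dana Patel <dana.patel@example.com>\nSubject: Q3 numbers\n\nAttached.\n"
SPOOFED = ("From: Dana Patel <dana.patel@examp1e.com>\n"
           "Reply-To: dana.patel.finance@mail-relay.invalid\n"
           "Subject: Need the VPN password today\n\nCan you send it over?\n")

if __name__ == "__main__":
    for label, message in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_sender(message) or "no findings")
```

A hit from any of the three checks is a reason to verify the request out of band before sending anything, which is the habit the paragraph above is asking employees to build.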
Phishing attacks against consumers are typically attempting to extract personal information like social security numbers, dates of birth, or banking information that can be used for financial gain. Attacks against an employee at your company could be looking to acquire passwords to shared resources, encryption keys, or information about the company’s security infrastructure the hacker wishes to exploit. For an individual, falling into a phishing trap can be a costly error and a huge inconvenience. If an employee were to let sensitive passwords or secret company information leak, it could do catastrophic damage to the company’s reputation. For example, the Home Depot had more than 100 million of their customers’ credit card numbers stolen and posted for sale online. The method by which these credit cards were stolen appears to be through a phishing attack.
If you or one of the employees at your company falls for a phishing scam and gives up sensitive information, reset the affected passwords immediately and notify the relevant companies involved or the administrators of the app or service that may have been compromised. If the fraudulent email was made to look like it came from another company, it is also good to let them know so they can warn their other customers. You’d want to be notified if your customers were getting phishing emails made to look like they are coming from your company. Failing to protect your customers or employees from phishing attacks can be very damaging to your company’s reputation.
One of the best defenses against phishing emails is to learn to recognize them when you see one. However, phishing attacks aren’t limited to email. They can also come through phone calls, social media messages, or regular mail. Training employees to recognize scams is important. Even more importantly, you must establish good policies in advance about what kinds of information can be shared, and then devise secure methods to share it. Sending passwords or encryption keys through email is incredibly insecure.
If you’re looking for more ways to strengthen the security systems of your organization, check out ASPG’s suite of data security products.