Phishing expeditions, in which hackers trick people into revealing confidential information or into introducing a virus onto their computers, are on the rise. As a result, firms should develop and maintain a robust cybersecurity program to deal with the ever-increasing threat of cyberattacks. Hackers are becoming more sophisticated in their use of phishing scams. Below is a description of a few types of phishing attacks and some suggested protocols that can aid in preventing cyberattacks.
- Phishing – Rather than trying to break through a computer's defenses, phishing tricks someone into clicking a malicious link in an email that appears to be legitimate. Phishing emails may include logos to make them appear legitimate. Once the malicious link is clicked, the employee's computer, and potentially the firm's network, may be infected with a virus.
- Whaling – The goal of whaling is to use social engineering, such as email or content spoofing, to trick someone into disclosing personal or corporate information. The attacker may send the target an email that has been highly customized or personalized so that it appears to be from a trusted source. The email may include a branding button that appears to be safe; once it is clicked, however, it reveals an error message and a virus is deposited on the computer.
- Spear Phishing – Spear phishing uses emails to target specific individuals and trick them into revealing confidential information. The attacker will likely have some familiarity with the target and will use personal information in the email message so that it appears to be legitimate.
Firms can take a number of steps to prevent cyberattacks, beginning with training. Phishing emails can be identified by checking the content of emails. If an email contains misspelled words, asks for confidential information, or asks the recipient to open a link or attachment, employees should be informed that it might be a phishing email. If the content of the email does not appear to be something that would normally come from the sender, that may be another indication that the email is a phishing email. In addition, the URL can be checked to help determine whether the email is from a legitimate source. Further, employees should be instructed not to click on links or attachments if an email appears to be illegitimate.
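The content and URL checks described above, as an added example that is not part of the original article: a small Python script that parses a raw email, flags requests for confidential information, compares each link's real destination against the sender's domain and against the text the link displays, and notes attachments. Both sample messages, their addresses, domains and links are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample messages; every address, domain and link is a placeholder.
SUSPECT_EMAIL = """From: IT Support <helpdesk@examplebank.com>
To: employee@examplebank.com
Subject: Urgent: verify your password
Content-Type: text/html

<p>Please confirm your username and password within 24 hours.</p>
<p><a href="http://examplebank.com-login.example.net/verify">https://examplebank.com/portal</a></p>
"""

CLEAN_EMAIL = """From: Payroll <payroll@examplebank.com>
To: employee@examplebank.com
Subject: March newsletter
Content-Type: text/html

<p>The newsletter is posted at <a href="https://examplebank.com/news">https://examplebank.com/news</a>.</p>
"""

CONFIDENTIAL_WORDS = ("password", "username", "account number", "social security")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def in_domain(host, domain):
    # True if host is the sender's domain itself or a subdomain of it
    return bool(domain) and (host == domain or host.endswith("." + domain))

def phishing_indicators(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    found = []
    # Content check: does the message ask for confidential information?
    if any(w in body.lower() for w in CONFIDENTIAL_WORDS):
        found.append("asks for confidential information")
    # URL check: the real destination vs. the sender's domain and the displayed text
    for href, shown in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if not in_domain(host, sender_domain):
            found.append(f"link goes to {host!r}, outside sender domain {sender_domain!r}")
        shown_host = urlparse(re.sub(r"<[^>]+>", "", shown).strip()).hostname
        if shown_host and shown_host.lower() != host:
            found.append(f"link text shows {shown_host!r} but points to {host!r}")
    # Attachment check: any MIME part delivered as an attachment
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        found.append("carries an attachment")
    return found
```

Run `phishing_indicators(SUSPECT_EMAIL)` to see the three indicators the sample triggers; the clean sample returns an empty list.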
Phishing simulations can be sent to employees in an effort to train them to identify phishing scams. There are a number of vendors that offer phishing simulations which allow you to track the employees who click on potentially malicious links. To further enhance cybersecurity, firms can also set up two-factor authentication, which requires a form of identification in addition to a username and password when accessing various systems.
Contact us for assistance in creating a cybersecurity policy, which is now an exam priority for most state regulators, FINRA and the SEC, or if you would like some guidance regarding cybersecurity.
Source: Compliance Protocols for Dealing with Current Cybercrimes by Craig Watanabe, a Sr. Compliance Consultant with Core Compliance & Legal Services, Inc.