Gone are the days when hackers had to find technical flaws in your technology to get what they wanted. Nowadays, simple deception is just as, if not more, critical to hacking as coding. The most common campaign is the phishing scam.
So-called phishing attacks use fraudulent emails (à la the Nigerian Prince story) and other communications to trick users into clicking on links or opening attachments that give criminals access to sensitive or private information. People tend to think of these attacks as targeted at individuals but organizations large and small also fall prey to them every day. The annual costs add up to billions of dollars.
The duty to protect systems, once entirely on IT security experts, is now shared by everyone in the office. But who among your staff is the most vulnerable?
Hackers love targeting CEOs, CFOs, CMOs...anyone with a “chief” in their title. Top-level leaders make decisions based on their access to the most profitable (and sensitive) data. Company bank accounts, sensitive customer information, and a litany of others.
In some circles, gaining access to the C-suite also earns hackers bragging rights with their criminal peers.
One popular method is for a hacker to mimic a website and/or email contact that a C-suiter trusts implicitly. The imitation site or email attachment leads to a malware download that business leaders may take months to even find out about. Alternatively, the same type of scam may eschew malware entirely and instead set its sights on tricking someone into giving up a bank login or PIN code.
Regardless of how much or how little IT support you have, those in the C-suite should never respond directly to sensitive requests. They should first verify the source on another channel or with another employee. Executives should also limit their presence on social media or any other platform that makes it possible for hackers to research their habits.
These employees handle all the day-to-day tasks that keep an office running, which means they have access to lots of company data. And beyond credentials for a wealth of office apps, they’re also screening and transferring calls and setting up appointments all day, which ensures they’re privy to a wealth of personal, private communications.
That’s prime data for putting together misinformation campaigns.
A phishing scam targeting an administrative worker might assume the guise of an executive asking an assistant to open an attachment or forward login information. Lots of these employees prioritize pleasing the boss over following some cybersecurity protocol. But when administrative staffers are hacked, spyware can then observe and record all communication passing through their desktop.
Start by making sure administrative assistants can recognize fishy emails. Then mandate that any time someone requests financial information, they must draft a separate confirmation email and send it directly to the executive asking for it.
If the executive hasn’t asked for any financial information but receives an email with it anyway, you’ll know you’re being targeted. Spam filters should also be standard throughout the department.
Every day, employees in this department receive emails and open attachments from contacts they’ve never corresponded with before, which makes them excellent targets for phishing scams.
A phisher might pose as a job applicant and send attachments claiming to be a resume or supporting documents. Why wouldn’t someone working in HR open that?
Another scary possibility is hackers pretending to be from different departments within the company asking for personnel files.
Automating as many HR processes as possible cuts down on the potential to fall victim to these attacks. Nowadays, employees should be able to sign in to their own user portals to fill out or download whatever company or personnel documents they need. HR automation is worth investing in, but so is mandating that HR employees double-check over the phone that any request made by another department is legitimate.
The truth is, though, that no one is off-limits, and every employee is susceptible to these attacks. While the phishing campaigns described above are among the more common, they are only just the beginning of a very long list.
To learn more layman-friendly cybersecurity advice, download our free eBook: 3 Essential types of cyber security solutions your business must have.