While the retail giant struggles to recover, it appears some phishers are already set to move in and capitalize on the breach. They’re posing as banks, credit card companies and even PayPal to contact users and try to trick them into revealing account or other sensitive info or downloading a compromised file.
And as IT managers know, these social engineering attacks can be some of the most difficult for users to detect – and the most rewarding for hackers.
What to watch out for
The key to a phishing attack’s success is that technological solutions aren’t always effective at catching them. These attackers prey on users’ behaviors and instincts first and foremost. They’ll do whatever they can to look legitimate in order to manipulate users.
This includes personal appeals that address users by name, researching the target through social media or other information available online, and approaching through any number of vectors (email, Facebook, Twitter, or even phoning a user while pretending to be support or customer service).
And with spearphishing attacks, hackers will go after your most valuable targets – C-level users or those with the most control over data.
Here are five keys to share with users to help protect them and your system from attack.
1. Phishing doesn’t always look spammy
These attacks are generally more carefully crafted than the typical spam message full of garbled English and unbelievable claims. They’ll be designed to look like they’re coming straight from a legitimate company. They may embed corporate logos or send the message from an email account that appears legitimate.
Even users who are savvy at spotting scams could be led astray if the message is crafted well enough. Remind users: They should always question not only whether the message looks legitimate, but also whether it seems legitimate. In other words, why would a company choose to contact you in this way or request information it could easily find itself?
2. It’s (not) coming from inside the house!
Rather than trying to fool users into believing they’re being contacted by a bank or outside service, many phishers will attempt to disguise their message as coming from an account inside your own company – even from the IT department.
If another user from inside the company makes a strange request for data or account info, that should be a serious red flag. Have users check that the credentials are for a current employee and pick up the phone to verify that it’s legitimate.
And remind users that IT will never ask them to send their credentials via email.
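The two checks above (does the sender really belong to the company, and is anyone asking for credentials by email) can also be automated at the mail gateway. The following is an added example, not code from the original article; it assumes a placeholder internal domain of example.com and uses constructed sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own mail domain (placeholder, not from the article).
INTERNAL_DOMAIN = "example.com"

# Constructed samples: a message dressed up as the internal IT department,
# and a genuine internal message.
SPOOFED_IT = """From: "IT Helpdesk" <helpdesk@example-com.net>
Reply-To: it-support@mail-example.co
To: alice@example.com
Subject: Urgent: confirm your credentials

Please reply with your username and password to keep your account active.
"""

GENUINE = """From: "Bob Smith" <bob@example.com>
To: alice@example.com
Subject: Q3 report

Attached is the report we discussed in today's meeting.
"""

CREDENTIAL_WORDS = ("password", "credentials", "username", "verify your account")

def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def looks_like(domain, internal):
    """True if a domain is not the internal one but imitates it (e.g. example-com.net)."""
    base = internal.split(".")[0]
    return domain != internal and base in domain.replace("-", "")

def flag_message(raw, internal=INTERNAL_DOMAIN):
    """Return the reasons a message deserves the 'pick up the phone' treatment."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # A look-alike domain, or an internal-sounding display name on an external address.
    if looks_like(from_dom, internal):
        reasons.append("look-alike sender domain: %s" % from_dom)
    if from_dom != internal and re.search(r"\b(it|helpdesk|support|admin)\b", name, re.I):
        reasons.append("external sender posing as internal support: %r" % name)
    # Replies silently redirected to a domain other than the visible sender's.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From: %s" % reply_dom)
    # IT never asks for credentials by email, so any such request is a red flag.
    if any(w in msg.get_payload().lower() for w in CREDENTIAL_WORDS):
        reasons.append("message asks for credentials")
    return reasons
```

Run `flag_message(SPOOFED_IT)` to see all four reasons fire, while the genuine message returns an empty list.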
3. Beware attachments
Make it a policy that anytime an attachment is sent, users should explain what the file contains and why it’s being sent.
All too often users will see a PDF or .doc file and assume it’s harmless. But these attachments can contain malware that could infect their systems.
By having (and strictly enforcing) data transfer policies, users will eventually become suspicious of attachments by default.
4. Keep systems up-to-date
Unpatched and out-of-date applications give an attack room to succeed if a user does slip up and fall for a phishing message. Keeping your systems updated, and urging users to do the same, could be the best last line of defense against an infected system.
As with all these rules, this goes double for executives or those who have access to the most sensitive data.
5. Don’t trust, do verify
The single rule that will help your users stay safe: Always be suspicious.
There’s nothing wrong with questioning:
- Would this information be harmful if it fell into the wrong hands?
- Is this how an actual company/co-worker/IT pro would ask for this information?
- Was I expecting an attachment?
- Would an attachment really be needed for this message?
- How can I verify that this request is legitimate?
These are the questions that should run through users’ heads any time an unexpected request arrives.