How to Teach Your Employees to Recognize Hacker Scams by Art Gross
Data assets fetch big dollars, whether they're used for identity theft or tax fraud. Rather than operate in stealth mode to break into hardened security systems, hackers deploy cyber scams, then sit back and wait for employees to inadvertently hand over the keys to the company network and give them unfettered access.
A small-business owner with a tech-savvy team assumes, "My employees would never do that." Unfortunately, employees continue to fall for phishing scams, phone scams and Wi-Fi hacking. According to CompTIA, a nonprofit group in the IT industry, an estimated 52 percent of data breaches are due to employee error.
Here are some ways you can train your employees to avoid being tricked by cyber criminals and recognize hacker scams.
Phishing scams are attempts by hackers to gain access to a company's network or personally identifiable information (PII), or to distribute a virus throughout its systems. They come in the form of fraudulent emails that trick users into installing software that contains a virus, which lets hackers spy on employees and steal IDs and passwords.
To spot a phishing scam, tell your employees to first check the email for spelling mistakes or generic language, such as "Dear Customer." They should be wary of threats, such as "You must act now or your account will be disabled." These emails ask for confidential information, including passwords and credit card details. If the user receives an email with a suspicious link, such as a link to a banking website, hover over the link; if the destination it shows is a different domain from the one the link text claims, it is a phishing scam.
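The "hover over the link" check above can also be automated on the email body itself, which is useful for a mail gateway or a training tool that grades sample emails. The script below is an added example and is not code from the article or its author; it assumes the email is available as HTML, treats a link as suspicious when the domain shown in its visible text differs from the domain in its href, and uses a constructed sample email. The two-label "registered domain" helper is a deliberate simplification; production code would consult the public suffix list.

```python
"""Flag anchors whose visible text names one domain but whose href points to
another: the manual "hover over the link" check, automated.

Assumptions (not from the article): the email body is HTML; a link is
suspicious when the domain shown in its text differs from its href host.
The sample email at the bottom is constructed for this demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a domain or URL inside the link text.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registered_domain(host):
    """Collapse a host to its last two labels, e.g. 'online.bank.example' ->
    'bank.example'.  Simplification: real code should use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a list of (href, shown_text, verdict) for every link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        actual = registered_domain(urlparse(href).hostname or "")
        match = DOMAIN_RE.search(text)
        shown = registered_domain(match.group(1)) if match else None
        if shown is None:
            # "Click here" style text: nothing to compare, the reader must hover.
            verdict = "no domain in link text; hover to verify"
        elif shown == actual:
            verdict = "ok"
        else:
            verdict = f"MISMATCH: text says {shown}, link goes to {actual}"
        results.append((href, text, verdict))
    return results


def suspicious_links(html):
    """Only the links whose displayed domain and real destination disagree."""
    return [r for r in check_links(html) if r[2].startswith("MISMATCH")]


# Constructed sample of a phishing-style HTML email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be disabled. You must act now.</p>
<p>Sign in at <a href="http://secure-login.example.net/verify">www.bank.example.com/login</a></p>
<p>Or <a href="http://secure-login.example.net/verify">click here</a>.</p>
<p>Help: <a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:55} text={text!r} href={href}")
```

Running it on the sample reports one mismatch (the text claims bank.example.com but the href goes to example.net), one "click here" link that gives no domain to compare, and one consistent help link. The "no domain" verdict matters: a link with neutral text is not proof of phishing, but it is exactly the case where the employee has to hover and read the real destination.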
Phone scams are another way criminals steal PII and sensitive data. A criminal calls an employee, impersonates a member of the internal IT support team and asks for user accounts and passwords "to update the computer." Or someone impersonating a representative from a software company such as Microsoft informs an employee that she has a virus and offers to help her fix it. Microsoft will rarely call to notify users of a virus. Ask the caller to prove their identity and they will most likely hang up.
The latest method of gaining access to confidential information is through Wi-Fi hacking. Free, unsecured Wi-Fi hotspots are found in public places like coffee shops and airports, and are a favorite data access point for hackers. They set up their own Wi-Fi hotspots, wait for an employee's computer to connect to them and capture log-in information.
Whenever possible, make sure your employees are connected to a secured, private Wi-Fi network. Users can download virtual private network (VPN) software that will encrypt the data even if they connect to a fake Wi-Fi hotspot. Never do online banking or share sensitive information when using free public Wi-Fi; assume someone is watching your every move.
Bring Your Own Device (BYOD)
It's common practice for employees to use their own devices to transfer data from their office desktops to their mobile devices and leave the office with confidential information. An employee falls prey to a thief who steals his tablet and breaks into his email, which has multiple spreadsheet attachments containing PII. Lost or stolen portable media is a leading cause of data breaches.
Your company should implement a BYOD policy that outlines safeguards for each device. Employees who store data on their mobile devices should be required to:
- Encrypt files that contain sensitive data
- Install remote wipe capabilities (for use if the device is lost or stolen)
- Install secure email and/or texting applications
Criminals are using social networks to gain access to accounts and personal information. Once a criminal convinces a Facebook or Twitter user to hand over their account information, they can use it to send a spear phishing email to the person's friends and followers. (This is a fake email that appears to be from a friend and is very hard to spot because it comes from a trusted source.)
For example, if a user tells Facebook friends he is heading to Aruba and staying at a specific hotel chain, a criminal posing as a hotel registration clerk could put together a spear phishing email to the user's friends that looks like it is coming from that hotel. That increases the chance that the recipient opens the email and downloads the virus. One way to stop spear phishing is to minimize the amount of information shared on social networks.
Don't assume employees know about these risks. Without formal awareness programs, employees are likely to make the same mistakes made by so many in other companies. At the very least, hand them a one-page factsheet on the most egregious risks for a cyberattack and how to prevent them. Security awareness is as important as any other employee training required by a small business.