Phishing, whaling and spear phishing are attempts by hackers to steal sensitive and personal information to gain access to your business or personal accounts. Because phishing accounts for 90% of data breaches, Sam Card, Cards Technology founder and CEO, discusses what you can do to protect yourself and your business from these hacking attempts.
Q. What are phishing attacks and how can they impact the security of your business data?
Sam Card: Phishing attacks are social engineering attempts designed to steal user data like passwords and user names. Firewalls and antivirus software typically are successful at stopping hackers from getting into your network, so hackers have come up with an easier way to get this information – phishing emails. The emails are disguised to look like they are from a trustworthy source, so users can be tricked into giving out sensitive information such as passwords and even credit card numbers.
Once hackers have this information, they can impersonate you, which is where the main security impact is. Acting as you, the hackers send out emails to your contacts asking for more information to access even more online accounts. You might not know for months that you’ve been hacked, as hackers often sit tight for a period of time after stealing credentials before exploiting your stolen information.
Q. Are Office 365 users targeted by attackers?
Sam Card: It’s not that Office 365 users are being targeted per se. Because the use of Office 365 is so widespread, hackers disguise their phishing attempts to look like they are coming from SharePoint, Teams or Outlook, for example. Since most people recognize messages and notifications coming from Office 365, they are more likely to trust and act upon them.
Q. What type of data could a hacker gain access to if they obtain your credentials?
Sam Card: When a hacker has access to your email account, for example, they can figure out a lot – where you do your banking, where your company stores its files, what your Facebook account is. With this information, hackers can easily get access to more private information like names and addresses of your customers and other data about your business that is commonly used to aid in identity theft schemes.
Q. What steps can your business take to prevent these types of attacks?
Sam Card: One of the best defenses is to have proper data governance policies in place. Part of this system is a data loss prevention and retention policy to identify where data should be stored and how long it should be retained (or not). Policies can be set up to prohibit users from saving information in the wrong location or accessing data they aren’t permitted to access. More importantly, data governance policies can trigger alerts if specified types of data are used inappropriately or shared outside of your company.
Cybersecurity awareness training is the other essential piece to protecting your business information as human error is currently the weakest link in cybersecurity. Employees must be trained to recognize phishing attempts and then be tested regularly to continually train them on how to deal with them. Even after awareness training, people typically still click on a phishing email because they can look very convincing. Business leaders should make sure employees feel safe and understand that they must report it to the IT department if they click on a phishing email. If no report is made, the hacker has a much-improved chance of not being caught and realizing high levels of success with their attack.
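As an added example that is not from the interview or from Cards Technology, here is a minimal version of the data governance alert described above: a check that raises an alert when a message carrying a payment card number is addressed outside the company. It assumes the business's mail domain is example.com and runs over constructed sample messages; only the last four digits of a match are recorded.

```python
import re

# Assumption: the business's own mail domain (anything else counts as external)
INTERNAL_DOMAIN = "example.com"

# Constructed sample outbound messages (not real mail); 4111 1111 1111 1111 is a
# well-known test card number that passes the Luhn check
SAMPLE_MESSAGES = [
    {"to": "alice@example.com", "body": "Invoice attached, card on file ends 1111."},
    {"to": "buyer@partner.test", "body": "Use card 4111 1111 1111 1111 exp 12/29."},
    {"to": "bob@example.com", "body": "Card 4111 1111 1111 1111 for the travel booking."},
]

# 13 to 19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card-like numbers found in text, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the recipient's domain is not the company's own domain."""
    return address.rsplit("@", 1)[-1].lower() != internal_domain.lower()


def evaluate(messages, internal_domain=INTERNAL_DOMAIN):
    """Policy: alert on card numbers sent to an external recipient."""
    alerts = []
    for idx, msg in enumerate(messages):
        cards = find_card_numbers(msg["body"])
        if cards and is_external(msg["to"], internal_domain):
            alerts.append({"message": idx, "to": msg["to"],
                           "matches": [c[-4:] for c in cards]})  # last four digits only
    return alerts
```

A real DLP product adds many more sensitive-information types and lets you choose between blocking, notifying the sender and alerting IT; the point here is that the rule combines what the data is with where it is going.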