Save your Architecture and Engineering (AEC) Firm from Falling Victim to Scams. 3 Steps to Avoid Getting “Hooked”
When I talk to people about phishing scams, I often get the person who likes to make a funny remark:
“Fishing?! That sounds great. Trout, salmon, catfish…”
Everyone in the room laughs at that point. Fishing does sound great: sitting on a boat in the middle of a lake or river, without a worry in the world. The idea of baiting and catching something, then throwing it back into the water is fantastic!
Unless you’re the one being “fished.”
So what is “phishing,” and why should we care that it exists?
How to Define Phishing
According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” (<https://en.wikipedia.org/wiki/Phishing>.)
I define phishing as getting baited into providing personal information or even transferring money based on communication that you believe is entirely trustworthy.
Examples of this may include an email from “the bank” asking for a username, password, and EIN. Another email from a seemingly trusted source may ask you to click on a link, which in turn infects your organization’s systems with a virus. Or, in more extreme but not rare cases, an email that appears to come from the CEO may urgently instruct your accounts payable person to transfer a sum of money to an offshore bank account to complete a deal.
Avoid Over-Confidence When It Comes to Scams and Phishing
You may be thinking that this sounds unfortunate, but you’re satisfied with the fact that your company has never fallen victim to such a scam.
I’d like to say that’s great. It means you are doing something right in protecting yourself and your company.
However, many others are not as lucky as you are.
According to industry research, over 90 percent of SMBs fell victim to a phishing attack last year, which is up over 18% from 2015. According to a Verizon study, 30% of all phishing messages were opened in 2016, and 12% of recipients went on to click through to the link. Any marketing genius would be envious of these results.
You probably think that you are too aware and too smart to fall for this. Many people believe that.
But the numbers tell a different story.
In the 2014 edition of the same Verizon study, over 23% of people opened the emails, and 11% went on to click on the link. That’s an 8% increase in two years (for those of us counting), and it can be attributed to the increased sophistication of the attacks. Furthermore, the outlook for the next two years is even bleaker for the “good guys,” as the trend suggests a similar growth pattern of 7-8%.
Protecting Yourself and Your Business
Hopefully, these numbers get your attention, and you’re ready to take the necessary actions to protect yourself – even if you think you couldn’t possibly be a victim.
There are many different options out there, but I feel that the three below will provide the most significant benefit to get started.
- Employee Education. You can never underestimate the benefit of education, as long as your people get the proper knowledge and can apply it in the real world. Conducting regularly scheduled training sessions, such as monthly lunch-and-learns, is a great way to get your users engaged and aware. Go over the latest threats in the news and break down a few examples of emails to “watch out for.” Invite your IT provider to put the conversation into context and provide more expertise.
- Advanced Threat Protection for email. Most businesses have anti-spam solutions to stop viruses delivered as email attachments. But that’s not enough to prevent phishing. A sophisticated phishing or other “social engineering” attack is specifically designed to look and feel like it originates from a trusted and legitimate source. This tricks us humans, and most anti-spam engines out there as well. There are only a few products that offer adequate protection against these scams. Talk to your IT provider to find out more.
- Advanced URL filtering. If the email does get through to your inbox, and you do click on the link, advanced URL filtering will block your connection attempt, and this saves your bacon. The truth is that 99% of phishing sites stay up less than 24 hours, with new websites spun up and spun down on the internet at a rate of 600,000 an hour. Advanced URL filtering offers real-time learning and updating capabilities to keep pace. Again, only a few products provide this functionality, so talk to your IT provider to get more details.
It’s a mistake to think you’re too smart or too equipped to fall victim to scammers and phishing. Even if you’ve never had a problem before, dishonest people are becoming more sophisticated in how they target individuals and companies. You need to prepare, and you need to get educated. Clicking on one wrong link can cost your business more than you want to imagine.
Talk to your IT provider if you need help and have questions.