A common characteristic of phishing scams is urgency: the recipient is told that a deadline is about to expire or a task needs to be completed immediately. Phishing scammers targeting people at work, for example, will often look up the name of the recipient’s boss and send an email posing as the boss to instruct the employee to take the desired action. The goal is to use these pressure tactics to get the employee to rush instead of taking time to verify that the email is legitimate.
What is Vishing?
A portmanteau of “voice” and “phishing,” vishing is the practice of calling someone and using social engineering (that is, deceiving and manipulating people into divulging confidential information) to get unauthorized access. Phone-based scams are nothing new, but scammers have more tools in their arsenal now than ever before, including using voice over IP (VoIP) technology to place hundreds of calls at once and “spoofing” the caller ID to pose as a friend, colleague, or family member.
Vishing scams may directly ask for usernames and passwords to access secure systems or acquire data such as social security numbers or dates of birth that can likewise be used for unauthorized access. A vishing scammer might offer to “help” someone install software that turns out to be malware or pose as an employee of a service provider looking into a “compromised” account.
What is Smishing?
This is another portmanteau: SMS (Short Message Service, or texting) and phishing. Smishing scams use text messages that claim to be from a legitimate sender in order to, again, get people to turn over sensitive information, usually by convincing them to tap a malware-laden link or open an attachment. These scams can be particularly dangerous because users may be more inclined to trust a text message than an email.
All three of these types of attacks are potentially more dangerous now than ever because of the remote work environment. It’s obviously easy to verify a colleague’s identity in a face-to-face conversation. However, with so much business being conducted by email, phone call, or text message, the door is open for employees to be scammed out of information that can hurt both themselves and their employers.
Preventing Phishing in the Workplace
As with all cybersecurity risks, implementing software solutions is important, but not the entire story. IT professionals can guard against phishing attacks by ensuring that their business email system is configured to send phishing emails to spam folders (and making sure employees use their employee email addresses instead of personal emails to conduct business). Web browsers can also be configured to block suspicious websites, which is essential if someone does click on a phishing link.
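As an added illustration of the kind of mail-filtering check described above (example code written for this article, not a product’s or the college’s own tooling), the following Python script flags the boss-impersonation and urgency patterns from the phishing section: a display name that matches a known executive on an address that is not theirs, a Reply-To that steers replies to another domain, and pressure phrasing in the subject or body. The executive directory, the domains, and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of staff likely to be impersonated (hypothetical).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Pressure phrases of the kind the article describes.
URGENCY_TERMS = ("immediately", "urgent", "right away", "deadline", "asap")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_message(raw: str) -> dict:
    """Score one raw RFC 5322 message for boss-impersonation and urgency cues."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    findings = []
    # 1. Display name belongs to a known executive but the address does not
    #    (catches free-mail senders and look-alike domains alike).
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")
    # 2. Replies are steered to a domain other than the one the sender claims.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to mismatch")
    # 3. Two or more pressure phrases in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency language")
    verdict = "quarantine" if len(findings) >= 2 else "review" if findings else "deliver"
    return {"verdict": verdict, "findings": findings, "urgency_terms": hits}

# Constructed sample messages (not real mail); note the look-alike domain.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: <jane.doe.ceo@freemail.example.net>
Subject: Urgent: need this done immediately

I'm in a meeting. Process this right away, the deadline is today.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Planning notes

Attached are the notes from today's session. No rush.
"""
```

A single finding routes the message for review rather than the spam folder, so a legitimate but hurried executive email is delayed, not lost.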
However, phishing and other communication fraud scams depend on social engineering, not just flawed technology, so maintaining good phishing awareness in the workplace is critical. In other words, employees need to be taught how to prevent phishing. For instance, don't click on links in emails or open attachments without first confirming that the email is from a legitimate sender who intended to send the link — and treat text messages the same way. Likewise, never install a smartphone app from a link in a text message; if it’s a legitimate app, it can be found in the app store.
Exercising caution and slowing down to verify in the face of an “urgent” phone call or text is critical. It’s important to set expectations, too, with statements like “we will never ask for your password over the phone (so if someone does, it’s not us).”
Building Resilient Security Against Communication Fraud
Finally, it’s important for a cybersecurity professional to configure the overall IT structure to mitigate damage in the event of a successful phishing scam. Requiring that different passwords be used for different systems, for example, ensures that a phisher who obtains one password can’t access every system.
Likewise, organizations can maintain different levels of access: one for regular employees, another for power users, and a third only for high-level executives and system administrators. Restricting access to the most critical information to only a handful of people reduces the likelihood that a phishing attack will reach that information.
Phishing Prevention is a Critical Part of the Cybersecurity Field
Phishing in the workplace is just one example of why it’s so important to have knowledgeable people in the cybersecurity field. Trained IT professionals don’t just configure the technical precautions and protections needed to protect passwords and secure valuable information. They can also teach organizations and colleagues how to prevent phishing and provide guidance on best practices to avoid fraudulent attacks that can have far-reaching professional and personal consequences.
If you’re ready to take your first step toward the front lines of cybersecurity, this is your opportunity. Learn more about earning your cybersecurity degree online at Utica College.