When Something Seems Phishy: Cybersecurity Tips
We all get them, whether at home or at work, through email, text, or our social media accounts. They appear to be from a family member, friend, vendor, or client. They seem innocent enough, asking you to check in on an order, share a photo, verify personal information, or just click a link.
As legitimate as these communications can appear, they aren’t always coming from the source you think. Cyber crooks and hackers have gotten increasingly good at mimicking legitimate emails and texts from companies, acquaintances, and even co-workers. After all, they have a vested interest in getting you or your employees to breach your company’s cybersecurity protections and provide private data or inadvertently download malware, or ransomware, onto your device — and more likely onto your company’s server.
Awareness Is the First Line of Defense
But just because hackers have improved their digital design and writing skills doesn’t mean you are without ways to defend yourself and your company against phishing and hacking attempts. Here are some best practices to share with employees to help keep your company’s data secure.
- Trust, but verify that the sender is who you think it is. With emails, it only takes a few seconds to hover over the sender’s signature block to reveal their email address. Then pause and ask yourself whether the requested action seems legitimate. Would the CEO really reach out to you and ask you to buy e-gift cards, forward sensitive client data to him while on vacation, or wire money as a personal request? If you have any doubts, verify the colleague, vendor, or client’s address or website independently and email your contact at their known address and ask if they sent this to you. For phone calls and texts, especially those requesting urgent action, similarly, verify that the number is legitimate before responding.
- Typos are still a tip-off that something might be phishy. While we all make them, corporate communications go through so many rounds of reviews, that misspellings and numerous grammatical errors are uncommon. Though hackers are getting better at proofing, being as judgmental as your eighth-grade English teacher can save you from a regrettable click-through.
- Have and enforce password policies that align with the latest guidance from the National Institute of Standards and Technology (NIST) and other cybersecurity specialists. Currently, that includes requiring minimum password lengths of at least eight characters. Prioritize length over complexity; longer is better. To do this, encourage employees to use phrases or sentences that are easy to remember. If you can, also incorporate multi-factor authentication. It’s one of the strongest protections your company can use to prevent accounts from being compromised.
- Apply software patches as soon as they come out. Consider presetting employee computers to ensure that those patches update automatically as soon as they are available. Resist relying on the employees to do it themselves.
- Communicate online etiquette to employees clearly and remind them of it often. For instance, many may not realize that they should not be downloading files, such as fonts they may need, or free software, without requesting permission from your IT department first. Better yet, put in firewalls that will prevent them from being able to do so. And should something unfortunate happen, consider if you should share some of the details on a company-wide basis so that everyone is aware of the attempted breach. It helps make the precautions you ask employees to take even more credible.
The best defense for individuals and companies of all sizes is to keep your collective guard up by being hyper-vigilant to suspicious communications. For more on what we do as a company to keep our clients and their data secure, view our Security Policy.
The material in this blog is presented for informational purposes only. The information presented is not investment, legal, tax or compliance advice. Millennium Trust Company performs the duties of a directed custodian, and as such does not offer or sell investments or provide investment, legal, or tax advice.