When it comes to not opening emails that are clearly spam, most business leaders think, “Come on, of course my staff wouldn’t dream of opening those.”
Hang on. You may not be aware of a new kind of phishing email: this new breed looks as if it’s been sent from someone you know, over a system you use often! It doesn’t matter who you are or how proficient you are when it comes to your business’s data security; hackers can and will still target you. In fact, our very own Anna Murray, President of tmg-e*media, inc. and Owner of e*media, received one of the most recent of these phishing scam emails just a few weeks ago.
The email was sent by a client – or that’s what it looked like. It was a shared Google Doc link. Of course, as the President of an IT and cybersecurity firm, Anna left the link unclicked. We had already been made aware of the recent Google Doc phishing scam. However, that doesn’t mean that everyone else has! And, even if you have heard of the scam, it’s easy to be caught off guard and fall victim to an attack like this – that’s what makes it so tricky.
The messages hackers are sending out look identical to a genuine Google Doc shared link. The plugins that hackers use are intended to replicate the shared link, and the link leads you to a legitimate Google Doc sign-in page with all your current documents listed. However, once the link is opened, it asks you to allow “Google Docs” to have access to your account and information. Of course, “Google Docs” sounds like the real deal, but it is a malicious look-alike. For this phishing scam, it’s important that you go into your Google account and revoke any access that was given to “Google Docs.” You can do this through your Google Drive folder and settings.
The point that you must take away from this isn’t that you’re “bad” at cybersecurity or that you were foolish for clicking on the link (or, conversely, that you’re somehow superior for avoiding the temptation to open a phishing email). Instead, focus on the fact that these phishing attempts and data breaches are happening every day, in small ways and large. Your business could easily be put at risk by an employee who clicked without thinking. Human error is, in fact, one of the biggest cybersecurity risks that a business faces.
I want to reiterate that these attacks will continue – on small and large scales alike. We recently released a memo to our clients, and I wanted to share an excerpt here:
What you need to know going forward:
• The attacks will continue. For that matter, they will increase in frequency and sophistication.
• No matter how tight our cybersecurity controls may be, the fact is that the malware propagates from “inside the house” through user action, making it very difficult to detect and contain in time.
• You need to be aware of the method the attackers use, and always follow this advice:
    • Never click a link embedded in an email. It can be disguised to read one way, while it sends you to a totally different place. It is best to type the link yourself in the browser.
    • Never open an attachment unless you can first verify the sender and were expecting an attachment.
    • Always be critical of an email message. Does the language read well (grammar and syntax)? Would the sender send you such an email, or make such a request? Does it “sound” like the person you know? If in doubt, stop. Take no action. Call the sender on the phone and confirm.
    • Never install software from a website, even if it asks you to. Stop, and call IT.
    • Avoid surfing to non-reputable sites. Sites with “free movies” or “free music,” etc., are called user honey pots. They are there to attract you, steal your data, and infect your computer, even without you taking any action, just by being there (these are called “drive-by” infections).
    • Always keep a recent backup of your data.
Remember: Cybersecurity is our common responsibility. Think before you click!