Give Your Employees the Training They Need to Stop Phishing Attacks
As manufacturers become more reliant on technology, cybercriminals are stepping up their attacks and gaining access to data and operations through phishing. This form of attack tricks employees into opening email attachments or clicking links that open your front door to critical information.
All it takes is one employee to enable a cybercriminal to gain access to a corporate network for sensitive data or deliver ransomware that can shut down your operations. That’s why it’s essential to teach all employees the basics of phishing schemes and how to guard against them.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing. During the first quarter of 2023, the online security firm Vade detected 562.4 million phishing emails, 284.8 million more than in the previous quarter.
According to Malwarebytes, cyberattacks against the food and agriculture sector increased by 607% in 2020. Last year, the U.S. cybersecurity company Dragos identified the food and beverage sector as the most heavily attacked sector after manufacturing.
Phishing is a form of social engineering that comes in various forms, such as a seemingly harmless link to a cat video or a fake email from a company’s CEO. Social engineering recognizes that it’s often easier to take advantage of a person’s natural trust than it is to find and exploit a technical glitch.
The damage from these attacks can be massive, such as the ransomware attack in 2021 on JBS that paralyzed the company’s operations and forced it to pay an $11 million ransom.
The typical attacks and tools include:
- Enticing or alarming email subject lines
- Fake email addresses that appear to be from a legitimate and trusted source
- Emails from impersonated brands that consumers trust
- Links placed in the body of an email or embedded in an attachment
- Attachments that sneak through filters and deliver malware and ransomware
- Webpages that impersonate trusted brands
Email and Social Media
Phishing uses email or social media to trick people into providing confidential data like passwords and banking information. Many phishing messages appear legitimate at first glance, which can lead your employees to click links or open attachments, exposing you and them to data theft.
Many phishing emails convey a sense of urgency that something terrible will happen if employees don’t respond immediately. It could be that their password will soon expire, or there’s a problem with their upcoming paycheck or insurance claim.
Phishing emails can appear to come from a legitimate vendor or networking site, such as Microsoft Office 365 or LinkedIn. For example, an employee might receive an email about a new connection or job opportunity on LinkedIn. The email will have all the appearances of a LinkedIn communication, but its link will instead steal their login credentials and give the attacker access to their contacts. Employees should be trained to read such notifications only by logging in to the social media site itself, never through the emailed link.
No one is immune to these techniques, including HR and accounting departments. Hackers, for example, might target accounting contacts with invoices or wire-transfer requests from fake vendors. Upon seeing a new hire announcement, they might contact the new employee asking for personal data to complete their payroll setup.
HR staff might receive requests for employee data from someone posing as a coworker. Other employees may receive fake emails that appear to be from the targeted executives with urgent requests to assist with wire transfers, direct deposit information, or gift card purchases.
Other phishing scams can involve fake emails with an attachment from a coworker who is sending a file for review. Once the attachment is opened, malware can be loaded into your company’s network.
Manufacturers can be especially vulnerable when their information technology isn’t segmented between the business side, which includes tools like email and accounting applications, and the operational side that automates and controls processing systems. Most attacks originate on the business side and then spread to operations.
These are just a few of the most popular business-related phishing schemes out there. There are many other types of suspicious emails, including an offer of help you didn’t ask for, offers too good to be true, and requests from friends who need money because of a disaster. During the pandemic, many hackers sent emails offering updates on infection rates and access to vaccines.
Know the Signs
So how can you and your employees avoid falling victim to these phishing scams? First, slow down. Don’t immediately respond. Regard any email that urges you to click a link or download an attachment with extreme suspicion.
Look for clues as to whether the email is legitimate. Does the email address make sense? If the email says it’s from your CEO, but it has a Gmail address, chances are it’s fake. Hover your mouse over any links in the email. Does the displayed address match the destination address? If not, it’s probably phishing.
Double-check the spelling of the link or email address. Sometimes an extra letter is added, or the domain extension is cut off, in the hope that you won’t notice. Likewise, look carefully at the email’s spelling, grammar, and format. Does it have a generic opening such as Dear Customer? Are there errors in the text? Missing spaces? All of these should raise suspicion.
If you recognize the sender’s name but are still suspicious, check directly with that person or organization. Call them or open a new email and contact them directly. Never reply to the suspicious message. And beware of any requests for money.
Know your company’s policy on communications. Whether the request is for a credit card payment, gift card purchase, or wire transfer, always check directly with the person who supposedly sent the message. Legitimate requests will typically not ask you to provide personal information, including your login credentials, by email.
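The sender, urgency and link checks described above can also be run automatically as a first-pass triage of a suspicious message. The following is an added example, not code from the original article or from Intertek Alchemy: it parses a constructed sample email with Python's standard library and reports the red flags it finds. The trusted-domain and free-webmail lists, the keyword patterns and the single-part HTML body are assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a "CEO" mail from free webmail whose visible link shows the real site.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Subject: URGENT: wire transfer needed today
Content-Type: text/html

<html><body>Approve here:
<a href="https://example-food.com/login">https://example-foods.com/login</a></body></html>
"""

TRUSTED_DOMAINS = {"example-foods.com", "linkedin.com"}   # constructed allow-list
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def _host(s):
    """Lower-cased hostname of a URL or bare domain; '' if s is not one."""
    h = (urlparse(s.strip() if "://" in s else "//" + s.strip()).hostname or "").lower()
    return h if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", h) else ""

def _one_edit_away(a, b):
    """True if a != b but one substitution, insertion or deletion maps a onto b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def phishing_indicators(raw):
    """Return the red flags found in one raw, single-part email (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sender_dom = addr.rpartition("@")[2].lower()
    flags = []
    if sender_dom in FREEMAIL and re.search(r"\b(ceo|cfo|hr|payroll)\b", name, re.I):
        flags.append("executive title in display name but free webmail sender address")
    if any(_one_edit_away(sender_dom, t) for t in TRUSTED_DOMAINS):
        flags.append(f"sender domain {sender_dom} is one letter away from a trusted domain")
    if re.search(r"\b(urgent|immediately|wire transfer|gift card)\b", msg["Subject"] or "", re.I):
        flags.append("urgency or payment language in subject")
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        shown, real = _host(text), _host(href)
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        if any(_one_edit_away(real, t) for t in TRUSTED_DOMAINS):
            flags.append(f"link destination {real} is one letter away from a trusted domain")
    return flags
```

Running `phishing_indicators(SAMPLE)` reports four flags for the constructed message; a message from a trusted domain whose link text and destination agree produces none.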
Phishing attacks through email and social media can cost your company millions of dollars and put your employees and customers at risk. You can protect your company’s bottom line and reputation by teaching your employees the basic defenses. Intertek Alchemy offers training to teach your employees the basics of online security. Contact us to learn more.