Phishing attacks are as common as ever. IT teams, especially in regulated industries, are struggling to contain them, but it's hard to make sure employees are doing everything they can to prevent a security breach. Your users aren't inherently as cautious as you, which is why you sit at the desk surrounded by dozens of computers and piles of computer cables and they don't.
But let's say your users are cautious and heed your warnings about not opening suspicious emails on work laptops. You've trained them and they all seem to understand the risks at hand, but the problem that is often overlooked is that data security extends beyond the walls and internal network of your business.
So, why is this IT's problem? It's hard enough keeping the business infrastructure secure, but making sure that your employees are keeping themselves safe off campus is beyond your job requirements. Fair enough, but consider that it doesn't hurt to provide training to employees on how they can protect their personal data. If your users' personal information is compromised, it's just one more step for hackers to infiltrate your business networks.
Below are 5 failed phishing attacks targeted towards me, my friends and my family. I have family and friends who have fallen for them and had their information used against them. The point is, you shouldn't be communicating with strangers in a way that exposes you.
1. The Friendly Facebook Connect Message
This scenario goes beyond Facebook and could happen on almost any social network. Last year, someone who claimed to have attended grade school with me reached out asking to connect.
The message below seemed friendly enough.
First off, it is a little weird since I do remember this person. Chances are highly likely that this person is who they say they are, but that doesn't mean I know who they are now. He could be a cybercriminal for all I know. Maybe that is pushing it, but the point is I don't know and that is an advantageous tool for a hacker.
What's worse is that Facebook would allow this connection to happen at all, but that's the nature of social media. There is a lot that happens that is out of your control, but what you can control is not responding to a message like this unless you absolutely want to reconnect. And if you do, make sure you confirm some information that only you and that individual would know about.
2. The Unexpected Call from that Person You Can't Remember
A few nights ago, I received a phone call from someone who claimed they were an old friend from my college and that they had my number in their phone. The first thing I asked was, "What's your name?" They responded with a name that I didn't know or didn't remember. I don't have the greatest memory, so it could very well have been who this person was saying they were. Unfortunately for them, I read a lot about how data breaches and phishing attacks work. I didn't respond or confirm I was who they thought. I gave them a fake name and explained that I never went to that school.
I searched for the name on Facebook. Even though they attended my college when I was there, I didn't know them. I may not be good with names, but faces I do remember. Let's just say I blocked the number and I will not be reaching out to connect with this person to get a coffee. But this event got me thinking.
I assume this person who called me was phishing for information on me. Even confirming with them that I was who they thought was the first step in breaching not only my personal data, but possibly even my work. Most people use the same password to access their personal email as they do to access their work (I do not), so you can see how this can lead to a security issue for your business as well.
3. The Fake Credit Bureau That Asked for My Social
This one is probably the most popular for hackers. If a business calls you asking for your social security, then do yourself a favor and hang up. And if they call again, block their number. I can't even count how many times I've been called by a number I don't know to hear someone on the other end telling me I can drop my interest rates on my credit card.
I know a few legit companies that call and ask for your social security to confirm your identity, and they are doing a serious disservice to data security. Honestly, it should be a federal crime if it isn't already. Just to rub it in, make sure you tell them that when they do call you.
Even if it is a company you do business with, tell them that you will call them back with the number you are familiar with and then go through the confirmation process. It's always safer for you to call them than for them to call you. It's actually a bit offensive that businesses haven't figured this one out yet.
4. The Free Trip to Disney World
It makes me shudder that I even need to put this one on this list, because everyone who has half a brain should know nothing good ever came from an offer for a free trip to Disney World. But common sense is not so common these days. Also for the record, I've been to Disneyland and unless you have children under 10, I would make someone pay me to go.
However, the calls keep coming in so I assume some poor shmuck is falling for this. I hope it isn't one of your employees because they probably have 50 Nigerian princes partying on your network on a daily basis.
These offers for trips to Orlando are fraudulent attempts to steal your information and even get your credit card information. These days, they should teach kids in kindergarten not to do this (heck, make it preschool), because if your kid ends up picking up your phone they might have different plans for the family vacation next month.
5. Your Mom Just Gave Your Information to a Cybercriminal
Sorry, but there isn't a single aspect of your personal life that isn't game for a cybercriminal. The worst part of it is you could do everything right to protect yourself and your closest friends and relatives could give up your information. Nothing bothers me more than this one, because you can't control it.
Help your family understand phishing scams so they can protect themselves, and you in the process. It only takes one piece of personal or financial information to access your accounts and maybe even your business.
I go as far as to tell everyone I know that if they call asking about me, then you don't know me. I'd rather dodge 50 innocent questions about myself than give up one piece of information to a hacker.
This is the World We Live In
It's scary to think about, but it's not so far-fetched. It just takes a short conversation with a fraudster for them to get what they need. Public records can help identify places where you have lived and people you know. When someone has just one tidbit from your past, your defenses can get lowered.
I will be the first to admit that I could have made (and may in the future make) a mistake that exposes my personal information. Be on guard and remain skeptical and your bank account and even your business will thank you.