Don’t get tricked into compromising your data
We would all like to think that we could never be fooled by an email scammer, but these cybercriminals are as sophisticated as they’ve ever been, and their scams compromise sensitive data in volume. Here are a few of the ways these attackers try to gain access to your data — and what you can do to avoid them.
Sophisticated email phishing
Everyone has heard of the low-sophistication letters from foreign princes in search of a temporary home for their fortunes, but most people underestimate how far these scams have come. Many scammers can send convincing imitations of normal emails from colleagues or friends, asking for sensitive information in language natural enough to pass the “uncanny valley” test. These emails are also often highly targeted at specific people within an organization — and written in such a way that the recipient might reply without a second thought.
In 2016, a scammer posed as Snapchat CEO Evan Spiegel and convinced an employee to reveal sensitive employee data.1 It took four hours — a lifetime in the cybersecurity world — for Snapchat to recognize the attack. To ensure something like this never happened again, the company beefed up security protocols and employee cybersecurity training.
The most important thing to remember when opening or replying to emails is to always remain skeptical of any sender who is requesting sensitive or private information. If you’re doubtful, make a quick phone call or send a text and double-check through that separate channel. If it’s a bogus email, immediately report it to your IT department so they can warn others and respond.
Sketchy links and attachments
This is where it really starts to get tricky. Because colleagues regularly share documents and links, it may seem counterproductive to be skeptical of these emails. However, any unexpected document sent without prior planning should be examined closely.
Last year, several people fell victim to the Google Doc scam when a seemingly innocuous link was sent to emails everywhere. Scammers were able to gain control of emails and lock people out. Take a moment and think about how many other accounts you have that send password reset instructions to your email. One click can compromise you in ways that are unimaginable.
To protect your employees, this is where it really pays off to have a naming convention for internal files, so employees can tell at a glance whether a file is legitimate. The same goes for link-sharing. You should never click on a link whose full URL isn’t visible in the email, and never click on a link in an email you weren’t anticipating.
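The “full URL must be visible” rule above can be checked mechanically before a link is ever clicked. The following is an added example, not code from the article, that parses the HTML body of a message and flags two kinds of anchors: ones whose visible text is itself a URL but points somewhere other than the real `href` (the classic display-text mismatch), and ones whose text is not a URL at all (“Click here”). The sample message and the `.test` hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). The first anchor shows a
# Google Docs URL but points elsewhere; the second hides its destination
# behind "Click here"; the third shows the same URL it links to.
SAMPLE_EMAIL = """<p>Hi, please review the shared doc:</p>
<a href="http://account-reset.example.test/login">https://docs.google.com/document/d/abc</a>
<a href="http://tracker.example.test/x">Click here</a>
<a href="https://intranet.example.test/policy.pdf">https://intranet.example.test/policy.pdf</a>
"""

# Rough test for "does this visible text look like a URL?" (scheme, www., or host.tld/...)
_URL_LIKE = re.compile(r"^(?:[a-z]+://|www\.|[\w.-]+\.[a-z]{2,}(?:/|$))", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'host/path' text gets a scheme so urlparse works."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html_body):
    """Return a list of (href, visible_text, reason) for links that hide their destination."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not href:
            continue
        if _URL_LIKE.match(text):
            # Visible text is a URL: it must point at the same host as the real link.
            if _host(text) != _host(href):
                findings.append((href, text, "visible URL differs from real destination"))
        else:
            # Visible text is not a URL at all, so the reader cannot see where it goes.
            findings.append((href, text, "link text is not the full URL"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run as a script it prints two findings for the constructed sample and nothing for the third link, whose visible text and `href` agree. Comparing hostnames rather than whole strings is deliberate: tracking parameters and path differences are common in legitimate mail, but a visible URL on one host that actually resolves to another is exactly the trick the text warns about.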
Personal emails at work
Email scammers can sometimes use the personal email accounts of your friends and colleagues as a means to access work data, and you might not think twice about a college buddy or your mom sending you a link to something funny on the internet. But these emails frequently trick users by appealing to emotions; the most convincing among them obtain private information by claiming to be protecting it.
The easiest rule to apply in this situation is, of course, to keep work and personal email separate: don’t open personal messages at work. Again, such emails should not only be deleted but reported to IT if you think you’ve received one or were convinced to click on a link in one.
Access through personal devices
Employees are using personal mobile devices in the workplace more now than ever before, and IT departments need to be aware of the ways in which each of these devices is vulnerable. But the most vulnerable device is the human mind, and these scammers can use apps like GIF keyboards and other innocuous-looking applications to gain access to private data.
One effective workaround for this is to require employees to access their internal data through a virtual private network (VPN) app in order to ensure the security of their private information. What matters is ensuring that employees cannot directly access internal data on unsecured networks through their personal devices.
Remind your employees that they’re vulnerable to these kinds of scams early and often, as no spam filter works as effectively as a keen set of human eyes and sharp reasoning skills. When in doubt, there’s nothing wrong with giving someone a call or text to make sure they’re intending to send documents. And if you get fooled, don’t be embarrassed — just report the incident to your IT department as soon as possible.