A very popular request from CEOs these days is for an employee to go buy gift cards with their own money and send them the card information. Somebody dropped the ball and the CEO doesn’t have the gift cards needed for their customer visits. Don’t worry, they’ll pay you back by the end of the day. But don’t try calling them because they are going into meetings for the next few hours. They need them urgently though, so please get it done right away.
Hopefully, you felt that was ridiculous as you were reading it. It’s a popular phishing tactic that has been in use for a while now. It seems like it shouldn’t be successful at all, but it is.
In fact, 1 in 3 employees (33%) fall for phishing attacks if they have no training. More concerning, that number goes up in the banking industry (43.5%), the insurance industry (52.3%), and consulting industry (52.2%). You know, all those people that have YOUR information.
These scams arrive in varying forms, by text message or by email. SMS phishing, or “smishing” as it has been named, is one of the top current threats. The message might say that your boss is stuck somewhere out of gas, or in some other dreadful situation where they need your help.
The employee jumps to help, but the real CEO isn’t the one making the request, so at the end of the day, the employee is scammed out of their money.
Why do phishing scams like this work?
Phishing scams work because they are based on social engineering. They are designed to manipulate emotions and get you to act without thinking. Period.
It makes sense. If your boss asked you to do something, wouldn’t you comply? There is fear of not doing what your boss asks. There is a desire not to let them down, and maybe even a wish to be the company hero, with some optimism that it will help your career.
It could be one of those emotions or a mix of several. Either way, it gets the heart feeling instead of the brain thinking, and those emotions mixed with a sense of urgency lead people to skip checking whether the request is valid.
How do you avoid and protect against phishing scams?
Here are 5 key tips to help you and your team identify and avoid phishing scams.
Double Check Unusual Requests
Anything “not usual” is unusual. Maybe your boss asks for an aging report a few times a week. No big deal. If that same request comes from a personal Gmail account instead of the company address, that is unusual. Double-check it. Contact the person through a channel you already trust, such as the phone number in the company directory, not a number or reply address supplied in the message itself, because that would route you straight back to the scammer. Even if the request is legitimate, they will be thankful that you checked.
Get a Second Opinion
Maybe you’re just not sure whether it’s legitimate. Ask somebody else. Get a colleague to take a look at it, or better yet, get your IT partner to inspect it. Not only does this put another set of eyes on it, it also forces you to stop and not take immediate action, which is usually a big part of why the phishing attack works.
Don’t React Emotionally
That immediate action is part of how they reel you in, and the urgency plays on your emotions. Acting without thinking is exactly what they want. Read messages and requests slowly. Pause and read them again, objectively. You’ll likely see through the scam easily if you do.
Your CEO messages you and wants something right now! Hold up! Ask yourself some questions before your emotions run rampant. Do you even know your CEO? Is it somebody that normally requests you to do something? Would they text you and sign their full name? Do you sign your name to text messages? Let alone your full name? See how that request now starts sounding silly once emotions are removed?
Train Your Team
I know, I know. We don’t want another “training course” that we roll our eyes at. But the numbers don’t lie. Remember the figure above where 1 in 3 employees falls for a scam? That 33% error rate drops to under 18% with 90 days of training. That is no insignificant change.
Other stats show that people need training to know what to look for, how to look for it, and what to do when they get a phishing message. But we all tend to forget and get complacent, so the best training is ongoing, whether as a slow continual drip or as periodic lessons. It keeps the topic front of mind and everybody alert.
By the way, these training sessions don’t have to be boring. They can actually be fun if you gamify them and give positive reinforcement.
Check Your Security
Lastly, what does your current email security look like? What filters do you have in place? Maybe they need strengthening. Every malicious email your filter catches is one your employees never have to identify in their inbox, so that particular risk never reaches them.
Of course, filter settings are not one-size-fits-all. What works for your business needs to be analyzed and refined so that it fits you.
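To make the filter idea concrete, here is an added example (not code from the original post) of the kind of check a mail gateway runs for the “CEO on his personal Gmail” pattern described under Double Check Unusual Requests: it parses a raw message, flags an executive’s name in the display name when the address is not on the company domain, flags a Reply-To that points somewhere other than the sender, and looks for the urgency and gift-card wording the post describes. The company domain, executive names, keyword lists and both sample messages are constructed assumptions for the illustration.

```python
"""Heuristic screen for executive-impersonation ("CEO fraud") email.

Added example, not code from the original post. The organisation domain,
the executive names, the keyword lists and the two sample messages are
all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumed: the company's own mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumed: names worth impersonating

# Wording the post describes: pressure to act now, and the gift-card ask.
URGENCY = re.compile(r"\b(urgent(ly)?|right away|asap|immediately|end of (the )?day)\b", re.I)
GIFT_CARD = re.compile(r"\bgift ?cards?\b", re.I)


def _norm(name: str) -> str:
    """Collapse whitespace and case so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _text_body(msg) -> str:
    """Collect the text/plain parts; ignore HTML and attachments."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def screen(raw_message: str) -> dict:
    """Return the impersonation indicators found in one RFC 5322 message
    and a verdict: 'quarantine', 'review' or 'deliver'."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_text_body(msg)}"

    flags = {
        # An executive's name in the display name, but the address is not ours:
        # the "CEO writing from his personal Gmail" pattern.
        "exec_name_external_sender": _norm(from_name) in EXECUTIVES
        and _domain(from_addr) != ORG_DOMAIN,
        # Replies silently redirected to a different domain than the sender's.
        "reply_to_mismatch": bool(reply_addr)
        and _domain(reply_addr) != _domain(from_addr),
        "urgency": bool(URGENCY.search(text)),
        "gift_cards": bool(GIFT_CARD.search(text)),
    }

    if flags["exec_name_external_sender"]:
        verdict = "quarantine"
    elif sum(flags.values()) >= 2:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"flags": flags, "verdict": verdict}


# Constructed sample messages (not real mail).
SCAM = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: Bob <bob@example.com>
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Bob, I need you to pick up some gift cards for a customer visit right away.
I am going into meetings so don't call. Will pay you back by end of day.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: Bob <bob@example.com>
Subject: Aging report
Content-Type: text/plain; charset="utf-8"

Bob, can you send over this week's aging report when you get a chance? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("legit", LEGIT)):
        print(label, screen(sample))
```

The display-name check is the one that matters most here, because the lookalike address is a real mailbox the attacker controls, so sender-authentication checks on your own domain (SPF, DKIM, DMARC) do not catch it; they stop the variant where the From address is forged to be your domain. The keyword lists are deliberately short and will need tuning per business, which is the point made above about filters not being one-size-fits-all.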
If you need any help reviewing your security settings or want training for your team, feel free to reach out for a free consultation. We can run a quick audit and show you exactly where you are strong and where you need improvement. That way you have a to-do list of how to make your business safer – no strings attached.