Friday, December 7, 2018

Phishing Attacks Dos and Don’ts for Employees


Phishing is a fake email, text or social media message with the intent of having you click on a link or open an attachment. By doing so, the criminals are hoping to get you to change your password so they can access your information, get into your computer to find your financial information, or infect your phone, tablet or smartphone with malicious software allowing them to see everything you do.

Dos

  1. Do ask yourself if the email is from someone you know, or if the subject line is odd or suspect.
  2. Do check email content for spelling and grammar mistakes if you feel the email is suspicious.
  3. Do ask yourself if you were expecting a new document or zip file.
  4. Do delete any suspicious emails from your inbox and then from your deleted folder.
  5. Do verify the legitimacy of requests or sources. Look up the company contact information from which the email, text or call claims to be. Then call the company yourself to verify that the email or text is legitimate. If you suspect a credit card scam, hang up with the caller and dial the toll-free number on the back of your credit card to verify the call.
  6. Do participate in up-to-date security training sessions within the com.
  7. Do scan files, received as attachments, for viruses before opening them. "This can be accomplished by going to the downloads folder, right clicking on the file and then choosing 'scan for viruses'".
  8. Do report phishing scams / any suspicious emails to information security department of your organization.

Don’ts

  1. Don’t open suspicious emails claiming to be from Ceylinco Life, any other financial institution, from your friend or other trustworthy organization if you are not expecting them. Common phishing phrases include “verify your account,” “Dear Valued Customer,” “within the next 48 hours,” “click this link” and “open this attachment.”
  2. Don’t click on a link from an email or open an attachment that you're unfamiliar with or even if it’s from someone you know. If you weren’t expecting grandma to send you an email containing your bank statements, for instance, ask her if she did send you something before opening it.
  3. Don’t click on a link or attachments in suspicious emails with grammar and spelling mistakes. Phishing emails are known to contain spelling mistakes and bad grammar; threats; attachments with incorrect or suspicious filenames or extensions (e.g., .zip, .exe, .vbs, .bin, .com, .pif or .zzx); and links for unexpected e-cards, tracking for unknown packages, pictures or videos.
  4. Don’t click — only hover your mouse over — links in suspicious emails to see the real web address. If it doesn’t match the link typed in the message where the email says it will take you, it could lead you to a malicious website or a malicious file as an attachment, which will spread malicious software on your computer. Even if the links match, it’s better not to click links in emails unless you’re absolutely certain it comes from a reliable source.
  5. Don’t provide any personal information (i.e., login, account information, date of birth, social security number, etc.) via email, phone, text or social messages.
  6. Don’t visit websites that contain pirated information. When browsing websites, don’t visit or download files from suspicious websites. If downloading a file, always download it from the vendor’s or author’s website. This will eliminate the chances of getting pirated software.

Clues to Identify Phishing Scams

There are clues that a message is an attack. Here are the most common ones:

  1. A message asking you to click a link to view a statement (often a bank statement, for example).
  2. A tremendous sense of urgency that demands “immediate action” before something bad happens, like threatening to close an account or send you to jail. The attacker wants to rush you into making a mistake. For example, your bank account has been frozen and you need to click the link immediately to rectify the situation.
  3. Pressuring you to bypass or ignore your policies or procedures at work.
  4. A text message with a link telling you your account has been compromised.
  5. Your refund awaits or there's money waiting for you from a lottery or other source. The fraudster is asking you to visit a fraudulent website, click on an attachment or wire money to receive a cash prize (that never arrives).
  6. A generic salutation like “Dear Customer.” Most companies or friends contacting you know your name.
  7. Requesting highly sensitive information, such as your credit card number, password, or any other information that a legitimate sender should already know.
  8. The message says it comes from an official organization, but has poor grammar or spelling or uses a personal email address like @gmail.com.
  9. The message comes from an official email (such as your boss) but has a Reply-To address going to someone’s personal email account.
  10. A funny joke from what seems like a friend or coworker that conceals a malicious link or attachment.
  11. You receive a message from someone you know, but the tone or wording just does not sound like him or her.

Cybersecurity Dos and Don'ts Your Employees Should Follow


DO:Check Mark

  1. Use care when entering passwords in front of others
  2. Create and maintain strong passwords and change them every 60-90 days (We recommend a combination of lowercase & uppercase letters and special characters)
  3. Change your password immediately if you suspect that it has been compromised
  4. Report suspicious activity to the IT team/CSIRT to help minimize cyber risks
  5. Protect personal computers and devices with anti-virus/anti-malware software when working remotely, and keep it current

DO NOT:

  1. Allow others to use your login ID or password
  2. Use the same password for every applicationX Mark
  3. Store passwords on a piece of paper or other easily accessible document
  4. Open email or attachments if the sender is unknown or suspicious
  5. ​Get caught by phishing attempts, which can occur via email, phone, instant message, SMS or social media
  6. Provide information such as login IDs, passwords, social security numbers, account numbers, etc. via unencrypted email
  7. Leave your laptop or mobile device unattended while in a public place. Lost or stolen equipment, including mobile devices connected to corporate network, should be reported immediately
  8. Keep open files containing personal or confidential information on your desks or in an unlocked file cabinet when away from your office/desk
  9. Install unauthorized programs on your work (or home) computer
  10. Plug in personal devices without permission from IT