Once again, it is that time of year when sugar plums are in our heads, and we've likely had too much eggnog, because the scammers are starting to check all their stockings with care as they plan to put them over our collective heads. Hardly the Christmas spirit, but today I was reminded yet again of how creative these scammers are becoming as yet another scam has hit the market - this one pretending to be a note from UPS telling us our package was not delivered.
Given that these scams are increasingly taking us, and our users, to phony websites - the purpose of which is to install malware on our PCs - it is likely time to send out a notice to employees. This notice should once again remind them that the Web is a hostile place and that if they are shopping or clicking on things without thinking, they may become famous at work (I'm thinking of this Bridgestone commercial), and not in a good way, as the malware spreads across the company and their address book, ID/password, credit card or identity starts being used for things it was never intended for.
As we enter this holiday season, there are a few things employees should be reminded of again.
Passwords and IDs
No one should ever ask for an employee's password or ID, either on the Web or over the phone, if they are the one contacting you. If you are contacting them, they may need your ID to identify you, but they will never need your password. Whether it is an external service or an internal site, administrators have ways to get to the data without using the user's identity. Giving out a password under any circumstances is stupid, and folks should be reminded that they may be held accountable for what happens with their ID and password, and that it may be really hard to determine afterward who is really at fault.
So an inbound call or email asking for the ID should be a clear indicator that this is likely an attack, and IT should be alerted.
Who Should Be Alerted
Every year I'm told of attacks that come into a company, hitting hundreds of employees before one screws up and provides the critical information. This happens because the smart people who aren't tricked don't report the attack, so IT never gets the chance to proactively protect against it. The most painful case was several years ago, when an external attacker got hold of the internal email list and mailed a notification to all but the executive employees saying that the firm was being sold and they needed to provide their banking information in order to receive their future direct-deposit paychecks. It looked official, and clearly some of the employees knew the company wasn't being sold, yet no one flagged it to IT until well after thousands of identities had been stolen and the sites set up in Eastern Europe to capture the information had been taken offline. It could have been far worse.
If an employee sees a suspicious email that appears to come from some internal organization, they need to know whom to report it to, and that group needs to check each report quickly to make sure any phishing attack is mitigated before it can reach critical mass.
Validate Sender and Authority
Phishing attacks work because people are made to believe the attacker is someone they trust. Whenever a call or an email is received in which someone is asking questions about confidential information, the person at the other end should be verified. The easiest way is to call them back at a number listed in the internal directory or an internal address book. If the information is extremely confidential, there is a slim chance that even those resources are compromised; when in doubt, and certainly if the call is unusual, the request comes over email, or you don't personally recognize the voice at the other end of the line, suggest that the requester go through management. The odds that the CEO or another high-level executive would call a first-line employee directly are slim, and such a request should likely come through the chain of command anyway.
Given the proliferation of phishing attacks, extra care should be taken to make sure the person making the request is authorized to receive the information, and it is often management who can best determine both whether the caller is real and whether he or she is actually authorized to get access.
Wrapping Up: Get the Sugar Plums Out of Their Heads
Our first line of defense is our employees, and while it may seem a little too much like Scrooge to remind them to keep their heads in the game this holiday season, that reminder is, unfortunately, also what may make them safer both at work and at home. It may also be worth reminding employees that their parents (AARP alert) and kids are likely to be targeted this holiday season as well, and to have a chat with both groups.
In short, the more people there are prepared for an attack, the more likely these attacks will fail and the safer we all will be. Here's hoping you and yours have a safe holiday season!