IT Trends Archives - Page 6 of 6 - Montra Technologies

Phishing in the Workplace: 3 Attacks and 3 Ways to Protect Yourself

About the time most people learn how to spell phishing, they realize that it is an email-based social engineering tactic to get access to a user’s account or financial information. It probably won’t come as a surprise that phishing is now fairly common on LinkedIn and Text.

No matter whether it is email, LinkedIn, or text, the tactics the scammers use are consistent. Here are three of the most common tactics being used by scammers today:

1. Fake Messages from the “Boss”

This is a particularly insidious and effective tactic. A message is sent via email/text/LinkedIn to the user with an urgent request to contact them from the CEO, CFO, or other high-ranking employees at the company. The scammer typically uses more targeted language in the messages that applies to the business to make the attack more effective. This is typically called a spear-phishing attack because of its more targeted nature.

2. Fake Tech Support Messages

Some phishers try to mimic the IT support staff rather than an executive to get people to engage. The focus of this type of attack is to get the target to give up their credentials to important company accounts. The attacks usually start with something like “Important Alert: Your Account Has Been Hacked”. The user will then be instructed to click on a link to reset their password and/or give up other important information. The links will always go to fake sites that will not match the company name or name of the software that has been supposed hacked.

3. Fake Contact Requests

This is used most often on social platforms like LinkedIn, but it is seen on email and text also. When a fake LinkedIn request comes via email, the link embedded in the email will go to a nefarious site that can load malware or ask for login information. We are often excited to receive a request that might lead to new business, so these attacks are particularly effective on sales and finance staff.

These are just a few examples, and it is important to know that the types of phishing attacks and the format by which employees are targeted in the workplace continue to expand. Regardless, there are some basic tactics that apply across email, text or LinkedIn. Here are three ways to keep yourself from getting “social engineered” by one of these attacks:

1. Look at the Sender Information

Whether in email, text, or LinkedIn, the sender’s information will look wrong. Most sending info will have the right name with the incorrect email like:

Boss Lady <badactor234@gmail.com>

In the case of LinkedIn, you need to look at their profile picture, name, and work history. The picture will typically be pulled from publicly available photos and the work history will be very limited.

2. Look for Poor Grammar and Terminology

While the sophistication of attacks continues to improve, it is difficult to completely mimic a message from a boss, customer, or colleague. If the fake sender is using the term “customer” when you know the real sender always says “client”, you should be concerned.

“Hey, send me your phone number. I have some important work for you”

Also, if they send an email to ask for your phone number, you need to think whether that fits with how they would really interact with you. Once they ask for your phone number, and they text you rather than call you then it is 100% a scam.

3. Reach out Separately or Just Don’t Respond

In most workplace phishing attacks, you have alternate ways to communicate with the supposed sender. If you are concerned, reach out to them by a different method – phone call or Slack – and see if that is really them. If you do not have another way to verify the information, and you are not certain if it is legitimate then ‘do nothing’ is not a bad option.

“John, I just received a strange email message that is supposedly from you. Did you just send me something?”

If the scammer is trying to create a false sense of urgency for the boss or a customer, this is difficult to do. Just remember, though, if it is really an emergency – even in today’s world – they will call you. If it is a social network connection request, just login to the service separately and view the request there rather than clicking the email link.

There is a lot more your company can do to help including using email filters and text blockers on company accounts and providing cybersecurity training on an annual basis. In fact, for many companies, these actions are required for them to follow industry cybersecurity regulations. If you aren’t certain what tools are available to you, reach out to your company’s IT staff or service provider. They will be happy to help you stay safe!

CMMC Compliance Infographic

CMMC & Cloud Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness. CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and work through implementing the needed security standards can make the process much easier and the likelihood of the success of the program much higher. Click to download our infographic to learn more.

Download Infographic

5 Reasons Why Employee Information Management is Hard

1. HR, Finance and IT All keep their own Databases

Employee information is kept by many groups within a company. It starts with information gathered by HR during the recruiting and hiring process. Finance also maintains employee information for payroll or equity information, and IT keeps employee information for user credentials for email, single sign-on (SSO), employee notifications, and other core IT services. These groups all maintain their employee information for different reasons and in different systems.

Most of the information, though, is redundant and often incomplete. This quickly leads to a drift in information accuracy as the information in the systems are inevitably not maintained in the same way and same time.

2. The data is sensitive to store and access

Employee information is inherently sensitive and private, whether it is medical, financial, phone numbers, personal email, or home address. Employees expect a certain level of privacy in the way their information is handled by their employer. If the data is not stored and shared properly, this can lead to an unhappy employee at best and a legal and financial issue at worst.

3. No Single Group Owns Employee Information

Like a lot of information of other types within a company, no one completely “owns” employee information. HR is the logical owner of a lot of employee information, but IT is usually information security so it owns employee credentials to all or most systems and applications within the company. Similarly, finance also maintains sensitive stock ownership information that logically belongs with them. This creates complexity in how and where employee data is maintained. Mobile numbers and personal emails, for instance, are typically stored in every system that asks for employee information. When conflicts inevitably arise, which data is correct?

4. Employee information changes rapidly

Every time an employee moves, changes banks, changes their personal email, works on a new customer, gains a new certification or skill – their information changes. As employees come and go from a company, their information needs to be added and removed also. The number of small changes per employee and across all employees adds up quickly and different systems get of out sync rapidly. Traditional approaches create multiple portals or web forms for “Change of Address”, “Bank Change”, “Password change” – employees get overwhelmed with too many places to update the same information and usually only update what is easy and necessary.

5. Regulations and compliance are tough to navigate

There are a number of other regulations that govern employee data including the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act, the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA). Most people think of General Data Privacy Regulation (GDPR) and California Consumer Privacy Act (CCPA) are privacy regulations for consumer data but they apply to employee data also. There are also regulations covering employee data privacy that are in the law-making process in state governments across the U.S. Tracking these regulations and implementing the information systems that follow the regulations puts tremendous pressure on updating all the disparate systems and services used by a company.

What to do?

Companies need to declare an owner of the employee information repository and the rules for which groups have access to what parts of the repository data. This reduces the cost complexity of maintaining the information and can enable the ROI of applications that are important but hard to justify – such as an employee mass notification system.

Technically, implementing a hybrid integration layer (HIL) that consolidates data and applies dynamic transformations and security policies provides the basic infrastructure needed to put the company policies and processes into operation. An effective implementation includes connectors to all the systems used by HR, IT, finance, and any other group using the employee information. It also should provide the capability for employees to review and update their own information, while also enabling others within the company to securely and privately access data to enable better collaboration and information sharing across the company.