Gone are the days when phishing attempts were easy to identify and limited to only emails. While malicious messages are nothing new, they’re becoming more sophisticated and harder to pick out from legitimate business communications.  They are also coming at us through texts, social media chats and even phone calls.

A few simple actions with one of these messages can develop into a problem that spreads quickly across digital channels and devices, but there are things that you can do to defend against phishing attacks and resources that can help.

Vice President, Corporate Information Security Officer Jamie Neumaier knows a lot about tackling security threats. Jamie manages an information security team that works to ensure the people and systems at Erie Insurance stay as safe as possible. He answered questions about phishing scams targeting businesses and offered some useful security tips.

What is Phishing?

Phishing is malicious activity in which criminals try to gain access to user’s information, data, or devices. The goal is to get you to act without taking a moment to think, and when you do, the phishers may:

• Gain access to data and information, which they can exploit.
• Install malware on your system.
• Prompt you to reveal your personal financial information for purposes of stealing money or your identity.
• Access your email and send other malicious messages to your contacts, to exploit others.

Are Businesses Especially Vulnerable to Phishing Scams?

Yes. With more work being conducted digitally, businesses of all sizes are susceptible to attacks. Attackers also assume that small businesses do not spend a lot of money or effort on their security measures making them a potentially easier target.

Phishers can easily find your contact information online and be reasonably confident that any message they send you will be at the very least opened because you’re in a business of being responsive. The phishing messages have also grown in sophistication, so it’s easy to be convinced to visit a malicious website or download an infected file that comes in a message that looks legitimate.  If they happen to be the type of phisher to give you a call, they can be very convincing in having you follow their detailed instructions in providing them your valuable information or installing their malware.

How do You Spot a Phishing Attack?

Phishing messages that are poorly written, offer you large amounts of money or ask you for financial assistance have been common for a long time. Most of us know not to open, click or respond to these messages. As mentioned above, phishing attempts aren’t limited to emails either. Hackers now use phone numbers like your mobile number to call you and attempt to have you reveal sensitive information. They may send you text messages as well.

More recently, phishing messages are being designed to look like other emails that you might receive. They may appear to be from someone you trust like a bank, friend, software provider, retailer or vendor, but usually, the timing of the messages is unexpected.

For instance, one common technique is for a hacker to gain access to an email account through a phishing attempt, then access the account and reply to a real email conversation with a malicious link. So, when the recipient receives this email, it looks like a continuation of an earlier conversation, but it asks the recipient to download a document or enter their credentials.

How Can Phishing Attacks be Prevented?

In the course of day-to-day business between you, your employees, customers, and other consumers in general, know what you’re working on. If you receive a message, phone call or email that is unexpected or seems even just a little bit off, verify the validity of the message before taking action. Call the person who appears to have the message and ask if he or she sent it. If the answer is no, it’s a malicious message.

Other Things You Can Do:

1. Enable multi-factor authentication (MFA) services on as many things as you can, such as your email.  If you happen to fall for one of the phishers’ tricks, having this additional layer of protection significantly helps reduce their chances of taking over your email or other targeted account
2. Keep your software and devices up to date. The latest updates for Microsoft Office products, operating systems, third-party applications, such as Adobe Reader and smartphone operating systems contain patches that protect against the latest security issues.
3. Hover your cursor over a link in an email to show the URL. If it looks suspicious, don’t click on it.
4. Use a modern endpoint protection software on your devices. They’re often provided by common and well-known security brands such as McAfee and Norton. Microsoft also offers endpoint protection for Windows and other applications.  
5. Always back up your data, so that you can get back to business as quickly as possible should you fall victim to an attack. Test your backup processes periodically to ensure they are working as expected.
6. Educate your employees on good cybersecurity practices likehow to identify phishing attempts and spam messages. According to the World Economic Forum, up to 95% of cybersecurity issues can be traced to human error – so employee education is important.
7. Look at the extension on Microsoft Word attachments. Most users have updated their Microsoft products so that Word documents end with .docx. If you see the antiquated .doc extension, question it.

Also, be aware that if you’re hit with an attack, you may not know immediately, and the first indication may be that your customers receive an unexpected message from you. Unfortunately, a customer calling to verify something you sent (but didn’t intend to) could be when you know you’ve been affected.

If customers call asking if a message is legitimate, and after you confirm whether you sent that email, offer them the same advice you use in your own business operations.

• Did the customer expect to get that email?
• Does the link or URL direct to a legitimate, expected website address?
• Does it ask them to open a suspicious document that they didn’t expect?
• Does it ask them for the user ID and password threatening to take away or disable their access?

Answering those questions can help you both determine whether the message is safe.

Phishing is continuously changing and evolving as perpetrators adopt new techniques and forms, so it’s essential to have a good security plan in place and watch out for emerging attacks to help protect your business. A well-trained team that knows how to spot a suspicious message can also be a great defense against phishing attacks by enabling them to respond to an attack instead of just reacting with a quick action.

The Right Protection for Your Business

Contact a trusted insurance advisor like an ERIE agent to learn about some of the smart and affordable ways to protect your business. For instance, Cyber Suite from ERIE1 can help you overcome an incident in which your customers’ or employees’ nonpublic, personal information is compromised and you have to notify them of the breach. It may be purchased and added to a business insurance policy. 

1Cyber Suite is only available to Customers with an ErieSecure Business® policy. Cyber Suite coverage and associated services reinsured under an arrangement with the Hartford Steam Boiler (Home Office: Hartford, Connecticut). © 2021 The Hartford Steam Boiler Inspection and Insurance Company (“HSB”). All rights reserved. This document is intended for informational purposes only and does not modify or invalidate any of the terms or conditions of the policy and endorsements. For specific terms and conditions, please refer to the coverage form. Coverage not available in New York.