Imagine that your company has put the most robust IT security system and Incident Response Plan (IRP) in place. You’ve even gone the extra mile and purchased a Cyber Liability Insurance Policy. It’s perfect, your company is safe and all is right in the world. Cyber criminals can’t get in and your data is locked down.
Now, imagine one of your employees receives an email from a “trusted” cloud-based web application asking for a password update. They think it seems legitimate because your company asks them to update passwords regularly. The employee clicks the link and instead of actually updating their password, they just handed it to a cyber criminal who masterfully created a replica of your provider’s communications.
This is called clone phishing and believe it or not, it happens almost daily. Clone phishing occurs when a cyber criminal copies a communication and sends it from a spoofed email that is almost identical to the real one. The email can ask for things like passwords or even contain links to malicious sites.
3 best practices for preventing the “oops” moment
The program or system the cyber criminal gains access to doesn’t have to be your bank account to do major damage. Something as trivial as access to an email account could allow someone to put together the details needed to access all of your online accounts. So how do you stop it? Educate your employees. It’s time to get them into the practice of questioning data-seeking emails.
Here are three best practices they can use:
- Verify links. See a link in an email? Don’t click it until you’ve hovered over it and identified where it will be sending you.
- Verify the sender. Sure, it says it’s coming from the right place but what does the actual email address say?
- Verify the email address. Do the two email addresses below look the same to you? Maybe not. Look again. Spoofing an email address is as simple as replacing a letter “O” with the number “0” or typing an uppercase “I” instead of a lowercase “L.” Examples: BOSSlady1234@Iwork.com versus B0SSIady1234@lwork.com
These three quick tips can help keep cyber criminals from getting in and your data from getting out.
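A mail filter or help-desk script can automate the "verify the sender" and "verify the email address" checks. The Python below is an added example, not part of the original article; the character map, function names and trusted list are assumptions, and the address pair is the one quoted in the third tip.

```python
from __future__ import annotations
from email.utils import parseaddr

# Characters that are easy to mistake for one another, folded to one form.
# Covers the swaps named in the tip (O/0, I/l) plus 1 and |; this map is an
# assumption for the example, not a complete confusables table.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})

def skeleton(address: str) -> str:
    """Lowercase the address and fold look-alike characters together."""
    return address.strip().lower().translate(FOLD)

def check_sender(from_header: str, trusted: set[str]) -> tuple[str, str | None]:
    """Classify a From header against a list of known-good addresses.

    Returns ("trusted", addr), ("lookalike", addr_it_imitates)
    or ("unknown", None).
    """
    # The display name is attacker-controlled text; only the address counts.
    _display, actual = parseaddr(from_header)
    actual = actual.lower()
    known = {t.lower() for t in trusted}
    if actual in known:
        return ("trusted", actual)
    # Same skeleton but a different raw address means a visual imitation.
    skel = skeleton(actual)
    for candidate in sorted(known):
        if skeleton(candidate) == skel:
            return ("lookalike", candidate)
    return ("unknown", None)

# Constructed sample data; the display names and third address are made up.
TRUSTED = {"BOSSlady1234@Iwork.com"}
SAMPLES = [
    '"Boss Lady" <BOSSlady1234@Iwork.com>',
    '"Boss Lady" <B0SSIady1234@lwork.com>',
    '"Boss Lady" <someone.else@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header, TRUSTED))
```

A "lookalike" verdict is the case worth alerting on: the address is not on the trusted list, yet it reads like one that is.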
Reggie Dejean is the Specialty Insurance Director at Lawley, where he specializes in cybersecurity insurance, among other areas. Dejean recently spoke at a Partnership speaker series event about cybersecurity and how businesses can file cyber security claims and leverage legal, forensic, notification, resolution, and mitigation services in the aftermath of a cyberattack.