Tuesday, February 3, 2009

Employee anti-phishing training, one scam at a time

Could your employees spot a phishing scam if they saw one? Would they know what to do if a suspicious email landed in their inbox?

Why not try what the U.S. Department of Justice (DOJ) recently put together to train their employees? Send them a test.

To train their employees on the danger of phishing scams, the DOJ designed a scam of their own and recently sent it out as a test for employees.

Michael Santo, Editor-in-Chief of RealTechNews, covered the internal scam in a recent blog post, stressing the importance of employee training to guard your company against online scams.

The DOJ's fake phishing email concerned the Thrift Savings Plan (TSP), a retirement savings plan that many civilians employed by the U.S. government and uniformed service members use. The savings plan has recently fallen victim to the economic downturn.

The email directed employees to visit a fake phishing site and asked them to enter their account information by the end of the month.

Some employees spotted the scam right away, some were warned by other employees, but it created enough worry that the TSP actually put a warning message up on their website.

Last week, Ted Shelkey, assistant director for information systems security, sent the worried employees a memo explaining that the savings plan email was a hoax and that the email was just a test.

Everyone and every business is vulnerable to a phishing attack "simply because we humans are naturally programmed to respond to things that are perceived as important to us," according to Linda Musthaler at Network World.

If a phishing scam were to hit your company, it could cause serious damage to your bottom line, including financial loss, customer data breaches, and even intellectual property theft. Because of this risk, every corporate security program should include thorough user awareness training.

“Although we have shown that we can teach people to protect themselves from phishers, even those educated users must remain vigilant and may require periodic retraining to keep up with phishers' evolving tactics,” wrote Lorrie Faith Cranor, director of the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory, in the article How to Foil “Phishing” Scams.

We’ve covered the dangers of phishing scams and how employee security training is your first line of defense in an April 2008 post. As a review, here are some tips to avoid being snared by a phishing scam at the office and at home:

  • If a message lands in your inbox asking for personal or financial information, do not reply or click on any links.
  • Don’t trust phone numbers either. Some scams involve calling a phone number to update account information. It may seem legitimate, but it’s just a part of the scam.
  • Use anti-virus and anti-spyware software, along with a firewall. Make sure they are updated regularly.
  • Never email personal or financial information.
  • Closely watch credit card and bank statements for any unauthorized purchases.
  • Call your HR department or whoever is responsible for your company’s online security at the first sign of a phishing scam and report it immediately.

Courtesy of the creative team at Common Craft, here’s a short guide to recognizing and avoiding phishing scams:
