98 percent of employees claim they demonstrate either equally secure or more secure email behaviors than their colleagues. But perception is not reality.
It’s true. Of those same employees, 53 percent have received unencrypted emails containing sensitive information and 21 percent have sent confidential corporate information without encryption as reported by SilverSky.com. It is estimated that one in every 20 emails contains “risky” data – from sensitive attachments to Social Security or account numbers. The cost to companies due to careless email habits among employees is rapidly increasing, causing financial, customer and reputational loss.
Recently, email attacks from fraudsters have spread to small businesses in our area. Arming your employees with basic training and ongoing information is a starting point to combat the careless habits that may leave your business vulnerable. To this end, we present our own list of seven daily habits that any employee with a computer and Internet connection should develop.
Look closely at the domain name of the email sender when you receive a request for information or action.
You can often detect a scammer by the sender’s domain name – there’s usually a misspelling or a slight change. [email protected] and [email protected] are fraudulent. Did you find the misspelling in the first and the altered company name in the second? Our domain is parkbankonline.com. If you reply to such an email, you’ve been caught in the fraudster’s web.
Don’t click on links or open attachments from an unknown sender.
Email attachments and embedded links remain the number one means by which viruses and malware propagate. If you don’t know who sent an email, simply delete it. Even attachments from people you know could have Trojans embedded in jokes or photos sent by unsuspecting friends. When asked to take action in an email (click a link, open an attachment or provide information), it is best practice to verify the sender of the message truly sent it. Contact the sender by means other than replying to the message.
Never send or receive confidential information using email unless it is encrypted.
If fraudsters get their hands on your account numbers or login credentials, they have gained front-door access to your money and identity. Make sure your suppliers and customers aren’t sending account information to you without encrypting the message before clicking send.
Anything sent in an open email can be intercepted and potentially used against you or your contacts.
Shred customer and confidential company information.
Fraudsters are also checking your garbage and dumpsters for information they can use to personally target your customers, suppliers and employees. They are finding that this “spear phishing” is more effective than general phishing, where information on people you know is harvested for personal malware and phishing attacks using your company or name.
Use a unique phrase for your password, but don’t use straight-up dictionary or seasonal words.
“123456” and “password” remain the most popular – and the most stolen – passwords of 2015 according to Splashdata’s worst password list of 2015. “Star Wars”-related passwords like “Solo,” “Princess” and “Star Wars” all made the top 25! See the full list. According to our IT specialist, fraudsters can crack a six-character password in less than one hour, but an eight-character password will take more than eight hours to crack. Password length (including characters and spaces) is the factor found to be more difficult to crack than complexity.
Stay away from websites and links that you are unfamiliar with.
Malware can easily be embedded in malicious sites, often hidden by shortened URLs and in video files and Facebook apps. Make sure your security software is up to date and run regular malware scans, since many security suites can flag suspicious downloads to contain or prevent a breach. For advice on how to avoid unsafe online practices, read about these 17 most dangerous website threats
Use multi-factor authentication when signing into your email account.
Data breaches frequently result from lax authentication. Multi-factor authentication such as one-time passwords, phone-based validation and smart cards protect cloud-based services because they make it harder for attackers to log in with stolen credentials. Even businesses that use Gmail can set up multi-factor authentication to access company email.
This is not a comprehensive guide and is for informational purposes only. Please consult your IT professional for guidance specific to your company.