As the business world increasingly relies on technology, cyber-attacks and scams are becoming more prevalent, and hackers have many opportunities to gain access to and exploit confidential information. One cyber security threat that affects businesses, nonprofits, and individuals alike is commonly referred to as phishing: the attempt to gather sensitive information such as usernames, passwords, or bank account details by masquerading as a trustworthy entity through e-mail. This scam can be extremely subtle; will you and your colleagues be ready to identify it?
Two targeted categories of phishing are spear phishing and whaling.
- Spear Phishing: A phishing attack directed at specific individuals, roles or organizations. A hacker who is spear phishing may go to great lengths to gather specific personal or institutional information to make the scam more believable.
- Whaling: A phishing attack directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Establishing sound internal controls is an organization’s best defense against phishing attempts.
Ways to protect against phishing may include the following:
- Securely discard information: Shredding paper records and securely deleting files that could be used in such an attack is a solid way to keep that information from being divulged.
- Have a skeptical mindset: Hackers can gain access to personal information that may be easily obtainable, such as your birthday, where you bank, or your title at work. The fact that an e-mail contains some of your personal information does not make it a credible source. Question information or payment requests received in e-mails.
- Ask around / investigate: If you receive an e-mail from an unknown source that appears credible, or even from an address you believe to be genuine, think about what the e-mail is trying to get you to do, who it is from, and whether the request seems realistic or appropriate. When in doubt, investigate. Follow up with the purported sender directly by phone, using a number you already have on file rather than one supplied in the e-mail, and ask about the request. Check with others within the organization to determine whether the task or request is appropriate.
- Set an entity-wide policy: Set, and strongly enforce, an internet and e-mail policy that prohibits e-mailing unsecured documents containing proprietary information, including personal information, passwords, banking information, and social security numbers. Most importantly, your policy should include a protocol for responding to requests for large deposits or transfers.
- Education: Stay current on new phishing scams and fraud attempts occurring in your area or industry. Communicate what you’ve learned within your organization. Being informed and alert can be your best defense against these scams.
For additional information about safeguarding your organization against phishing attempts and other fraud scams, contact Kristi Yanover, Audit Partner, at email@example.com, or any member of our Accounting & Assurance Team. We would be pleased to assist you in protecting your assets through risk assessment, policy development and internal control design.