How to prevent employees from being scammed around the holidays

Around the Black Friday and Cyber Monday weekend, employees will undoubtedly be distracted by looking for the latest bargains offered by retail stores both online and in-store. However, due to the ongoing effects of the pandemic, many employees are most likely to be shopping online. This weekend is also an opportunity for many employees to do their Christmas shopping ahead of time.

Unfortunately, this shopping weekend is a lucrative opportunity for cybercriminals to target shoppers, who may fall into the trap of phishing and social engineering scams. According to Kaspersky, online payment fraud surged by 208% between September and October 2021, with 1,935,905 financial phishing attacks disguised as e-payment systems during October.

With many employees also using company devices for personal use, organisations must remind employees on best practices for staying safe and secure online.

Top tips to advise employees:

1) Remind employees of stringent IT policies

Employees must be reminded to follow stringent IT policies, compliance, and to avoid using company-owned devices for personal purchases. While it can be tempting to keep an eye on bargains whilst working, employees should not be doing this on their work laptops or phones, even during break times.

2) Shop smartly

Tell employees to use only trusted websites to shop and use credit cards for payments over a secure connection – remember to check the website starts with “https://”. Don’t forget to monitor bank accounts for any suspicious activity, so banks can be alerted at once if scammers do manage to infiltrate bank accounts.

3) Be aware of phishing scams

Employees need to watch out for phishing and social engineering scams targeting shoppers with bargain prices – always triple check any URLs before clicking on them by hovering over the link. Support employees with phishing awareness training and check their alertness with our phishing simulation tool to truly understand if employees know how to spot a scam.

4) Remember good password hygiene

When logging into accounts for each online retail store, educate employees to use a solid, unique password for each one. Make sure the password contains a minimum of eight characters, a mix of upper- and lower-case letters, numbers and symbols. Good password hygiene will help reduce the likelihood of details being compromised in a data breach.

5) Use added security barriers such as 2FA & MFA

Where possible, teach employees to use two-factor or multi-factor authentication to log into accounts to prevent others from accessing your accounts. If a password has been compromised or cracked by a cyber-criminal, multi-factor authentication requires the hacker to bypass the one-time password, which is usually a code sent via email or text to your number. This second barrier to entry makes it harder for hackers to get it and make purchases on the account.

6) Don’t fall for gimmicks

Employees must remain cautious of ads and prize contests, (which are rife during this period) looking to pull and sell consumer information to third parties. Remind them to not click on anything they don’t trust and appears too good to be true. If in doubt, always check the URL domain.

7) Finally, don’t forget overall device security

It’s vital to keep security updated on all devices, including laptops, tablets and smartphones. Remind employees to use anti-virus software and backup all files. With IT vulnerabilities constantly appearing, employees must continuously update their devices when prompted or told by IT.

Get in touch today to talk to us about how our collection of Information Security Courses can help prevent your employees from being scammed around the holidays and further strengthen your organisation’s cybersecurity risk.

How to spot a phishing email

According to Verizon’s latest report, 36% of breaches involved phishing attacks, an increase of 11% in comparison to the previous year. Due to the pandemic and more employees working remotely, cyberattackers have used this to increase their phishing campaigns to organisations and their employees. All it takes is for one employee to click on a link in a phishing email for them or the organisation to fall victim.

That is why organisations must support their employees with cybersecurity awareness training and helping their employees understand cybersecurity foundations such as how to spot a phishing email. In this blog, we share some top tips on how your employees can spot a phishing email, helping to strengthen your organisation with its cybersecurity strategy.

1 – Check the email address of the sender

If you spot an email and the display name looks familiar or from a brand you trust, it doesn’t mean it is them. Be sure to check the actual email address is from a trusted sender. Phishing scams impersonate a person or a company you trust, e.g., TV licence phishing, Amazon phishing or more recently Covid-related phishing.

Sometimes a phishing email may come from an address such as [email protected] or [email protected] – trusted senders would not send it from a generic email such as Hotmail, Gmail or Yahoo!, instead a verified email would be from their domain name. In the second instance, having a domain name that looks similar, but is slightly misspelt, is another way of fooling you into believing they are a trusted source.

2 – Detect spelling and grammar errors

While this may sound strange, spam emails often have spelling mistakes or grammatical errors. Cyberattackers really aren’t worried if their spelling or grammar is correct.

Read the email thoroughly and be suspicious of any errors. If the email is poorly written, then it’s not from the company they are impersonating. If in doubt, always forward the email to your IT team. But NEVER follow through on the actions requested in the email.

Image

3 – Beware of how the email sender greets you

Is the email greeting impersonal? E.g. Dear reader, Hello Sir/Madam. Or perhaps it fails to recognise your name entirely, e.g., Hi [first name]?

If a trusted source is emailing you, e.g. your bank, they will address you personally. Don’t fall for the trick, mark the email as spam and delete the email. Even better, forward it to your IT team, so they can warn everyone in your organisation of phishing scams targeting your organisation.

4 – Do not share personal information

Are you asked for personal information such as your bank details or security details? Remember, genuine companies such as your bank will NEVER ask you to confirm that over email. They already know that information. Don’t share anything.

5 – Do not click on suspicious links or attachments

Cyberattackers love luring in their victims through links, for example, “validate your email address or account”. Always hover over a link to check the linking URL, if it looks suspicious or doesn’t link to what the rest of the email says – don’t click on it! The same goes for attachments, if you’re not expecting an email with an attachment and if the email is out of context – then don’t open it!

Phishing emails are there to incite curiosity or panic to get hold of a vulnerable employee who will open your organisation to the cyberattacker. It’s important to continuously remind and educate staff throughout the year with phishing training and other cybersecurity awareness training to ensure everyone stays alert on what to look out for, so they don’t get caught.

Organisations can use a phishing simulator tool to increase the security awareness of their employees. By regularly testing employees, organisations can ensure they remain alert, asking themselves if an email is legitimate or spam. Using this technique also helps L&D and security teams understand who in the organisation might need some extra training or support.