Your enterprise resource planning (ERP) system holds sensitive corporate information, including customer data, employee records, financial statements, and more. Given the value of this data, securing it against phishing is a critical part of maintaining the health of your business. In fact, nearly every significant corporate data breach over the past few years has been the result of phishing.
Almost everyone is vulnerable to a well-orchestrated phishing attack simply because we humans are naturally programmed to respond to things that are important to us. Corporate users are just as susceptible to phishing attacks as consumers, and the stakes may be higher. A corporate phishing scam attacking your enterprise resource planning system could cause direct financial loss, customer data breaches, or the theft of intellectual property.
What is phishing?
Phishing is a fraudulent attempt, usually through email, to steal your personal information. But phishers don’t use only email; they also use social media and phone calls. Often, phishing attempts appear to come from sites, services, and companies with which you do business. For Internet criminals to successfully “phish” your personal information, they must get you to visit a fraudulent website. Phishing emails almost always tell you to click on a link that takes you to a page where your personal information—such as a credit card number, social security number, account number, or password—is collected. Legitimate organizations would never request this information via email.
We live in a digital age, and gathering information about the individuals in a corporation has become much easier. Spear phishing is a targeted attack in which the attacker researches an intended target (often using social media) and includes highly relevant details in the email to make it more credible. It’s no longer enough to watch out for crudely worded emails. Many such attempts, called whaling, are aimed at high-level managers—the really big fish. According to one security researcher, a single whaling e-mail scam claimed two thousand victims. (Read more in this New York Times article.)
Types of phishing:
- DNS-based phishing compromises your hosts file or DNS resolution and directs your customers to a false webpage, where they enter their personal information or payment details.
- Content-injection phishing involves malicious content, such as code or images, being inserted into your website to capture personal information, such as login details, from your staff and customers. This type of phishing is especially effective against individuals who reuse the same password across different websites.
- Man-in-the-middle phishing involves criminals placing themselves between your company’s website and your customer. This allows them to capture everything your customer enters, such as personal information and credit card details.
- Telephone phishing attempts to obtain company information over the phone by impersonating a known entity such as a company vendor or the IT department.
- E-mail phishing includes several different ways to get employees or customers to click on a false link:
  - Embedding a link in an email that redirects your employee to an unsecured website that requests sensitive information.
  - Delivering a Trojan through a malicious e-mail attachment or advertisement, which gives the intruder a foothold from which to exploit vulnerabilities and obtain sensitive information.
  - Spoofing the sender address in an email so that it appears to come from a reputable source that is requesting sensitive information.
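Two of the e-mail tricks listed above leave a visible trace in the message itself: an embedded link whose displayed URL differs from where the href actually goes, and a sender whose From address does not match the address the mail actually bounces to. The following script, an added illustration that is not code from the original article, parses a message and flags both indicators. The sample message, the domain names in it, and the two-label "registered domain" shortcut are all constructed assumptions for the example; a production check would use the Public Suffix List and SPF/DMARC results rather than a bare Return-Path comparison, since legitimate bulk mailers also send with a different bounce domain.

```python
"""Heuristic detection of two e-mail phishing indicators:
displayed-vs-actual link mismatch, and From/Return-Path domain mismatch.
Added example, not part of the original article."""

import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (raw RFC 5322 text) used as the example input.
# The visible link text claims the vendor's site, but the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "ERP Support" <support@erp-vendor.example>
Return-Path: <bounce@mail-relay.example.net>
To: accounts@corp.example
Subject: Action required: verify your ERP credentials
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your session has expired. Please sign in again at
<a href="http://erp-vendor.example.login-verify.example.net/auth">https://erp-vendor.example/login</a></p>
<p>Thanks, <a href="https://erp-vendor.example/help">Help Center</a></p>
</body></html>
"""

# Visible anchor text that looks like a URL: optional scheme, then a dotted host.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


def registered_domain(host):
    """Collapse a host name to its last two labels ('a.b.example' -> 'b.example').
    Assumption for this example; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) tuples
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html_body):
    """Return links whose visible text names one domain while the href leads to
    another registered domain (the 'embedded link' trick)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        match = URL_LIKE.match(text)
        if not match:
            continue  # plain label such as 'Help Center'; nothing to compare
        shown_host = match.group(1)
        actual_host = urlparse(href).hostname
        if actual_host and registered_domain(actual_host) != registered_domain(shown_host):
            findings.append({"shown": text, "actual": href})
    return findings


def analyze_message(raw):
    """Parse a raw message and report both indicators for a reviewer or a triage queue."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    bounce_addr = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = from_addr.rpartition("@")[2]
    bounce_domain = bounce_addr.rpartition("@")[2]
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    return {
        "from_domain": from_domain,
        "return_path_domain": bounce_domain,
        # Heuristic only: SPF/DMARC results are the authoritative sender check.
        "sender_mismatch": registered_domain(from_domain) != registered_domain(bounce_domain),
        "mismatched_links": mismatched_links(body),
    }


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed message, the script reports one mismatched link (the "sign in again" anchor) and a sender mismatch between erp-vendor.example and example.net; the "Help Center" link is ignored because its visible text is not a URL. Feeding a suspected message through a check like this is one concrete way to give employees the immediate feedback that the training section below recommends.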
How to protect your company from phishing:
Phishing plays on human vulnerabilities and is not strictly a technological problem. Your employees are the best channel through which to detect, report, and defend against phishing attacks. The first step is training, because the best way to protect yourself from phishing is to recognize a phish. Users need to be educated on the types of phishing attacks so that they can recognize them. Because this training is so important, move it away from a boring annual presentation, or an online module that can be clicked through while the employee eats lunch or surfs the web. Instead, try mock phishing emails with immediate feedback when employees click on the links. Although we can teach people to protect themselves from phishers, even educated users must remain vigilant and may require periodic retraining to keep up with evolving phishing tactics. For training suggestions, read One Step to Keeping Your ERP Software Data Secure.
It is also important to put procedures in place so that employees can quickly and easily report a suspected phishing attack. Once it has been reported, the details can be circulated so that others are on guard.
If you are experiencing business challenges, whether security, inefficiency, or other issues, contact us. Emerald TC can provide you with ongoing support and consulting for your enterprise resource planning software.