Companies that must comply with the EU’s General Data Protection Regulation (GDPR) have been busy emailing customers with information about updated privacy policies, consent forms, and other GDPR topics. These companies are not the only ones sending GDPR-related emails, though. In May 2018, security researchers discovered that hackers were distributing GDPR phishing emails designed to trick people into entering the kinds of data that the regulation protects.
How to Protect Your Business
Phishing attacks like the Airbnb scam are not going away any time soon: they remain a cheap and reliable way for attackers to steal money, harvest credentials, and deliver malware. You therefore need a strategy to protect your business from them. One approach is to think in terms of three lines of defense.
The First Line of Defense
The first line of defense is your email filtering and security software. Keep both up to date so that as few phishing emails as possible reach employees, and make sure the security software is installed on every computing device in your business, including smartphones.
The Second Line of Defense
Email filtering and security software will not catch every phishing email, so the next line of defense is your employees. Educate them about phishing: warn them about the dangers of clicking links and opening attachments, and teach them how to spot a phishing message. Elements to look for include:
- A deceptive email address. Phishing emails often carry a deceptive address in the “From” field, and the display name is easy to make look right. In the GDPR phishing email, the Airbnb address ended in “@mail.airbnb.work”, a lookalike domain rather than a real Airbnb address. Train people to read the part after the @ sign, not just the name in front of it.
- A request for personal information. If an email asks recipients to enter a password, credit card number, bank account number, or other sensitive information, it is most likely a scam. In the Airbnb phishing scam, recipients were asked to enter their account credentials and payment card information; the email sent by the real Airbnb did not ask customers to enter any personal information.
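The first of these checks can also be automated at the mail gateway or in a triage script. Below is an added example (not code from the original post, and not Airbnb's) that parses the “From” header and flags any address whose registrable domain is not the brand's real one. The legitimate domain airbnb.com, the two-label rule for the registrable domain, and the sample headers are assumptions made for illustration. Note what this does and does not catch: it spots lookalike domains such as airbnb.work, but a forged “From” header that uses the real domain outright is only caught by the sender-authentication checks in your email filter.

```python
"""Flag From: addresses whose domain is not the brand's real domain.

Added example for this post; not code from the original page or from Airbnb.
Assumptions: the brand's real domain is airbnb.com, a "registrable domain"
is the last two labels of the host, and the sample headers are constructed.
"""
from __future__ import annotations

from email.utils import parseaddr

# Assumption: the only domain the brand legitimately sends from.
LEGITIMATE_DOMAINS = {"airbnb.com"}
BRAND_NAMES = {domain.split(".")[0] for domain in LEGITIMATE_DOMAINS}  # {"airbnb"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. "mail.airbnb.work" -> "airbnb.work".

    Simplification: a production check should use the Public Suffix List so that
    multi-label suffixes such as "co.uk" are handled correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str) -> tuple[str, str]:
    """Classify a From: header value.

    Returns (verdict, reason) where verdict is one of:
      "ok"         - address is under a legitimate domain
      "lookalike"  - the brand name appears in the address or display name,
                     but the registrable domain is not the real one
      "unrelated"  - no claim to be the brand at all
      "invalid"    - no usable address in the header
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid", f"no address found in {from_header!r}"
    host = address.rpartition("@")[2]
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return "ok", f"{address} is under {domain}"
    claims_brand = any(
        brand in host.lower() or brand in display_name.lower() for brand in BRAND_NAMES
    )
    if claims_brand:
        return "lookalike", f"{address} looks like the brand but is registered under {domain}"
    return "unrelated", f"{address} is registered under {domain}"


def triage(headers: list[str]) -> list[tuple[str, str, str]]:
    """Run classify_sender over a batch and return (verdict, header, reason) rows."""
    rows = []
    for header in headers:
        verdict, reason = classify_sender(header)
        rows.append((verdict, header, reason))
    return rows


# Constructed sample headers for the demonstration.
SAMPLE_HEADERS = [
    "Airbnb <automated@airbnb.com>",                            # genuine domain
    "Airbnb <no-reply@mail.airbnb.work>",                       # the scam's lookalike domain
    "Airbnb Support <support@airbnb.com.account-verify.net>",   # real name buried as a subdomain
    "Alice Example <alice@example.org>",                        # ordinary unrelated sender
]

if __name__ == "__main__":
    for verdict, header, reason in triage(SAMPLE_HEADERS):
        print(f"{verdict:10} {header:58} {reason}")
```

The third sample header is the trick the two-label rule exists for: “airbnb.com” appears in the address, but the registered domain is account-verify.net, so a check that only searches for the brand name in the string would pass it.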
The Third Line of Defense
The third line of defense is a set of preemptive measures that limit the damage if an employee falls for a phishing scam despite your best efforts. You can mitigate the effects of a successful phishing attack by:
- Using a unique strong password for each business account. As the Airbnb scam illustrates, obtaining login credentials is the goal of many phishing scams. Once cybercriminals obtain the password for one account, they try it (and variations of it) against other accounts, because they know people reuse passwords. A unique strong password for each business account means a compromised password opens only the one account it belongs to; a password manager is what makes this practical across many accounts.
- Keeping operating systems and applications up-to-date. Hackers often exploit known software vulnerabilities to install malware. Keeping software patched closes the holes that a malicious link or attachment delivered by a successful phishing attack relies on to run code. Patching does not help when the employee is tricked into running the malware directly, which is why the other layers still matter.
- Performing backups regularly and making sure they can be successfully restored. Backups can save the day if an employee falls for a scam that unleashes ransomware: you restore your data and systems from copies taken before the attack. Test restores regularly rather than assuming they work, and keep at least one copy offline or otherwise unreachable from the network, because ransomware that can reach your backups will encrypt or delete them too.
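As an added example of the restore test in the last item above (not the page's own procedure), the following Python script archives a directory with the standard library's tarfile module, records a SHA-256 digest for every file at backup time, restores the archive into a fresh directory, and reports any file that is missing, changed, or unexpected. All paths and file contents are constructed in a temporary directory so the script runs offline; the second, deliberately incomplete archive shows what a failed restore test reports.

```python
"""Restore-test a tar backup by checksumming the original and the restored copy.

Added example for this post; not the page's own procedure. All paths and
file contents are constructed in a temporary directory so it runs offline.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    hashes: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of source's contents to archive; return the digests recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return file_hashes(source)


def restore_and_verify(archive: Path, expected: dict[str, str]) -> list[str]:
    """Extract archive into a scratch directory; return a list of problems (empty means the restore is good)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and ".." members in the archive
                # (Python 3.12+, backported to 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4).
                tar.extractall(scratch, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        restored = file_hashes(Path(scratch))
    problems = [
        f"missing: {rel}" if rel not in restored else f"changed: {rel}"
        for rel, digest in expected.items()
        if restored.get(rel) != digest
    ]
    problems += [f"unexpected: {rel}" for rel in sorted(restored.keys() - expected.keys())]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed directory, then restore-test a good and a bad archive."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "data"
        (source / "notes").mkdir(parents=True)
        (source / "invoices.csv").write_text("id,amount\n1,100\n")            # constructed content
        (source / "notes" / "todo.txt").write_text("renew certificates\n")     # constructed content

        good = work_dir / "good.tar.gz"
        expected = create_backup(source, good)
        good_problems = restore_and_verify(good, expected)

        # Constructed failure: a file disappears before the next backup runs, so the
        # new archive no longer contains everything we expect to be able to restore.
        (source / "notes" / "todo.txt").unlink()
        bad = work_dir / "bad.tar.gz"
        create_backup(source, bad)
        bad_problems = restore_and_verify(bad, expected)
    return good_problems, bad_problems


if __name__ == "__main__":
    good, bad = demo()
    print("good archive:", good or "restore verified")
    print("bad archive: ", bad)
```

The point of keeping the digests from backup time is that the restore is checked against what the data looked like before the incident, not against whatever is on the (possibly encrypted) live system when you need the backup.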
What’s Your Strategy?
Although developing a strategy to protect your business from phishing attacks takes some effort, it is important to have one. Using the three lines of defense presented here is a good starting point. We can help you create and then implement a strategy tailored to your company’s needs.