Retailers must take steps to protect themselves
The majority of people probably won’t be familiar with the term phishing, but more than likely they will have been subjected to it.
By Paul Vlissidis, technical director at NCC Group
Phishing is fraud. Through phishing attacks, criminals attempt to obtain users’ details, which can then be used to access confidential information, steal money or open new accounts in the victim’s name.
Attacks come in the form of emails from a seemingly trusted source. They’ll often ask users to download malicious attachments or direct them to websites that appear to be official but are in fact replicas, making the attacks difficult to defend against.
For example, you might get an email that appears to come from your bank, informing you that your account has been locked and asking for your login details in order to confirm your identity. No legitimate bank will ask for your password by email.
Phishing is a big issue for retail organisations. Once an attacker has tricked one of your employees into handing over credentials or opening an attachment, they could gain access to your wider systems.
But retailers can take steps to protect themselves:
Disable live links in emails
Most of the time a phishing attack will aim to get an unsuspecting user to click a link in an email. This might take you to a website that asks for your personal details, or silently download malware onto your device.
Disabling live links in emails means staff cannot simply click a link; they have to copy it and paste it into a browser, which gives them a chance to check whether the URL is what they would expect. This matters because the text of a link and its real target can differ: an email can display www.examplebank.com while the underlying address points somewhere else entirely.
Educate staff
Phishing preys on staff naivety, so one of the more successful defences is staff education.
Specialist independent firms offer training exercises that show staff the typical signs to look out for (such as bad spelling and grammar), while advising them on what to do when they think they’ve been targeted.
Another technique is to target employees with fake phishing emails and monitor clickthroughs. Those who take the bait can be given extra training.
Whitelist websites
Many phishing attacks involve a user visiting a website that looks familiar and official, but is in fact an imitation with a slightly different URL.
To counter this, retailers should opt for a whitelisting approach where employees only have access to an approved set of sites, ensuring they cannot reach unknown or malicious sites without authorisation. The level of access should be set on a case-by-case basis: staff who handle sensitive data, such as the finance department, may not merit full web access.
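As an added example (not code from the article or from NCC Group), here is the decision logic an outbound web proxy would apply under the whitelisting approach described above: a per-group allowlist where an entry covers the host and its subdomains, host normalisation so that case, trailing dots and punycode cannot slip past an exact match, and, for denied requests, a check for the "slightly different URL" the article mentions (a trusted name used as a prefix, confusable characters such as 1 for l, or a one-character edit). The group names, allowlist entries and sample URLs are invented.

```python
"""Allowlist enforcement for an outbound web proxy, with lookalike detection.

Added example, not part of the original article. ALLOWLIST, the group
names and every URL below are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Per-group allowlists. An entry matches the host itself or any subdomain.
ALLOWLIST = {
    'finance': {'erp.example.com', 'examplebank.com'},
    'staff': {'erp.example.com', 'examplebank.com',
              'intranet.example.com', 'supplier-portal.example.org'},
}

# Digits commonly substituted for letters in lookalike registrations.
CONFUSABLES = str.maketrans({'0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't'})


def normalise_host(url):
    """Lower-case, strip a trailing dot and decode punycode, so that
    'LOGIN.ExampleBank.com.' compares equal to 'login.examplebank.com'."""
    host = (urlparse(url).hostname or '').rstrip('.').lower()
    if 'xn--' in host:
        try:
            host = host.encode('ascii').decode('idna')
        except UnicodeError:
            pass  # malformed punycode: keep raw form, it will simply not match
    return host


def is_allowed(host, allowlist):
    """Exact match or subdomain of an allowlisted entry."""
    return any(host == entry or host.endswith('.' + entry) for entry in allowlist)


def skeleton(host):
    """Fold look-alike characters: 'examp1ebank' and 'exarnplebank' both become
    'examplebank'. Deliberately crude; a real filter uses Unicode confusable tables."""
    folded = unicodedata.normalize('NFKD', host).encode('ascii', 'ignore').decode()
    folded = folded.translate(CONFUSABLES)
    return folded.replace('rn', 'm').replace('vv', 'w').replace('-', '')


def edit_distance(a, b):
    """Levenshtein distance; one substitution (a Cyrillic 'a' for a Latin one) is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, allowlist):
    """Return the allowlisted name `host` appears to imitate, or None.

    Checks a trusted name used as a prefix (examplebank.com.evil.example),
    confusable characters (examp1ebank.com) and single-character edits,
    against both the full host and its last two labels."""
    registrable = '.'.join(host.split('.')[-2:])
    for entry in sorted(allowlist):
        if host == entry or host.endswith('.' + entry):
            continue  # genuinely on the list, not an imitation
        if host.startswith(entry + '.'):
            return entry
        for candidate in (host, registrable):
            if skeleton(candidate) == skeleton(entry) or edit_distance(candidate, entry) <= 1:
                return entry
    return None


def decide(url, group):
    """Proxy decision: ('allow'|'deny', normalised host, imitated entry or None)."""
    host = normalise_host(url)
    allowlist = ALLOWLIST.get(group, set())
    if is_allowed(host, allowlist):
        return ('allow', host, None)
    return ('deny', host, lookalike_of(host, allowlist))


if __name__ == '__main__':
    for url, group in [
        ('https://erp.example.com/invoices', 'finance'),
        ('https://examplebank.com.evil.example/login', 'finance'),
        ('https://examp1ebank.com/login', 'finance'),
        ('https://supplier-portal.example.org/', 'finance'),
        ('https://supplier-portal.example.org/', 'staff'),
    ]:
        print(group, url, '->', decide(url, group))
```

Denials that carry a lookalike match are worth routing to the security team rather than just logging, since they mean someone in that group was already handed the imitation URL.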
Use mail filtering
Email filtering is improving, and many providers can weed out phishing emails before they reach inboxes. It is a good first layer of defence that stops many attacks before they can cause damage, but some messages will always get through, so it should not be the only layer.
Encourage mobile apps and bookmarking
As well as phishing that targets employees, retailers must be aware of hackers using their brand to target unsuspecting customers too.
One of the reasons phishing tricks users is because they are used to receiving email correspondence from that company or visiting a specific website. Therefore one alternative is to switch to contacting and reaching customers through different means, such as a mobile app, in order to break the browser habit.
Alternatively, encourage users to bookmark your website so they always visit the correct, safe version.
Promote reporting
It’s important to promote a culture where employees are comfortable reporting suspicious web links to the IT or security department – even if they have supplied details or downloaded an attachment. There needs to be an understanding that there won’t be punitive action if they’ve made a mistake.
An IT department that knows a breach has taken place is in a better position to rectify the situation than one which has no idea what’s gone on.
For more, visit: www.nccgroup.com