Phishing

Let me start with a warning: make sure your IT department, or whoever or whatever handles your IT, sets the controls on your company computers to disallow the downloading of any programs and to block certain Internet sites.

I’ve been working for a firm that outsourced its IT for bare-bones coverage and had no one in-house with a strong IT background. Most of its computers ended up infected with trojans, worms, viruses and other malware. This could have been prevented. The company had no spyware protection on its computers and only minimal virus protection on its computers and its server. Of course, they did not regularly back up data according to a schedule. Nor did they periodically clean the server.

This brings me to the topic of phishing. You’ve seen them: emails that seem to be from Bank of America, Chase, SunTrust, or whomever, stating that the bank needs to confirm your personal data. Often the emails appear to come from a bank that you have an account with or have done business with in the past. Of course, nearly everyone has transacted business with the largest banks in some way, directly or indirectly, sometime in the relatively recent past, so these emails often seem believable. But the banks continually tell their customers, in emails and mailings, that they would NEVER ask them to verify their information online. And they would certainly NEVER ask them to click on a link.

The other popular target is PayPal. I used to receive these often, where PayPal was allegedly requesting me to verify my information or to click on the link to clear up some issue with my account. I had read the notices from PayPal that, like the banks, exhorted me NOT to click on any links or provide any information. I did highlight the link once to see what website the link directed me to. It was completely different from the website address provided in the email. Fancy that!

There’s a new one going around now for ACH transfers. If you’ve recently sent an electronic transfer or wired funds, you or your employees may think this is legitimate. It is NOT. I just had the CEO of a firm I work with inquire about one such email, asking me if we should investigate. The answer is NO! (As I told her.) If your transfer encounters a problem, no intermediary will notify you. The bank initiating the transfer will let you know there was a problem. And they won’t do it via email! They will call or fax you. This ACH email provided two opportunities to wreak havoc on the computer. It contained a link to click on and a document to download.
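The two tells just described, a link whose visible text names one site while its real destination is another (the PayPal hover check) and an email that pairs such a link with a downloadable file (the ACH lure), can both be checked automatically before anyone clicks. The script below is an added example, not something from the original post; it uses only the Python standard library. The message it builds is constructed to resemble the ACH lure (all addresses and hostnames in it are placeholders), and the list of risky attachment extensions is an assumption to extend as you see fit.

```python
"""Check an email for the two lures described in the post: a link whose visible
text names one site while its href goes to another, and an attachment that runs
code when opened. Added example; the message below is constructed, not real."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Starting list of attachment types that execute on open (assumption, extend to taste).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".zip", ".docm", ".xlsm"}
# Visible link text that a reader would take for a web address.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host part of a URL, lower-cased, with a leading 'www.' dropped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Return (visible text, real host) for links that display one address but
    resolve to a different host (a subdomain of the shown host is not flagged)."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href or not LOOKS_LIKE_URL.match(text):
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((text, real))
    return findings


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def analyze(msg):
    """Run both checks on an EmailMessage and report the findings."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"mismatched_links": mismatched_links(html),
            "risky_attachments": risky_attachments(msg)}


def analyze_raw(raw_bytes):
    """Same checks on a message as received, e.g. the bytes of a saved .eml file."""
    return analyze(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample_ach_message():
    """Constructed look-alike of the ACH lure: a mismatched link plus an .exe 'report'."""
    msg = EmailMessage()
    msg["From"] = "ACH Notification <notify@ach-alerts.example>"
    msg["To"] = "ceo@yourfirm.example"
    msg["Subject"] = "ACH transfer rejected - action required"
    msg.set_content("Your transfer was rejected. See the attached report.")
    msg.add_alternative(
        "<p>Your ACH transfer was rejected. Review it at\n"
        '<a href="http://www.yourbank.example.evil-host.test/ach">'
        "www.yourbank.example/ach</a>\nor open the attached report.</p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="ACH_Report.exe")
    return msg


if __name__ == "__main__":
    print(analyze(build_sample_ach_message()))
```

Run as-is and it reports the one mismatched link (shown as www.yourbank.example/ach, really pointing at yourbank.example.evil-host.test) and the ACH_Report.exe attachment. Point analyze_raw at the bytes of a saved .eml file to check a real message; a link whose text is just "Click here" is not flagged, because there is no displayed address for the real one to contradict, so that case still needs the hover check.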

Most recently I’ve seen a number of phishing scams purporting to be from the Better Business Bureau or BBB. Beware! You click on the link and a virus or trojan is unleashed on your computer to wreak all kinds of havoc. Of course, the BBB is a respected entity, so, just as with a bank, people assume that the emails are legitimate. But the email wording seems fishy. (Is that where the term “phishing” came from? No? Oh well, just a thought.)

In September of last year, the IRS issued a statement that they were NOT sending emails asking people to verify their personal data with the IRS by clicking on a link. I saw that email and sent it to my “junk” folder. I saw the IRS’ press release warning everyone about it and re-posted that press release on my blog. People who clicked on the link in that email had a virus downloaded to their computers. I still occasionally see phishing emails regarding the IRS. I just ignore them.

Please make your employees aware of these phishing scams. You need to protect the integrity of your data, software, computers, and servers. Because many people are not as diligent about noticing that something looks a little flaky, you must install internal controls that prevent employees from downloading files from the Internet and from accessing websites that are suspicious or known for unleashing malware. You must also ensure that spyware removal and antivirus programs reside on all company computers and on the company’s servers. (Note: Many companies with more substantial IT support such as full IT outsourcing or several in-house IT personnel keep all computers connected to the servers at all times and, as such, run all spyware and antivirus and other cleaning programs only at the server level.) Finally, the servers need to be periodically cleaned to make sure nothing broke through the firewall and took up residence.