Army brats like me grew up around the word “readiness.” We knew it meant weeks or even months of a parent away on deployment, training for “What if . . .” scenarios. One of the reasons so many veterans have made the successful transition to entrepreneurship is that they continue to put readiness first. A recent FTC proposed settlement serves as a reminder to veterans who own businesses – and to all business executives – about the ongoing threats to sensitive customer and employee information posed by phishing. The best defense: readiness.
Phishing scammers typically contact employees via email, text, or telephone and induce them to click a link, download a file, or reveal confidential information. Their goal is to install malware or otherwise gain access to your digital assets. In that recent case, the FTC alleged that an educational technology company’s lax security practices resulted in multiple data breaches, leading to the misappropriation of personal information about millions of consumers. One interesting aspect of the case is the allegation that the data thieves went through the digital front door by getting employees – including some senior executives – to take the bait on phishing scams. The complaint further charged that for a long stretch of time, the company “did not require employees to complete any data security training, including identifying and appropriately responding to phishing attacks.”
Phishing has been around for years – the FTC’s first phishing-related case was in 2004 – but the disturbing news is that both old-school methods and more sophisticated attacks continue to succeed. The FTC suggests steps you can take to help protect your company from phishing fraud.
Implement company-wide training. If a person is on your roster in any capacity, add them to your data security training list. In the FTC’s experience, scammers view everyone as a potential target – including interns, seasonal temps, contractors, and even people who don’t routinely use sensitive data. Furthermore, no one is too important for training. As the FTC’s recent case demonstrates, scammers don’t stop at the C-suite door, and training shouldn’t either.
Schedule regular refreshers. Training isn’t a one-and-done box to check off your to-do list. Your business operations probably change with some frequency, and so do the threats you must defend against. But we’ve all had to sit through in-house lectures that call to mind the “Whaa Whaa Whaa” sound effect when grown-ups talk on the “Peanuts” specials. The key is to keep the content fresh and engaging with real-life stories, headline news, and other attention grabbers.
Look for tell-tale signs of phishing. There’s no 100% accurate test to tell if a message is a phishing scam, but certain characteristics can be a tip-off – for example, misspellings or grammar mistakes; demands for gift cards, wire transfers, or cryptocurrency; directions to click links or download attachments; or wording that sounds just plain weird. (One email we received recently: “It is utmost essential for all laborers to under take following manditory steps.”)
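Some of those tip-offs can be checked by a machine before a person ever sees the message. The script below is an added example, not code from the FTC or from the post: it reads a raw email, flags payment demands (gift cards, wire transfers, cryptocurrency), urgency language, calls to click links, attachments (with a note for executable or macro-bearing file types), and a Reply-To address that points to a different domain than the apparent sender (a common spoofing tell that goes one step beyond the post’s list). Misspellings and “just plain weird” wording are left to human judgment. The two sample messages, the domains, the names, and the keyword lists are all constructed for the example.

```python
"""Heuristic phishing triage for raw RFC 5322 messages (added example, not FTC code)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Keyword lists are assumptions for the example; tune them to your own mail.
PAYMENT_DEMANDS = ("gift card", "wire transfer", "wire the", "bitcoin", "cryptocurrency", "crypto")
URGENCY = ("immediately", "urgent", "right away", "within 24 hours", "asap", "before end of day")
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk", ".html", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CLICK_RE = re.compile(r"\b(click|open|log ?in|sign ?in|verify)\b")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def _body_text(msg: EmailMessage) -> str:
    """Concatenate the text parts of a message (HTML tags stripped crudely)."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)
        parts.append(text)
    return "\n".join(parts)


def phishing_indicators(raw: str) -> list[str]:
    """Return the tip-offs found in one raw message; an empty list means none were found."""
    msg = message_from_string(raw, policy=default)
    text = _body_text(msg)
    haystack = str(msg["Subject"] or "").lower() + "\n" + text.lower()
    found: list[str] = []

    # 1. Demands for gift cards, wire transfers, or cryptocurrency.
    hits = [p for p in PAYMENT_DEMANDS if p in haystack]
    if hits:
        found.append("payment demand: " + ", ".join(hits))

    # 2. Pressure to act now, typical of business email compromise lures.
    hits = [u for u in URGENCY if u in haystack]
    if hits:
        found.append("urgency language: " + ", ".join(hits))

    # 3. A link plus an instruction to click, open, log in, or verify.
    urls = sorted(set(URL_RE.findall(text)))
    if urls and CLICK_RE.search(haystack):
        found.append("call to click link(s): " + ", ".join(urls))

    # 4. Attachments; executable or macro-bearing types get an extra note.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "<unnamed>").lower()
        risky = name.endswith(RISKY_ATTACHMENT_EXT)
        found.append(f"attachment {name}" + (" (risky type)" if risky else ""))

    # 5. Reply-To steering replies to a domain other than the sender's (assumption:
    #    a spoofing tell beyond the post's list, so it is reported separately).
    from_dom, reply_dom = _domain(msg["From"] or ""), _domain(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    return found


def verdict(raw: str, threshold: int = 2) -> str:
    """Route a message for out-of-band verification when enough tip-offs stack up."""
    return "verify by phone before acting" if len(phishing_indicators(raw)) >= threshold else "no tip-offs found"


def sample_messages() -> dict[str, str]:
    """Two constructed messages (not real mail): a CEO-impersonation lure and a benign note."""
    lure = EmailMessage()
    lure["From"] = '"Pat Rivera, CEO" <pat.rivera@example-company.com>'
    lure["Reply-To"] = "pat.rivera.ceo@freemail.example"
    lure["To"] = "accounts@example-company.com"
    lure["Subject"] = "Urgent - need this handled today"
    lure.set_content(
        "I am in a meeting and cannot talk.\n"
        "Please buy 5 gift cards ($500 each) immediately and\n"
        "click http://pay-now.example/confirm to upload the codes.\n"
        "It is utmost essential.\n"
    )
    lure.add_attachment(b"not really a document", maintype="application",
                        subtype="octet-stream", filename="invoice.docm")

    benign = EmailMessage()
    benign["From"] = "hr@example-company.com"
    benign["To"] = "staff@example-company.com"
    benign["Subject"] = "Holiday schedule"
    benign.set_content("The office is closed Friday. Enjoy the long weekend.\n")
    return {"lure": lure.as_string(), "benign": benign.as_string()}


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, "->", verdict(raw))
        for line in phishing_indicators(raw):
            print("   ", line)
```

The score is a triage aid, not a verdict: a message with two or more tip-offs goes to the “pick up the phone” step rather than being acted on, and a clean score says nothing about a well-written lure.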
Commend employees for developing a skeptical eye. “Is that really a message from the boss telling me to wire money or send a confidential spreadsheet?” “The caller said they were from Tech Support, but is that true?” “The email says it’s a link to our new company communications platform. Should I click on it?” Encourage your staff to take a moment to think through unexpected emails, texts, or calls. Even if it turns out to be a genuine request, if their gut suggests that phishing could be afoot, applaud employees who take the time to investigate.
Keep your defenses up during remote work. Double-checking was easier when it was a matter of walking down the hall to see if a request was on the level. But that’s not possible with remote workers or business travelers. Encourage your team to pick up the phone and call a number they know to be legitimate to determine if a message is a bona fide business communication or a phishing attempt.
Our best advice for veterans who own businesses borrows a watchword from the United States Coast Guard: Semper Paratus (Always Ready). Anticipate threats to sensitive data in your possession and train your employees on how to spot scammers trying to infiltrate your defenses. The FTC’s Cybersecurity for Small Business resources include a segment on protecting your company from phishing scams. For information about personal financial readiness and other topics compiled especially for veterans and servicemembers, visit our Military Consumer site.
This Veterans Day we’re honored to honor you – and the family members whose support was essential for your service.