Remember a time when a fishing rod, some bait, and a lake was all that was needed for a quiet afternoon of relaxation and fun. Today, we need to deal with a different kind of “phishing”. This phishing has gone wild in the digital world and has become the preferred method by the bad guys in obtaining easy access to your corporate email platform. Access to a wealth of desirable information that includes transactional information, wire-transfer directions, and personal identifiable information (PII) of your Agents, Staff and Customers.
The question becomes, “How can I protect my brokerage from becoming a victim of phishing scams?”
Unfortunately, there isn’t a single easy answer. It is difficult and must include layers of defenses to surround your pond. There is a four-layer approach to setting “No Trespassing” signs around your pond.
This approach includes:
- Unique Passwords
- Multi Factor Authentication
- Preventive Layer of Defense
- Education
Passwords
The easiest place to build defense around your pond is to have a policy and technology in place to ensure people have a strong, unique password. The length, quality, and uniqueness of a password are elements to consider when protecting your pond.
The length of a password is simple, the longer the better. Twelve characters or more goes a long way in preventing the bad people from using computers to harvest a password.
Password quality is a password which must contain upper and lower-case letters, at least one number, and a special character.
Today, Bill Burr, the author of a 2003 official guidance to password security by the National Institute of Stands and Technology (NIST), insists that the use of complicated and forgettable passwords is a flawed policy.
In June 2017, NIST released an update version of SP800-63b and it explicitly states the complexity of the password must be easily memorized by the subscriber. In the summary of Appendix “A” of SP800-63b, it states:
“Length and complexity requirements beyond those recommended here, significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive.”
Bill Burr recommends a good password should be a combination of four words that do not relate to each other, example… bizzzzarePoodle747giant. This password is a combination of words and numbers which are only relevant to user and are easy to memorize.
Uniqueness of a password for a system is critical. Many people use the same password for each and every website. This is a definite “No, No”. If history repeats itself, a quick question to ask yourself is “How many breaches have relinquished their subscribers email and passwords? The answer is, “A LOT”. Remember Yahoo! and just recently, a Spambot leak of over 700m passwords from breaches collected by spammers which was released to the public. Once an email address is associated with a password, the scammers will use the harvested combination on corporate email systems like Google G-Suite and Microsoft Office 365.
Important! The lesson here is to remind all your Agents and Staff to have a unique password that is only used for your brokerage’s system. Do not use the combination on any other web site.
Multi-Factor Authentication
Single-factor authentication is when a subscriber enters their email address and a password. Multi-factor authentication requires not only the subscriber to enter their email address and a password, but also requires the subscriber to enter additional information before they can access their account.
Google G-Suite and Microsoft Office 365 both use a variation of multi-factor authentication by forcing a subscriber to perform a 2-step verification. Subscribers must enter their email address and password, then the system sends a text message with a pin code back to the subscriber. The subscriber in then required to enter the pin code to access their account.
Why is this effective? If the bad guys have harvested an email address and password, once they try to use it to gain access to the system, the subscriber will receive an unintended text message. An immediate warning sign that the subscriber must change their password and inform the IT department.
While planning and implementation of 2-step verification is complex and tedious, it provides another layer of defense against unauthorized access into your pond.
Preventative Layer of Defense to Phishing Attacks
According to IBM’s X-Force researchers, the number of phishing emails sent to your company’s platform has increased over 250% in 2016. This increase is because financial institutions, real estate, and title companies have become easy targets to harvest passwords to email accounts.
Since a majority of the phishing scams come from outside your email system, why not prevent them from being cast into your pond? There are several solutions which not only block phishing email attacks from entering your pond, they can also test who in your organization is susceptible to taking the hook.
These systems are effective in reducing the number of phishing emails, but they do not provide 100% protection from a phishing attack on your pond. Especially, if the phishing happens from a compromised account within your organization. We have worked with our broker clients to put these programs in place and they are very effective.
Education
Training, training, and more training!!! Information is the most effective method to prevent successful phishing excursions in your pond.
Components of a great educational program are to increase awareness and understanding of Phishing attacks, review online safety and prevention through identification of phishing attacks, and IDENTIFY what to do when the bait and hook was too tempting.
Each new phishing scam that enters into your environment, sends out an email from a special Scam/Span Notification email address. The notification must point out the quick identifiers within the scam email to make it easily recognizable by everyone. Yes, it is time consuming, but over time it has a greater return because awareness and recognition will prevent someone from taking the bait.
Test who in your organization is susceptible to taking the hook, line and sinker. What happens when someone does take the bait? Outline the exact steps someone needs to take when they have fallen prey to a phishing scam. Unfortunately, it is going to happen, so let them know it is more important to contact IT. Once IT knows, they are able to provide direction on the next steps and secure the environment to minimize further exposure.
Just remember, knowledge is power, and the more knowledge given to your team, the more powerful they become against phishing attacks.
Summary
An observation we have seen is consistency in monitoring phishing attempts and educating agents and staff in how to identify scams. Anyone can become an expert in detecting phishing scams.
Multi-factor authentication is a barrier to usage of email and systems. It has become the standard to access most financial institutions, major online retails, and online systems. Amazon, and many others, gives its customers the ability to enable 2-step verification.
Layers of defense surrounding “the pond” is the only method to protect your organization from serious breaches of corporate information. These and other layers of defense can be successfully implemented to prevent unauthorized access to your systems.
If you need assistance to develop a personalized email security strategy or to implement a strategy to protect your brokerage, contact us. We provide full service technology solutions and education to fit your brokerage.