Warning: very mild Mr. Robot spoilers ahead.
One of the most important lessons in Mr. Robot, the dystopian alt-present hacker show by Sam Esmail, is that the best hackers aren’t necessarily running password-cracking algorithms against you. In the IT world, it’s much easier to defend than it is to attack, and strong encryption is practically impossible to break unless you’ve got a quantum computer.
Humans, on the other hand, are a huge security vulnerability. In the show, the main characters consistently use social engineering as their preferred method of attack. Phishing scams are the flagship of social engineering. Why hack your accounts when you’ll just give me your password?
Here’s how phishing scams generally work – you’ll get an email from a source that you think is reputable. It might seem to be from a company or organization you trust, like Canada Post, the CRA, or PayPal. It might seem to be from an individual you trust, like a higher-up in your business (if you’re the highest-ranking person, these emails might seem to come from your peers, or from employees who report to you).
These emails will generally contain a link requesting login information, though sometimes they’ll ask for a reply containing sensitive information. You and all of your employees should always check:
The email address the message was sent from
The URL of any links attached to the email
The contents of the email itself (for typos, inaccurate personal information, etc.)
Attachments (don’t open them)
Be very wary of opening any attachments contained within emails, even if they look legitimate – these attachments could contain ransomware or other malicious code.
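The four checks above can be automated for a first pass before a human looks at the message. The script below is an added example written for this article, not a tool from Compass Accounting or any of the providers mentioned; it uses only the Python standard library and runs against two constructed sample emails (the domain names, addresses and the brand-to-domain table are invented placeholders, not real Canada Post infrastructure). It flags a display name that invokes a trusted brand while the real sending domain is something else, a Reply-To that redirects replies elsewhere, link text that shows one host while the underlying href points at another, and attachments with executable or macro-capable extensions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious message: the display name claims to be Canada Post, but the
# sending domain, the Reply-To address and the link target all point elsewhere.
SUSPICIOUS_EMAIL = """\
From: "Canada Post Delivery" <notice@canadapost-parcel-update.example>
Reply-To: collect@mailbox-example.test
To: owner@example.com
Subject: Your parcel is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel could not be delivered. Confirm your address within 24 hours:</p>
<a href="http://login-verify.example/cp">https://www.canadapost-postescanada.ca/track</a>
</body></html>
"""

# Constructed legitimate-looking message for contrast: sender domain and link agree.
CLEAN_EMAIL = """\
From: "Canada Post" <noreply@canadapost-postescanada.ca>
To: owner@example.com
Subject: Delivery update
Content-Type: text/html; charset="utf-8"

<html><body><p>Track your parcel:</p>
<a href="https://www.canadapost-postescanada.ca/track">www.canadapost-postescanada.ca/track</a>
</body></html>
"""

# Assumed table: brand keyword seen in a display name -> domains that brand really sends from.
BRAND_DOMAINS = {
    "canada post": {"canadapost-postescanada.ca"},
    "paypal": {"paypal.com"},
}
RISKY_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".iso", ".zip"}
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Hostname of a URL; bare 'host/path' link text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def domain_matches(domain, trusted):
    """True if domain is trusted itself or a subdomain of it (not merely ends with the string)."""
    return domain == trusted or domain.endswith("." + trusted)


def phishing_indicators(raw_message):
    """Return a list of warning strings for a raw RFC 822 message; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rpartition("@")[2].lower()

    # Check 1: display name invokes a trusted brand, but the real domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not any(domain_matches(sender_domain, d) for d in domains):
            findings.append(f"sender domain '{sender_domain}' does not belong to claimed brand '{brand}'")

    # Check 2: replies are routed to an address other than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != sender_addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{sender_addr}'")

    # Check 3: link text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URL_LIKE.fullmatch(text) and hostname(text) != hostname(href):
                findings.append(f"link text '{text}' actually points to '{hostname(href)}'")

    # Check 4: attachments with executable or macro-capable extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_ATTACHMENT_EXTENSIONS):
            findings.append(f"risky attachment '{name}'")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(raw) or "no indicators")
```

Run against the constructed suspicious message this reports three findings (brand mismatch, Reply-To mismatch, and the link text pointing at a different host) and nothing for the clean message. A script like this only catches the crude cases; a message that passes every check still deserves the same scrutiny, which is why the human checklist above comes first.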
There are a number of ways to defend yourself against phishing attacks. The most important of these is to keep yourself and your employees informed of the nature of phishing attacks. They’re designed to look legitimate, so it’s important to scrutinize emails, even if you’re sure they came from a trusted source.
You’ll also want to enable multi-factor authentication (MFA). Phishing attacks often target login information so that criminals can try to access your bank account and other sensitive information. MFA decreases the effectiveness of this phishing tactic by requiring more than just a password to access your account – a biometric such as a fingerprint, or a code from a device you carry, is required as well.
Most phishing attacks occur online – this isn’t, however, the only place they can occur. Phone phishing attacks are less common, but they can and do happen. If you’re not sure whether or not a call is legitimate, don’t give the caller any information – instead, hang up and call the person or business they claim to represent, after looking up their contact information yourself.
At Compass Accounting, we offer secure accounting services in Winnipeg. We encourage many of our clients to move to cloud accounting – should you opt to do so (it really is the future of accounting), we highly recommend using MFA. The service providers we recommend all offer MFA – it’s absolutely essential for any business that wants to decrease the risk of being hacked.