Information, Technology and Security Update

Introduction to phishing

This document has been created for the EmpowerPharm winter newsletter and does not represent a complete strategy to prevent or eliminate the phishing threats we face currently or may face in the future. The purpose of this newsletter article is simply to raise awareness and to offer basic anti-phishing techniques.

A more detailed approach to avoiding phishing problems will follow in the course of the cybersecurity project. We will also address the many known types of phishing identified to date (for example, spoofing, spear phishing, harpooning).

The article also informs the readers of an ongoing full-scale cybersecurity project being undertaken by the EmpowerPharm Information, Technology and Security department.

Phishing is an activity of cybercriminals and is designed to lure individuals or organizations to unintentionally furnish personal and company confidential information which would provide access to passwords, bank accounts, credit cards and other financial data or accounts. Email, telephone and text messaging are the most common channels of attack by cybercriminals. Cyber security organizations generally accept that phishing is undefeatable and appears to be a problem that will exist without a readily available end in sight.

Why phish:  Who benefits, who hurts

The complexity of phishing and other cybercrime activities indicates that significant sums of money are being spent to develop very advanced software and techniques. Phishing has been around since the introduction of computers in business or private applications, and it is generally accepted in the world of technology that there are no immediate solutions to end these criminal practices.

Phishing presents significant danger to companies. The perpetrators are now even going after cloud hosting entities. Storing our information on the cloud and utilizing hosted or SaaS (Software as a Service) strategies offer the safest low-risk and secure forms of information storage and computing today.

Criminal individuals and organizations have created a very lucrative existence for themselves and are able to stay out of the reach of the law while amassing vast sums of money for applying their skills in technology.

They also stay several steps ahead of the anti-malware, anti-phishing and anti-cybercrime legitimate entities which develop anti-cybercrime software and techniques. The fact that anti-cybercrime consultants and companies are thriving and constantly hiring is testimony that the problem continues to grow at an alarming rate.

Meanwhile, the cost of fighting these crimes is becoming a major burden to companies and individuals. The potential of not only losing money but to also exposing very sensitive and confidential information is increasing at an alarming rate.

There is really no alternative for companies than to hire costly, highly technical staff to fight these crimes. Additional costs include teaching about cybercrime and training in prevention techniques. The cost of hiring experts has increased significantly, especially since many universities have introduced Master-level degrees in cybersecurity.

The introduction of procedures and purchase of applications to “contain and control” have also become costly for organizations.

Cyber threats are real and are increasing in severity and number of instances .

What should you do if you recognize phishing

It is not always readily apparent that phishing attempts are being made against individuals or the company. You should be observant and careful with your personal email and systems, along with those of the company.

Signs that you should look for include but are not limited to:

  • Email with various incorrect spellings of your name.
  • Email requesting money or favours.
  • Email with multiple instances of incorrect spelling throughout the text.
  • Email requesting information about the company or about yourself.
  • Email with unusually flattering comments about you or the company.
  • Email with information which appears too good to be true.
  • The same applies to telephone calls (“vishing”) and SMS text messages (“swishing”).

Do not:

  • Use the same password for multiple accounts.
  • Share passwords with colleagues.
  • Write passwords where they can be detected. Try to memorize them.
  • Reply to email which appears unusual or seems out of character.
  • Open email attachments from people you do not recognize.
  • Click on or hover over unknown links.
  • Reply to notifications which advise that you have won the lottery or free vacations.

Do:

  • Create complex passwords. At least 8 characters long, combined alpha, numeric, symbols.
  • Change your passwords frequently.
  • Resist the urge to visit strange or unsavoury websites.
  • Try to avoid sending email back and forth between company and personal email accounts.
  • Try not to overshare personal information or other data on social media.
  • Exercise extreme care when opening email from a credit card company. This is typically easy prey for hackers and made to look authentic or professional.
  • Restrict the use of company systems to company business. Keep social media access to personal systems.
  • When in doubt, delete the suspect email.
  • Advise the IT department when you receive strange communication.
  • Limit your own fishing to the Credit River.

EPI’s strategy to address phishing

The company has recognized that the current anti-cybercrime project will be one of our most important and critical upcoming projects.

We are researching and will engage the services of a Cyber Security Consultant and/or firm to ensure that we undertake a focused and effective project.

This project officially began with a recent presentation of our strategy to the Board of Directors and will include a Disaster Recovery Plan. This plan will become a part of our overall BCP (Business Continuity Plan).

Norman Dash, Vice President of IT and Security