An email phishing scheme we’re seeing more of lately is one in which the criminals register your company’s domain name, but with a “.co” extension instead of the “.com” you probably already own. They then send emails from that look-alike domain using the name of someone in the company’s leadership, which, if nobody is watching closely, can appear legitimate.
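One way to catch this on the receiving side is to compare every inbound sender address against your own domain and flag the near misses. The script below is an added example, not code from the original post; it assumes “example.com” as the company domain, a constructed list of leadership display names, and a handful of constructed From: headers. It flags the “.co instead of .com” case described above, the “leadership name on an outside address” case, and, going one step beyond the post, domain names that are one typo away from yours.

```python
"""Flag inbound From: headers that look like the company's domain but are not.

Added example (not the original post's code). COMPANY_DOMAIN, LEADERSHIP_NAMES
and SAMPLE_HEADERS are assumed/constructed values; replace them with your own.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed company domain
LEADERSHIP_NAMES = {"pat smith", "alex jones"}     # constructed leadership display names


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats (e.g. examp1e)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_name_and_tld(domain):
    """Naive split into (second-level label, top-level label).

    Deliberately simple: no public-suffix handling, so 'example.co.uk' is
    treated as name 'co', TLD 'uk'. Good enough for a single-label company domain.
    """
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def sender_risk(from_header, company_domain=COMPANY_DOMAIN, leadership=LEADERSHIP_NAMES):
    """Return a list of reasons this From: header looks like a look-alike phish.

    An empty list means nothing was flagged. Mail that genuinely comes from
    company_domain is assumed to be authenticated by SPF/DKIM/DMARC elsewhere.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]

    domain = addr.rsplit("@", 1)[1].lower()
    if domain == company_domain.lower():
        return []

    reasons = []
    company_name, company_tld = registered_name_and_tld(company_domain)
    name, tld = registered_name_and_tld(domain)

    if name == company_name and tld != company_tld:
        # The case from the post: same name, different extension (.co for .com).
        reasons.append(f"same name as {company_domain} but '.{tld}' instead of '.{company_tld}'")
    elif name and edit_distance(name, company_name) == 1:
        # Generalisation: one typo away from the real name.
        reasons.append(f"domain name '{name}' is one edit away from '{company_name}'")

    if display.strip().lower() in leadership:
        # Known leadership name, but the address is not on the company domain.
        reasons.append(f"display name '{display}' matches a leadership name but sends from {domain}")

    return reasons


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Pat Smith <pat.smith@example.com>",   # genuine
    "Pat Smith <pat.smith@example.co>",    # the .co look-alike from the post
    "Accounts <billing@examp1e.com>",      # one-character typosquat
    "Newsletter <news@vendor.net>",        # unrelated external sender
]


def scan(headers=SAMPLE_HEADERS):
    """Map each header to its list of reasons (empty list = not flagged)."""
    return {h: sender_risk(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in scan().items():
        print(("FLAG " if reasons else "ok   ") + header)
        for reason in reasons:
            print("      - " + reason)
```

In a mail gateway or SIEM rule you would feed `sender_risk()` the parsed From: header of each inbound message and route anything with a non-empty reason list to quarantine or to a banner warning the recipient; the display-name check is what catches the “known leadership username” trick even when the domain itself is not an obvious variant of yours.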
This is one of those cases where diligence on the part of every computer user on your network is required. Some steps you can take include:
- Do security training with every new employee, and repeat it periodically to keep it “top of mind” for all staff.
- If an email sounds odd, or makes a request that person doesn’t normally make, err on the side of skepticism and call the person to confirm that he or she actually sent it.
- Don’t ever send sensitive information via regular email.
Lastly, you may want to encourage full disclosure and “whistleblowing.” If staff members do respond to one of these attempts, or click on an email attachment they later realize wasn’t legit, they may be hesitant to report it out of embarrassment or fear of reprisal (such as it showing up on their performance review).
It’s very important that these incidents are reported to your IT security group. The more you can do to encourage people to be open about them, the better protected your organization’s data will be.