Non-Technical Person’s View to Protect Against Phishing Emails

Before joining ECS + My IT a year ago, I worked in the art museum world for 17 years with a rather blasé attitude towards cybersecurity. Of course, the Museum had a Network Security Administrator in the IT Department, but no one outside of that department really understood that role. For most of us, when we thought of security, we thought about the protection of the art itself, not the cyber risk. After a year working with IT professionals who are hyper-aware of cyber threats, my eyes are wide open to “phishing” emails specifically.

First, I had no clue what “phishing” was. If you’re in that same boat thinking someone misspelled “fishing”, here is a rookie explanation: Phishing is tactic where cybercriminals try to fool people to obtain company or personal information and they generally use email as their vehicle of choice (but you can also get “phished” via text messages, voicemails, phone calls, etc.). These emails seem legitimate because they appear to come from your boss, a brand you recognize, and even from your mom, and they have a malicious link, an attachment that contains malware, or ask you to do something such as purchase gift cards or change the routing number on an ACH payment. Malware can cause identity theft, drain you financially, unintentionally share private data, and wreak havoc on your company’s network [and reputation].

Since I’m talking about my first year at a top-notch IT company, I’ll focus on what it means for a business to get hacked or in other words, what are the detriments caused by a successful phishing attempt — let me count the ways. All it takes is one person clicking on a link or opening an attachment to allow a cybercriminal into a company’s network. The hacker then encrypts your company’s data and all you get is a ransom note requiring payment via nearly untrackable cryptocurrency to release the company’s data. David Bennet, CEO of Axcient (a well-known cybersecurity company) says “Dealing with ransomware attacks is increasingly important given that worldwide there is a successful attack about every 12 seconds.” As an example, in 2019 the state of Louisiana spent $2.3M on ransoms that locked up data at multiple school districts. That blows my mind!

At My IT, we have a cybersecurity awareness service that educates clients on how to identify phishing emails and how to prevent attacks like these from happening. It also monitors users by sending faux phishing emails to test them. When the user becomes a “multi-clicker” (a person who clicks on phishing links more than once over a short period of time), they are instructed to take a more in-depth (ergo longer) refresher course on cybersecurity.

So how does someone who is NOT an IT professional or cybersecurity expert spot a phishing email, you might ask. Here are some semi-novice tips:

1. Before opening an email – even one from a name you know well, check the spelling of the name and the actual email address. For example, Kristi.Marchamd@myit.co.uk is not a valid email address – my surname is misspelled and whilst I have worked in the UK, that is not where My IT is located. Pay careful attention to these kinds of details.
2. If an email that you did not initiate is requesting personal information such as bank account details, date of birth, social security number, etc. call, text, or talk with the sender directly to verify the authenticity of the email. Like a lot of Gen Xers, I tend to be brand loyal, so when I got a random email from J. Crew a few months ago offering a FREE gift card, I was a little excited…until I read that all I had to do was fill out some very personal details about myself. Red flag! Thanks to my training here, I deleted the email. Goodbye perfect spring, free dress.
3. So, you’ve checked the email address and it seems legit, but it has a link. Before you click on the link, hover over it with your cursor. If it does not seem to match the company or subject, or if you’re not quite sure, do NOT click on it. Again, call the sender for authentication or delete the email completely.
4. With work emails, it is best practice to alert your IT department about these suspicious emails. Just today I received an email from a copier machine with an attachment, but no recognizable (to me) sender details. I forwarded it to my patient boss who knew what it was and gave instructions and approval to open the document. While it may not have been anything, it was a good idea to be cautious and keep your company apprised. Better safe than lots of money sorry!

To bring this full circle, how could phishing affect an art museum? There are databases of information of the entire museum collection – by date and value of every object. Additionally, there are databases of all members, donors, and corporate funders. This information under ransom is massively detrimental to an organization that is non-federally funded. Also, many donors would hesitate to donate to an organization that did not do its best to protect their personal information.