As a managed IT services provider (MSP), there are a myriad of security threats that you and your clients face today. One threat that constantly comes up is phishing scams. These scams can be fairly simple, yet very effective at duping the user and capturing their private information. Even the slightest clue to a username and/or password can give hackers all they need to break into private systems and steal information from companies and individuals—and for this reason, it’s crucial to be aware of phishing schemes, tactics and best practices for avoidance.
What is Phishing, and What Does It Look Like?
Phishing scams have been around for a while, but one of the reasons they still exist is that they’ve become more sophisticated over the years. Not all phishing scams involve a Nigerian prince needing to send you his inheritance. Phishing masterminds use advanced techniques to make them appear like legitimate businesses and/or brands you think are harmless.
Even the most tech-savvy individuals are fooled by phishing scams, causing them to give up personal information, passwords, credit card numbers and bank account numbers. People need to know what these scams look like and how to avoid them, and MSPs are usually the ones who must educate their clients on the subject.
From the Microsoft Safety and Security Center site this definition is offered:
“Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.
Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.”
Due to the increased awareness around phishing scams, cybercriminals are constantly shifting their approach to become more sophisticated—sometimes making the timing and emails themselves seem uncannily official.
Bank impersonations are common types of phishing emails, especially around tax season. Here's an example:
Tips to Protect Against Phishing
As an MSP, there are some simple tips that can be offered to your customers that may seem basic, but are essential to ensuring you have provided as much information to your clients as possible to help protect their business.
1. Be wary of suspicious emails and common phishing phrases
The simple fact is that legitimate businesses are not going to request sensitive information via email. Any email that asks for personal information should raise suspicion. Instruct customers to ignore any emails asking for anything related to account information, passwords or any other sensitive information, unless they are specifically expecting that email. If you do need to enter personal information via an email, make sure the link goes to a legitimate website that you recognize.
2. Always check website addresses
Most people don’t pay close attention to the site that they are clicking on when they click a link. But did they know that they can reveal the actual link that a “Click Here” button or text link an email is pointing to? When hovering over a link, the user can simply preview the site, and if it’s not going to the actual company site or a website that they recognize, then clicking on that link could invite numerous problems, including a potential phishing website or installing a piece of malware onto the users device.
3. Always know what links you are clicking on and where they lead
Along the same line as clicking on a website from an email, it is imperative to preview or check all links clicked on at all times. Everyone has experienced that feeling of “I shouldn’t have clicked on that one!” as their computer starts to show the effects of malware, spyware and more. Many browsers will give a preview of where the link leads before you click it—which is a feature that should always be used, especially if the website is questionable. If you don’t recognize the link you’ll be clicking to or are worried about the title, don’t click it.
4. Don’t input personal information unless you are absolutely sure of the website
Yes we are belaboring a point here. As a trusted MSP (which means a trusted business partner) you have an obligation to tell your customers everything you know, even if it seems obvious to you. Remember, you are the professional and the employee at your client’s company may not know what they’re doing. Reminding them to NEVER give personal information if there is even a shred of doubt is fundamental to you executing your call to protect your customer’s environments from trouble.
We realize that this kind of information may seem remedial to technology professionals like you, but you should never assume that your clients know these things. As their managed services provider, you need to be the one to educate them on information security, and one of the best ways to do that is to give them useful, practical tips that will reduce their risk of a security breach.
Bonus - Grab This: Accelerate your entry into managed security services with Continuum's eBook, Five Forces That Drive a Successful Managed Security Services Offering. You'll learn how to capitalize on the IT security opportunity, build a successful security offering and scale business amidst the evolving threat landscape. Get the eBook here.
Hunter Smith is CIO of Continuum, which offers managed security services to MSPs. Read more Continuum guest blogs here.
