What should you do if your business falls for a phishing scam?

November 17th, 2020

Phishing scams are becoming more difficult to spot. In the past, an unsolicited email littered with typos and grammatical errors was automatically flagged as phishing. But cybercriminals have upped their game and have made it more difficult for individuals and businesses alike to spot phishing scams.

This could be one of the reasons why many people still fall for phishing scams. According to the Verizon 2020 Data Breach Investigations Report, 25% of data breaches in 2020 involved phishing scams. That’s why businesses need to protect their sensitive data from theft and educate their staff on cybersecurity best practices.

In case your business falls victim to a phishing scam, here’s what you should do:

1. Disconnect and back up

Disconnect your computers immediately from the internet to prevent other devices connected to the company network from getting infected and to reduce the risk of data theft. If a computer is connected via an Ethernet cable, simply pull the plug. As for devices connected to the Wi-Fi network, turn off the router and disable internet access via mobile data.

Make sure all your files are backed up. If they are not, back up your sensitive or irreplaceable files on a removable storage device like a USB drive or an external hard disk immediately.

2. Scan for malware

If you don’t have an antivirus program installed on your devices, download one using an uninfected device, copy it to a removable drive, and install it on the potentially infected device.

Make sure to conduct a full system scan to ensure that PCs are thoroughly scanned for malware. Once the scan is complete, follow all necessary malware removal instructions and restart your PCs if necessary.

3. If you have cyber insurance, contact your insurance provider

If there is a chance that you will need to engage with your cyber insurance provider for the incident, contact them right away. In many cases, specific procedures must be followed in order for your insurance provider to accept your claim.

Your cyber insurance provider may also offer incident response, communication services with clients, etc. that could be helpful in dealing with a breach.

4. Alert the authorities and affected customers

If cybercriminals have accessed systems that hold sensitive data, immediately inform the authorities and notify customers whose data may have been accessed or stolen.

When communicating about the breach with your customers, make sure you:

  • Come up with a communication strategy that will allow you to clearly convey the impact of the data breach to your customers.
  • Send an email or letter explaining how the data breach occurred, the types of data stolen, what actions your company has taken, and what your customers need to do.
  • If useful, create an FAQ page on your website for customers.
  • Issue a press release explaining the breach, if warranted.

5. Update your passwords

Change the passwords for the compromised accounts and for every other account that uses the same compromised passwords.

Take this opportunity to roll out a password manager such as LastPass so that your employees can practice good password hygiene, with a unique password for each and every site they use.

6. Enable multi-factor authentication (MFA)

MFA uses more than one method to verify a user’s identity on top of a password, thereby increasing account safety. Other verification methods may include a one-time SMS code, smartphone prompt, fingerprint, facial scan, or physical key. A hacker who acquires a user’s login credentials won’t be able to log in without access to the other authentication factors.
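The two-factor check described above, as an added example that is not part of the original post: a password-plus-TOTP login (RFC 6238 one-time codes over HMAC-SHA1) against a constructed user record, showing that a phished password on its own is refused. The user name, salt and TOTP secret are constructed demo values.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo directory: one user with a salted password hash and a TOTP secret.
# In a real deployment the secret is provisioned to the user's authenticator app.
_SALT = b"demo-salt"
_TOTP_SECRET = b"0123456789abcdef0123"  # constructed 160-bit shared secret
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": _TOTP_SECRET,
    }
}

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second counter, HMAC-SHA1 + dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def login(user: str, password: str, otp: Optional[str], now: int) -> bool:
    """Both factors must verify: a correct password with no valid code is rejected."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]) or otp is None:
        return False
    # Accept the current window and one on either side to tolerate small clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(record["totp_secret"], now + drift * 30), otp):
            return True
    return False
```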

7. Provide security training

Your employees are the weakest link in your cybersecurity, so train them to spot phishing scams.

Simulated phishing attacks are an ideal way to test your employees’ cybersecurity knowledge. This can be done by sending out fake phishing emails to everyone in the organization. Those who fall for the bait should be required to undergo further security training exercises.

Protect your business from phishing attacks by partnering with Fidelis. Our managed IT services will defend your IT infrastructure from threats 24/7/365. We will also educate your employees about cybersecurity best practices through our informative training sessions. To learn more about how we can secure your business, download our FREE eBook today.
