Steps professionals and businesses should know to avoid falling victim to phishing attacks


More often than not, phishing is likened to simple hacking. However, it is more than that. These attacks can be avoided when people know and understand what data should be protected.

“Data is like gold we need to protect, especially for professionals and businesses,” Jaypee Soliman, UnionBank VP/MSME Segment Head, mentioned as he talked about phishing at the ACPACI PH 37th Annual National Convention, Technical Session 5: Prevent Cyber-Attacks: What Accounting Professionals Need to Know.

Phishing is defined as “a fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” In reality, fraudsters are “pretending to be from huge companies, and that they need your personal information. Once you have given usernames or passwords, they have several ways to hack into your accounts.” 

For example, phishing can happen through compromised emails. Fraudsters can easily obtain your passwords, which let them go through your sensitive information or files. Usually, the same password is also used for mobile banking. Thus, when they pose as bank representatives and convince you to give up your OTP, they gain access to your online banking accounts.

Phishing has evolved greatly in this age of social media. It is no longer limited to emails, as it can be done through popular sites like Facebook, Instagram, or Twitter, typically through bogus promos or ads that you come across as you scroll your timeline. To protect yourself, you must scrutinize the details of the post, such as spelling, grammar, and even the links posted, as suspicious-looking details almost always lead to unscrupulous activities online.

Scammers also do phishing through SMS, or “smishing”, and voice calls, or “vishing”. In these, they try to attack your emotions, either scaring you or guilting you into giving up your sensitive financial details. They convince you to act urgently and disclose your card or banking details, pretending that someone is trying to make an unauthorized transaction using your card or bank account.

Smishing often happens with a fraudster sending a message with a clickable URL. When clicked, these links direct you to a website prompting you to enter your details, including sensitive ones. Once done, cybercriminals can now use these to access your accounts and steal money or more data. 

Soliman walked through the steps that professionals and businesses should know to avoid falling victim to these phishing attacks. 

First, understand the entry points or gateways where fraudsters can get in, such as email. Each and every access point is a potential entry point for threats.

Second, have an early detection system. Depending on the strategy of the company, it can be an internal communication system where threats are recognized. 

Third, have a response mechanism. This may vary depending on what industry the company belongs to. 

Fourth, have a solid communications system. This helps spread information about potential threats inside the company and also extends to the customers.

Lastly, have a recovery plan. This is your strategy on how to treat intrusions, how to block or even eliminate these threats.

Soliman also recommends the following:

1. Don’t share sensitive info with other people;
2. Think before you click;
3. Enable multifactor authentication;
4. Don’t use the same passwords across platforms and emails, especially for mobile banking;
5. Choose a reputable email provider;
6. Only shop on reputable sites;
7. Keep your devices and software updated.

In addition, to monitor if data has leaked out of your accounts:

1. Check if your e-mail is compromised through

a. See the sites or apps where your information is compromised
b. If there are any, the best thing to do is change your passwords
c. Or even delete or deactivate apps or software you no longer use

2. Check all your online accounts

a. Check your recent activity or log-in activity
b. If there are irregularities, respond right away by calling the platform to block the devices using your account