Aug. 31, 2016

NBAA members know how to ensure the safety of their aircraft, but what about their email? NBAA members have recently been subject to sophisticated attacks delivered via email that compromise personal information in a tactic called “phishing.”

In phishing scams, someone poses as a legitimate person or business in order to obtain information such as login credentials or banking information, or to otherwise compromise your computer. A phishing target may receive an email message that appears to have been sent by a known associate or well-known organization like NBAA. Links or attachments in the message may appear harmless, but when they are clicked on or opened, they may trick the recipient into providing personal or financial information, or infect their computer with a virus.

To make their messages appear more credible, attackers will often use brand elements like logos or email signatures within their messages. Attackers may even utilize a tactic called “spoofing,” which causes messages to appear to have been sent from a known email address.

Email phishing is on the rise. According to the global regulatory group Anti-Phishing Working Group, reports of phishing increased more than 130 percent in the first quarter of 2016. Attackers have spoofed email addresses within NBAA's own organization, and emails that appear to be sent from NBAA are requesting information such as payment of membership dues or invoices.

“Cyber attacks are becoming increasingly common and sophisticated,” said Todd Wormington, NBAA’s director of information technology. “It takes diligence and awareness to prevent private information from being compromised.”

Wormington said NBAA takes a multi-pronged approach to guard against phishing. The association uses traditional security solutions, such as email filters and antivirus software, but those are often not enough to prevent malicious emails from getting through to recipients. Next-generation endpoint protection technology, which can detect and stop an attack in real time, is used to help meet the challenge.

“Attackers are getting smarter and changing their tactics and software at a rapid pace,” said Wormington. “That’s why in addition to technology-based solutions, we implement a human-based solution, too.”

This involves IT security awareness training for staff, which includes providing guidance on how to spot and report phishing messages.

Here are some steps to take to thwart phishing attacks:

  • Be wary of messages that ask for sensitive information, or ask you to provide information urgently.
  • Hover your cursor over links before you click to see where they lead. If the link will take you to an unfamiliar website, do not click on it.
  • Confirm an email is legitimate before opening any attachments.
  • Never enable macros in documents that are received via email.
  • Use two-factor authentication for sensitive accounts.
  • If you believe you have been compromised, alert your IT department immediately. You may need to change your passwords, or turn off your computer until you can get assistance.