By now, almost everyone has heard of “phishing,” the act of defrauding an online account holder by posing as a legitimate company or person. Simply put, it’s when bad guys pretend to be someone or something they’re not to steal from you or your company.
They’ll use “spoofed” email addresses, websites and attachments to convince you to give them personal information, financial details, account passwords and even wire transfers. These criminals use advanced tactics and social engineering to learn about you and your company so they can present tailored information you wouldn’t think to double check.
“Spear phishing” is even more egregious, appearing to originate from within your company or your domain and targeting a specific person or company.
Examples can include what appear to be:
- your IT guy asking you to login to a system or website,
- your boss asking you to “open the attached document,” or
- your CEO asking you to initiate a wire transfer to one of your vendors.
Because it’s so effective, phishing and spear phishing attacks continue to rise exponentially.
Part of the problem lies with us. Because we know what phishing is, we think we’re not susceptible — it only happens to other people, to dupes who aren’t paying attention.
But when we think it can’t happen to us, we let our guard down — and then we become most susceptible. Just ask the now-infamous Mattel executive who wired $3 million to a scammer.
“Email is such a common and trusted form of business communication that employees are extremely susceptible to spear phishing,” noted a recent report from Cloudmark, a Rackspace Email Partner and leader in the anti-spam industry. That report found fully 94 percent of companies surveyed acknowledged that their employees have fallen for a contrived phishing attack.
So — still think this can’t happen to you?
What can you do?
This is scary stuff, but you can fight back. If you (and your colleagues or employees) look for the signs of phishing and practice basic email hygiene, staying safe is actually pretty easy. The best way to combat phishing is just exercising common sense.
Here are a few tips to keep you on your toes.
Do not share personal information! EVER!
This really cannot be emphasized enough. Never respond to an email with personal information, financial information or passwords. Ever. Think about the risk-to-reward ratio. Is the upside of quickly sending this info worth the risk? Remember — NO reputable company will EVER ask for these details in an email.
Visit websites directly from browsers and bookmarks – not email.
Whenever possible, avoid clicking a link in an email to login to an account. It’s easy to misrepresent where that link may be taking you. A link might say “PayPal.com,” but it’s really pointing at “PeyPals.com.”
A quick way to double check a link’s actual destination is to hover your mouse over it. In most cases, your browser or email application will show you the true path.
If you’re logging in to your bank or other website, access the site directly instead of clicking a link in an email. Be especially suspicious of emails asking you to click a link to confirm your account information.
Double-check attachments before you click or download them.
Be careful with attachments. Word documents and Excel spreadsheets may contain macros or viruses that compromise your computer. These files can automatically download malware or direct you to malicious websites. If an email or attachment looks even the least bit suspicious (misspellings? See below), confirm its origin with the sender. Call, text or message them before you click.
Also, it is critical to have anti-virus software installed and up-to-date on your computer.
Whach for missspellngs and urginsee.
Although it’s not a hard and fast rule, poor grammar can often be a tell-tale sign of phishing. Look for unusual use of words, misspelling or even strange greetings (Hello Madam!). Also, be suspicious of an email that evokes a sense of urgency and asks you to do something right away.
When it comes to wire transfers, be extra vigilant.
The vast majority of people do not wire money as part of their day-to-day duties. So if you’re asked for a wire transfer, that should immediately raise a red flag. Double-check the request, OUTSIDE OF EMAIL, before you do anything. If you’re in the business of transferring money, never rely on email as a secure communication channel for these requests. Always confirm through alternative means.
When in doubt… DO NOTHING!
Being unsure and still clicking around suspicious emails can be disastrous. Take the time to be vigilant; confirming an email’s origin and intent can save you, and your company, a ton of grief (and maybe even money). If you have even an iota of doubt – DON’T CLICK ANYTHING. Delete the email, and pick up the phone.
Maybe more than ever before, the old adage holds true: when it comes to email and phishing it is truly better to be safe than sorry.
Wednesday, April 4, 2018