Did you know that October is National Cyber Security Awareness Month (NCSAM), both in the United States and Europe? NCSAM is a public awareness campaign that inspires businesses and individuals to take proactive measures to protect themselves from cyber threats. In celebration of the month, we will be posting a series of blogs that provide you with helpful tips and information to assist you in keeping your organization safeguarded from today’s cyber threats. Check back often for more installments!
Brian Kernighan once said, “If you don’t understand viruses, phishing, and similar cyber threats, you become more susceptible to them.” With cyber scams constantly increasing in sophistication, this statement is especially true today.
So, what exactly is phishing?
In a phishing attack, a hacker creates an email that appears to be legitimate and sends it to one or more individuals or employees. Their goal – trick users into clicking on a malicious link or attachment, or divulging login credentials through deceptive websites, allowing the thief to easily bypass defenses and giving them access the network or important business and financial assets.
Unfortunately, hackers are getting better at deceiving users. According to Verizon’s 2016 Data Breach Investigations Report, 30% of phishing emails were opened and of that 12% of users clicked on the malicious attachment or link, enabling the attack to succeed. Translation – we are still being scammed. Making matters worse, as attackers become more adept at deceiving users, separating legitimate content from the scams is getting harder. Not convinced phishing is a real threat yet? According to the SANS 2016 Threat Landscape survey, 68% of organizations saw a rise in phishing attacks just in the past 12 months.
Security solution vendors and IT departments are hard at work to prevent these types of attacks from ever reaching users, but some will inevitably get through. To best protect yourself and your organization, you must learn to recognize the signs of phishing.
The best strategy to survive a phishing scam is to stay away from the hook in the first place. But how do you do that? Below are a few simple tips that can help you avoid taking the phishing bait.
Look at the Sender
Because most phishermen are not people you know, it is important to take a close look at who sent you the email. Before opening any email, you should check to see that you know the individual sender. It should be someone with whom you communicate regularly. An email out of the blue from someone you haven’t heard from in 15 years on an unrecognizable topic is cause for caution.
Now, take a closer look at the sender’s email address. Do you notice anything strange? Perhaps a zero “0” was substituted for the letter “O”, or there is a punctuation mark in the middle of the email address that shouldn’t be there, or the letters may be out of order, or have an extra letter somewhere in the address. It may look similar to a real email address, but not quite right. These warnings all indicate that the sender may not be the person you think it is, and should cause you to exercise vigilance.
Examine the Addressee List
Next, take a look at how many people received the email. Do you know those individuals? If not, it may be best to avoid opening the email. Be aware that a phishing scam may target a large number of people in your organization. If you receive an email with an unusually large number of your coworkers as recipients, and those individuals do not interact regularly or have an apparent connection, it should raise red flag.
Suspect the Subject
Work communications should be related to your job function, so be sure to scrutinize at the subject line. Check to be sure that the subject is one that you would anticipate receiving in the first place. Does it make sense that you are the person getting the email in question? Is the email a reply to an email that you didn’t even send? If so, don’t open it. It is likely malware, or spam at the very least. Also, take a look to see if the subject matches the contents of the message. Misalignment is grounds for suspicion.
Scrutinize the Timing
What time of day was the email sent? Was it at a time that you would expect someone to be sending you a business email? While many of us work with counterparts all over the globe, it is still possible to detect emails that are sent outside of the norm, and avoid opening them.
Avoid Strange Attachments and Hyperlinks
We’ve all been told, what seems like a million times over, that we shouldn’t open strange attachments in emails or click links in emails from people we don’t know. And yet, we still do it. You can reduce the likelihood that you are opening or clicking malicious content by examining a few things. First – did you expect an attachment, and is it a common file type that you would expect to receive as part of your job? If not, don’t open it! Does the file have a weird name, or are there unusual symbols in the filename? If so, that is another sign to leave the file unopened and the link unclicked.
Beware of Unsettling Content
An email containing unsettling, startling, or urgent content that requires immediate action on your part is often signs of a phishing attack. We have all seen the phishing emails claiming that your bank account was hacked and you need to login right away. Don’t fall for it. If you think it may be true, rather than clicking a link in the email, call your bank, or log into your account from their website. Whatever you do, do not use links, web addresses, or phone numbers within the email. Those may be illegitimate. Be wary and extremely cautious of these types of emails, as they may be phishing scams.
While you can’t stop every phishing attack, you can certainly improve your odds by taking the time to examine an email before taking action. When in doubt, it is a best practice to NOT open the email, click the link, or download or open the attachment. If you see something strange, call your IT department. You are better off contacting them and having it turn out to be nothing, than risk infecting your computer or corporate network with malware. By following a few simple tips, you can better protect yourself and your business from getting hooked by a phishing scam.