Every year this digital era produces more data, and with it a growing number of criminals whose goal is to steal that data, whether or not it is of any use to them, and sell it to whoever will pay for it.
Email has become the primary transaction medium for most B2C and B2B companies, so the threats to email security grow with it. Knowledge is the best protection here: learn to recognise the number one threat to email security, phishing, especially because victims usually do not realise they have been phished until it is too late.
Attackers use phishing to trick people into handing over protected information such as social security numbers, passwords and bank credentials. Because that is exactly the information identity theft requires, phishing emails are one of the main channels through which it is committed. The most dangerous part is that the emails look legitimate, so victims fall for them and do not know what happened until the deed is done.
General phishing – a mass blast sent to many recipients at once. It imitates a standard, official-looking notice so that the recipient assumes it is legitimate, clicks the link and enters the requested information.
Spear phishing – as the name suggests, this is targeted at a specific person or group, such as HR, the finance department or the management team. What makes it convincing is that the email appears to come from someone the recipient trusts, typically a high-profile individual such as the CEO asking the finance team for bank credentials, which makes handing over the information feel acceptable.
It may seem that, since no money changes hands directly, phishing is less profitable than, say, ransomware (where data is withheld until a sum is paid), but the stolen information itself is the value. Social security numbers, passwords and bank credentials can be sold on, and the resulting identity theft, including lines of credit opened in the victim's name, often causes more damage than the original theft.
Identifying phishing attacks
It can be hard to recognise a phishing email, because it usually appears to come from a trusted source, but there are still signs that give it away once you know what to look for.
Be wary of any email asking for personal information you did not request to have updated. A typical example claims your password has expired and tells you to click a link to update it; the link leads to a spoofed website.
Phishing emails often contain grammar errors, and they can be subtle: a misspelled word here, a random capitalisation there. Because we read words as a whole rather than letter by letter, they are easy to miss at first glance, particularly when the rest of the email closely resembles something from a trusted source.
Many phishing emails include the appropriate logos and banners to look convincing, but the colours are often a shade or two off. Because the difference is subtle, victims believe they are corresponding with their bank, credit card company or even the government.
The link text
The hyperlinked word or phrase appears to lead to a 'trusted' website, but the text that is displayed and the address behind it are independent, so it is trivial to point the link somewhere completely different. Hover over the link before clicking to see where it would actually take you.
The forward slash
Everything between the scheme (https://) and the first single forward slash is the host your browser will actually connect to, and attackers exploit the fact that most readers only scan the beginning of it. They add a period or a dash after the familiar name so that it becomes a subdomain or prefix of a domain they control (for example, examplebank.com.account-verify.example.net), which tricks recipients into believing the link is legitimate. They may also register a domain with a subtle misspelling that is hard to spot, so the link goes to a different domain entirely.
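The hover check and the forward-slash rule above can be automated. The following is an added example written for this article, not code from the original post or from any product: it extracts each link from an HTML email body, isolates the host between the scheme and the first single slash, and flags the tricks described above (link text naming one site while the address leads to another, a trusted name buried inside a foreign host, a one-character lookalike domain, and a decoy name placed before an @). TRUSTED_DOMAINS, the sample email and the last-two-labels registrable-domain heuristic are assumptions made for the example.

```python
"""Programmatic version of 'hover before you click': pull every link out of an
HTML email and compare the host the text claims with the host the URL really
points to. Constructed example for this article; TRUSTED_DOMAINS, the sample
email and the registrable-domain heuristic are all assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organisation legitimately receives mail about.
TRUSTED_DOMAINS = {"examplebank.com"}

# Displayed text that itself looks like a URL or a bare host name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def host_of(url: str) -> str:
    """The host: everything between the scheme and the first single '/'.
    Browsers treat anything before an '@' as userinfo, not the host, so drop
    it, and drop any port as well."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    host = netloc.rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes
    (co.uk etc.); a real tool would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(text: str, href: str) -> list[str]:
    """Return human-readable findings for one link; an empty list means nothing odd."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parsed.scheme!r}")
    if "@" in parsed.netloc:
        findings.append("userinfo before '@' hides the real host")
    host = host_of(href)
    target = registrable_domain(host)
    shown = text.strip()
    if URL_LIKE.fullmatch(shown):          # text claims to be an address itself
        claimed = registrable_domain(host_of(shown))
        if claimed != target:
            findings.append(f"text shows {claimed} but link goes to {target}")
    for trusted in TRUSTED_DOMAINS:
        if target == trusted:
            continue
        if trusted in host or trusted.replace(".", "-") in host:
            findings.append(f"{trusted} appears inside foreign host {host}")
        elif edit_distance(target, trusted) <= 1:
            findings.append(f"{target} is a lookalike of {trusted}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def inspect_email(html: str) -> list[tuple[str, str, list[str]]]:
    collector = LinkCollector()
    collector.feed(html)
    return [(t, h, inspect_link(t, h)) for t, h in collector.links]


# Constructed sample body: three tricks from the article plus one genuine link.
SAMPLE_EMAIL = """<p>Your password has expired. Please update it:</p>
<a href="https://examplebank.com.account-verify.example.net/reset">https://www.examplebank.com/reset</a>
<a href="https://examp1ebank.com/login">Log in</a>
<a href="https://examplebank.com@login-portal.example/">examplebank.com</a>
<a href="https://www.examplebank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for text, href, findings in inspect_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {findings or 'looks consistent'}")
```

Run as a script, it prints the findings for each link in the constructed sample: the three phishing links are flagged and the genuine help-centre link is not. The two-label heuristic for the registrable domain is deliberately simple; for real mail, replace registrable_domain with a Public Suffix List lookup so that hosts under suffixes such as co.uk are handled correctly.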
Best practices to avoid falling prey to phishing attacks
Your IT department or IT provider will have put firewalls and mail filters in place to keep malicious emails out of your inbox, but because attackers adapt constantly, one or two will still get through. Knowing what to look for, together with the practices below, is your best defence against falling prey to them.
Be updated with phishing training
Educated users are hard to trick, so make sure every employee takes phishing awareness training at least annually, preferably semi-annually.
Be cautious about suspicious emails
Since many of these scams appear to come from people you trust, check with the sender first, especially if you were not expecting the email, before clicking anything. Phone them to confirm, or, if the email claims to be from your bank or another organisation, open a new browser window and type the organisation's address yourself rather than following the link. That guarantees you reach the correct domain rather than a spoofed one.
The devil is in the details
You now know that deliberate misspellings, grammatical errors and extra dots and dashes in links are how scammers get your information, and that skipping the details can land you in trouble immediately. Checking every detail is tedious, but it is a small price compared with the risk of identity theft. Take the time to verify the authenticity of the emails you receive.
Compartmentalize information within your organization
Not every employee needs access to all company information. If someone does not need particular information to do their job, do not grant access to it. Running the business on a least-privilege basis means that a single phished account exposes far less confidential information.
As noted above, an educated user is harder to trick, so knowledge of phishing scams and of the practices that avoid them is your best protection. Keep these points in mind and make a habit of being wary of whatever lands in your inbox.
We can check the integrity of your network infrastructure, confirm that it is capable of blocking phishing emails before they reach your users, and recommend how to strengthen your network and simplify your IT.