Phishing continues to be the weapon of choice for cyber attackers. Proofpoint’s 2021 State of the Phish Report identified phishing attacks as one of the top data security problems facing businesses, with 3 out of 4 organizations worldwide reporting attacks in 2020. When attacks were successful, 60% of organizations lost data and 47% were infected with ransomware.
These numbers alone shed light on why phishing remains a perennial favorite tactic in the cybercriminal toolbelt. And with 96% of phishing attacks delivered via email, it’s more critical than ever for workers to stay vigilant and think before they click.
Fortunately, there are some fairly simple ways to train yourself not to take the bait, no matter how sneakily it’s presented. Let’s begin by understanding our enemy.
What is phishing and how does it work?
Phishing definition: a fraudulent attempt to trick individuals into divulging sensitive information (usernames, passwords and banking details) by pretending to be a trusted source, often through an email communication.
Spear phishing – a more personalized way of targeting a victim – leverages three potential weaknesses in a recipient:
- The apparent source appears to be a known and trusted individual
- The message contains information supporting its validity
- The request seems to have a logical basis
Phishing emails typically try to lure the recipient into doing one of two things: a) handing over sensitive or valuable information; or b) downloading malware. There are several types of phishing, and each has the potential to wreak havoc in an organization.
How to avoid phishing scams: Four first steps
From an organizational perspective, the FTC provides a helpful overview and good advice for recognizing and avoiding phishing.
- Protect all computers in the organization by using security software. Set the software to update automatically so it can deal with any new security threats.
- Protect all mobile phones and tablets by instituting a mandatory update policy on devices that access your network. These updates could give you critical protection against security threats.
- Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to an account. This is called multi-factor authentication. The additional credentials required to log in to an account fall into two categories:
  - Something a user has – like a passcode you get via text message or an authentication app.
  - Something a user is – like a scan of a fingerprint, a retina, or their face.
  Multi-factor authentication makes it harder for scammers to log in to accounts if they do get a username and password.
- Protect your data by backing it up. Back up data and make sure those backups aren’t connected to the usual network – for example copy computer files to an external hard drive or cloud storage. Back up the data on your phone, too.
These are critically important and useful steps toward safeguarding yourself and your organization against cybercriminals.
How to avoid phishing scams: 18 additional steps
After employing the above, train staff to read all emails with a critical eye:
- Never trust any source that requests sensitive information via email.
- Is the email professionally written? Misspellings and grammatical errors are hints you’re being phished.
- Never trust a source that doesn’t know your name and account information. If the greeting is generic, it’s probably a scam.
- Watch for overly urgent subject lines and language like "Verify your account." Emails saying your account has been compromised frequently tip off a phishing attack.
- Does the email contain attachments? If it’s an unsolicited approach with an attachment, it may well be a scam.
- Is the email from a legitimate domain? If the @domain.com part of the email doesn’t exactly match the corporate web site URL, it’s likely a scam.
- Make sure the site is secure – does the URL begin with “https”? When you mouse over the link, is there a closed lock icon near the address bar?
- Is your browser up to date? Companies release patches for newly detected malware all the time, so let their developers do the hard work for you.
- Install an anti-phishing toolbar or plugin on your browser.
- Does the email’s message contain a shortened URL? Hover over it (but don’t click). Check your status bar – does it show a legitimate address? If not, it’s a scam.
- Instead of clicking on a suspicious link, type the institution’s root URL (the https://abc.com part) into the browser to access the web site.
- Stay informed. When you Google “how to avoid phishing” the search returns well over 15 million results, so it isn’t difficult to stay abreast of the latest news and prevention best practices. Pay close attention when there’s a story about a new tactic.
- Retake your company’s security and anti-phishing training. If you score less than 100% study up and try again.
- Instead of double-clicking a suspicious file, upload it to an online document reader like Google Drive, which will convert it into HTML or a PDF. This will allow you to review the document while preventing it from installing malware on your device.
- Be wary of pop-ups, which are frequently employed in phishing attacks. Most commonly used browsers allow you to block pop-ups by default.
- Trust your gut. Does the email feel different or off? If it purports to be from someone you know, is its content inconsistent with the tone and vocabulary you’re used to from the source?
- When in doubt, do not click. Make “don’t click” your default setting. Only click a link once you’re sure it’s safe.
- Report potential phishing emails to IT or, if they’re allegedly from someone you know, contact them to ask if they sent it.
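As an added example (not part of Optiv's post), the following Python applies several of the checklist items above to a constructed message: exact sender-domain match, generic greeting, urgent wording, https links, and shortened URLs. The corporate domain, the shortener host list and the phrase lists are assumptions chosen for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the original post): the organization's real domain, a
# short constructed list of link-shortener hosts, and phrase lists for the checks.
CORPORATE_DOMAIN = "example.com"
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URGENT_PHRASES = ("verify your account", "account has been compromised", "immediately")
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Lowercase domain after '@' in the address part of a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def root_url(link: str) -> str:
    """The scheme://host part the post suggests typing by hand instead of clicking."""
    p = urlparse(link)
    return f"{p.scheme}://{p.hostname}"


def check_email(from_header: str, body: str) -> list:
    """Apply the checklist and return the indicators that fired (empty = none)."""
    hits = []
    dom = sender_domain(from_header)
    # Exact match only: 'example.com.evil.net' or 'example-com.net' must not pass.
    if dom != CORPORATE_DOMAIN:
        hits.append(f"sender domain {dom!r} is not {CORPORATE_DOMAIN!r}")
    low = body.lower()
    if any(low.startswith(g) for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(p in low for p in URGENT_PHRASES):
        hits.append("urgent wording")
    for link in URL_RE.findall(body):
        p = urlparse(link)
        host = (p.hostname or "").lower()
        if p.scheme != "https":
            hits.append(f"link not https: {root_url(link)}")
        if host in SHORTENER_HOSTS:
            hits.append(f"shortened URL: {link}")
        elif host != CORPORATE_DOMAIN and not host.endswith("." + CORPORATE_DOMAIN):
            hits.append(f"link host {host!r} is outside {CORPORATE_DOMAIN!r}")
    return hits


# Constructed sample message (not a real phish) used to exercise the checks.
SAMPLE_FROM = "IT Support <helpdesk@example.com.evil.net>"
SAMPLE_BODY = ("Dear Customer, your account has been compromised. "
               "Verify your account at http://bit.ly/xyz within 24 hours.")

if __name__ == "__main__":
    for h in check_email(SAMPLE_FROM, SAMPLE_BODY):
        print("-", h)
```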
Hackers are clever and are always innovating new ways to breach cybersecurity defenses, so no single tactic is likely to afford 100% protection. But organizations can do a lot from a policy, procedures and training perspective to be more aware of phishing and how it works.
Blog courtesy of Optiv, a Top 250 MSSP. Read more Optiv blogs here.