Protecting your company from phishing attacks
Phishing is one of the most common forms of cyberthreat on the internet today.
Like the other kind of fishing, phishing can be aimed at one specific catch or cast like a wide net that takes whatever it catches. The wide net is the most common strategy: criminals send the same fraudulent or misleading message to large numbers of email addresses, hoping that a few recipients will be tricked.
Tricked into what? Divulging sensitive information, such as passwords or financial account details. Or, more commonly, clicking a link or opening an attachment. That one click can be enough to install malware on the machine: spyware, ransomware, viruses and other malicious code.
Phishing attackers often try to make these emails look like legitimate business communication from a trusted entity, such as a popular bank, PayPal or Amazon.
Spear phishing is the targeted variant. The message is personalized for one specific individual or business, typically using details the attacker has gathered about the target beforehand. While phishing is usually conducted via email or social media, a spear phishing campaign may add phone calls and text messages.
What can you do to defend yourself
Fortunately, there are several simple ways you, your employees, and your clients can defend yourselves from phishing attacks.
Look at the email address
Cybercriminals try to sneak phishing emails into your inbox by disguising them as a trusted source. Most mail clients show only the display name (for example, “Amazon.com”) in the “From” field; look at the full sender address behind it, because that is where a forgery usually shows.
For example, if an email that appears to be from Amazon based on the display name has something like “[email protected]” as the actual sender address, you can be fairly confident it is not a legitimate communication. Unfortunately, they are usually not that obvious. A common trick is to register a domain that uses the trusted source’s name with a slight misspelling, as in the example above. (Did you notice that “Amazon” was spelled incorrectly? That is how they do it.)
Look for addresses that don’t match the display name, subtle misspellings of the brand, and domains or country-code endings you would not expect from that company.
Be suspicious and investigate
Before you click on that email link, ask yourself if there’s anything suspicious about it.
Do they misspell the brand name? Are you about to click on a link from ePayy.com or Amezen.com? If the link is hidden behind text or an image, hover your mouse over it and check whether the popup or status bar shows the domain you expect. Read the whole host name: a brand name appearing somewhere in a long address does not mean the link actually goes to that brand.
Be suspicious of links whose domain doesn’t match the organization you expect, including country-code endings that company does not use.
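The two checks above (read the real sender address, and read where a link really goes before clicking) can be automated for mail arriving in a shared inbox. The following Python script is an added example written for this article, not code from the original page; the sample message, the TRUSTED_DOMAINS table and every function name are assumptions made for the illustration. It parses a raw email, compares the display name with the actual sender domain, flags sender and link domains that are a couple of edits away from a trusted brand (the Amezen.com pattern), and reports links whose visible text names one domain while the href goes to another, including the user@host trick in which the brand name appears in the URL but is not the host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we expect mail from, and the domain each really sends from.
# Constructed for this example; a real tool would load it from configuration.
TRUSTED_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Constructed phishing sample (not a real message): the display name says
# Amazon, the address does not, and both links show one destination while
# pointing at another.
SAMPLE_EMAIL = """\
From: "Amazon.com" <security@amezen.com>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="https://amazon.com@amezen.com/login">sign in at amazon.com</a>
to restore access.</p>
<p>Or visit <a href="https://www.amezen.com/help">https://www.amazon.com/help</a>.</p>
</body></html>
"""

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the classic brand misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels (www.amezen.com -> amezen.com). Toy approximation; a real
    tool would use the Public Suffix List so that example.co.uk works too."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def url_host(url):
    """Host the browser will really connect to. urlparse discards the 'user@'
    part, so https://amazon.com@amezen.com/ resolves to amezen.com."""
    return (urlparse(url).hostname or "").lower()

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (misspelled within two edits, like
    amezen, or with the brand embedded), or None if genuine or unrelated."""
    if domain in TRUSTED_DOMAINS.values():
        return None
    label = domain.split(".")[0]
    for brand, trusted in TRUSTED_DOMAINS.items():
        if edit_distance(label, brand) <= 2 or brand in label:
            return trusted
    return None

# Collects (href, visible text) pairs: what hovering reveals vs. what is shown.
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def triage(raw_message):
    """Human-readable findings for one raw, single-part HTML email."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Judge the real address, not the display name shown in the From field.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    for brand, trusted in TRUSTED_DOMAINS.items():
        if brand in name.lower() and sender_domain != trusted:
            findings.append(f"display name '{name}' but address domain is {sender_domain}")
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} looks like {hit}")
    # 2. For each link, compare where it really goes with what its text claims.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    collector.close()
    for href, text in collector.links:
        host = url_host(href)
        m = DOMAIN_RE.search(text.lower())
        shown = url_host(text) if "://" in text else (m.group(0) if m else "")
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but href goes to {host}")
        hit = lookalike_of(registrable_domain(host))
        if hit:
            findings.append(f"link host {host} looks like {hit}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EMAIL)))
```

Running it prints six findings for the sample: the display-name mismatch, the lookalike sender domain, and for each link both the text/href mismatch and the lookalike host. The `registrable_domain` helper is deliberately naive (last two labels), so for anything beyond a demonstration substitute a Public Suffix List lookup, and treat the two-edit threshold as a starting point to tune against your own mail.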
Check your online accounts regularly
If you think a fraudulent email may have slipped by you, it’s not a bad idea to pay a visit to your online accounts to make sure there has been no suspicious activity. (You should do that periodically regardless.)
Some things to look out for are unexplained bank transactions (these are often small test charges so they aren’t immediately noticed), unauthorized purchases or services, and changes to your personal information, including your password, recovery email or phone number.
Use antivirus software
Running virus scans can seem like a tedious chore, but it is far cheaper than repairing the damage malware can do to your computer. A little prevention goes a long way.
Make sure your antivirus software is kept up to date with the latest signatures, and leave its real-time protection switched on rather than relying on occasional manual scans.
Keep your systems and software up to date
Every year, security holes are discovered in widely used applications and operating systems. Word gets around, and cybercriminals won’t hesitate to exploit them; malicious attachments and links in phishing emails are a common way of delivering those exploits.
Install updates as soon as they are offered, or turn on automatic updates so you don’t have to remember.
Verify site security
Not all attacks come to you. Some lay in waiting.
On occasion, a website is breached and attackers replace its login page with a fake one in order to skim your credentials as you log in. That is one reason many important websites, such as banks and utilities, offer two-step verification: a stolen password alone is then not enough to get into your account.
Take note of anything unexpected during two-step verification, such as a code you did not request or a prompt that appears at an odd moment. Also check the address bar: the URL should begin with “https:” and the browser should show a closed lock icon. Be clear about what that tells you, though. It means the connection is encrypted to the domain shown in the address bar, and nothing more; phishing sites routinely use HTTPS too, so the lock only means something once you have read the domain and confirmed it is the real one.
Be protective of your information
Always take a moment to consider any information you give out either on a website or through an email. No credible service is going to ask you to send sensitive information through email.
If in doubt, type the company’s address into your browser yourself rather than following the link. If there really is an issue with your account, you will see it there. Or call the company on a number taken from its official website or your statement if you are still in doubt.
Be very wary of direct phone contacts regarding your accounts
Make sure you’re calling them, and not the other way around.
Microsoft or Apple will never phone you to tell you about a problem with your computer or account. Those calls are almost always scams: phishing by telephone, sometimes called vishing. If your bank or a utility calls, thank them, hang up, and call them back on the official number from their website or your statement, unless you know for sure who you are talking to and why.
That goes for text messages, too. Many people manage their mobile phone payments through text messages with the service provider. Before acting on such a message, confirm it really came from the provider, for example by opening the provider’s app or website directly instead of tapping the link in the text.
Knowledge is power
Following the above tips is only the beginning, but it’s a good start.
Stay current on the threats out there. If a warning comes down from your IT support, or if you see new trends in cyberattacks making the news, take the time to follow up on this information to see how it could affect you.
Just a little proactive work on your part will go a long way.