How to protect your organization and prevent phishing attacks is always a hot topic. Phishing is not a new issue, but it is certainly one of the most dangerous methods of cybercrime and it keeps on plaguing individuals and businesses.
Even though most people are aware of these attacks, they consistently fall into the trap.
As a matter of fact, 32% of all cyberattacks involved phishing according to Verizon’s 2019 Data Breach Investigations Report.
Since these attacks are getting increasingly more frequent and sophisticated, it is key that end-users learn how to recognize phishing attacks and understand how to react when they happen.
Let’s Start With The Basics. What Is Phishing?
Phishing attacks are techniques attackers use to trick individuals into revealing sensitive information, such as login credentials, or into running malware that infects their computer, typically by sending fake emails that appear to come from an authentic source.
Phishing attacks can be classified into four categories:
Mass scale phishing: This is the most common type of phishing attack. Hackers send a huge batch of generic emails that are not targeted at anyone in particular.
Spear phishing: These attacks are more targeted and are tailored to a specific individual or business using personal details.
Clone phishing: Clone phishing is particularly difficult to identify. The attacker takes a legitimate email and creates an almost identical copy, which is then sent from a fake email address that closely resembles the original sender's. In the copy, the links or attachments are malicious.
Whaling: This is a specific type of spear phishing that targets someone important within a company such as a CEO, a CFO, or other executives.
To help you prevent phishing attacks and spread the word on security, we’ve put together 6 tricks to help you prevent phishing attacks within your organization:
Trick #1: Look at the email address, not the sender
In most cases, a phishing email will come from an email address that appears to be authentic. If you only look at the sender’s name, it will look very genuine at first glance. If you take a moment to look at the actual email address, however, you may find that it is very similar to the company's official email address but not the same. For instance: @mail.netflix.123work instead of @netflix.com.
Many people only look at the display name rather than the email address; double-checking the “From” address could save you from making a mistake.
If you are still in doubt, you can look at the sender’s signature to help you identify a scam. If details such as a job title or phone number are missing, the email is probably suspicious.
Trick #2: Look for grammatical mistakes, not spelling errors
You can recognize a phishing email simply by the poor language or grammatical errors in the body of the message.
When writing phishing messages, fraudsters usually use a spellchecker or online translation tools, which provide the right words but not necessarily the right context.
Corporate communication departments will never send messages to their customer database without a good grammar check and several rounds of proofreading. If the email you receive is poorly written, it’s likely a phishing attack.
You should also be careful with emails that greet you with “Dear Customer” or “Dear Member”. Most companies would use your first name, so this could be a red flag.
Trick #3: Look carefully at the attachments or links
When you receive an unexpected email that encourages you to click on a link or open a document, you should be vigilant.
In the case of an attachment, cybercriminals embed malware that infects your computer when you open the file. The document may be disguised as an invoice or an org chart to review, for example.
If you are not 100% confident the message is authentic, it is best to contact the sender through other means of communication such as chat or phone to verify that this person actually sent you an email.
If the email encourages you to click on a link, it is better to go to the website directly from your browser and log in there rather than clicking on the link/button.
Before clicking on the link or button, you should examine the destination address to make sure it matches the company domain. To do so, you can hover your mouse over the link/button and the destination address will appear.
Simply seeing the legitimate business name in the URL doesn’t make it authentic. A phishing URL often includes the business name, but places it before or after the actual malicious domain.
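The checks behind Trick #1 and Trick #3 can be automated, for example in a mail-gateway rule or a security-awareness tool. The Python below is an added example, not code from this article or from Softlanding: check_sender compares the display name with the real sending domain, and check_link tests whether a link's destination is really the brand's domain or merely contains the brand name before or after another domain. The TRUSTED_DOMAINS table and all sample headers and URLs are constructed, and the registrable-domain logic is a simplification that does not consult the Public Suffix List.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains that may legitimately send mail for a brand. Constructed sample
# table for this example; a real deployment would load it from configuration.
TRUSTED_DOMAINS = {"netflix": {"netflix.com"}, "microsoft": {"microsoft.com"}}


def registrable_domain(host):
    """Last two labels of a hostname: 'mail.netflix.123work' -> 'netflix.123work'.
    Simplification: a production check would consult the Public Suffix List so
    that hosts under suffixes such as co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_sender(from_header):
    """Trick #1: compare the display name with the real address.
    Returns a list of reasons the header looks suspicious (empty = no finding)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    sender_domain = registrable_domain(address.split("@", 1)[1])
    reasons = []
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            reasons.append(f"display name claims {brand} but address is @{sender_domain}")
    # A display name that is itself an address is a classic lure:
    # "ceo@example.com" <random@gmail.com>
    if "@" in display and display.lower() != address.lower():
        reasons.append("display name is a different email address")
    return reasons


def check_link(href, expected_domain):
    """Trick #3: does the destination really point at the brand's domain?
    .hostname strips userinfo ('netflix.com@evil.example') and ports before
    comparing, and the brand name is flagged when it appears before or after
    the registrable domain (subdomain, userinfo or path) instead of being it."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if host and registrable_domain(host) == expected_domain.lower():
        return []
    brand = expected_domain.split(".")[0].lower()
    reasons = [f"link goes to '{host or '<no host>'}', not {expected_domain}"]
    decoys = host + (parsed.username or "").lower() + parsed.path.lower()
    if brand in decoys:
        reasons.append("brand name appears in the URL but not as its domain")
    return reasons
```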
Trick #4: The message creates a sense of urgency
If the email begins with “Urgent request” or “Your account will be closed”, you should not let yourself be intimidated and, most importantly, you should not panic.
Scammers are trying to take advantage of your anxiety to pressure you into acting now and entice you to give away confidential information. These emails are particularly effective in the workplace, as most employees are afraid to make their co-workers or boss wait.
Should you receive this type of request in your mailbox, do not hesitate to call your boss or colleague to confirm the email. You can also use the tricks mentioned above to decide if the email looks genuine.
Trick #5: Rely on common sense
You will not be asked to review something you never normally review. A legitimate business will never ask you to send your login credentials or credit card information by email, and Microsoft will not send you an email to say they will close your account or have detected a virus on your computer.
These red flags should help you avoid falling victim to cybercriminals.
Trick #6: Upgrade your technology protections
For organizations using Office 365 for email, or running Exchange email servers in their own datacenters, Microsoft offers extra protection against the various kinds of phishing attack. Office Advanced Threat Protection (ATP) checks every email link at the time you click it to make sure it doesn’t lead to a known malicious site, and opens every attachment in a special ‘bomb room’ (an isolated sandbox) to check for hidden attacks. Depending on your existing licensing, there may be additional costs for these features. Softlanding has deployed these technologies (and other protective measures) for dozens of organizations.
As phishing attacks continue to evolve, they are getting increasingly smarter and therefore more difficult to identify. It is therefore important to stay alert at all times. If you happen to click on a malicious link or open an infected document, notify your IT department immediately. No need to be ashamed; to err is human.
Contact us if you want additional information on how to protect your business and prevent phishing attacks.
If you’re interested in exploring the Microsoft tools for protecting against malware and phishing, you may be eligible for a Microsoft-funded security assessment if you are a ‘Microsoft managed customer’.