You’d have to be living at the bottom of the ocean to not have heard about the rise of phishing attacks, especially in the wake of the recent pandemic. It seems there is no shortage of shady characters out there just waiting to capitalize on trauma.
But phishing is not new, nor is it likely to be going anywhere any time soon. So how do you protect yourself?
Today’s Focus: How NOT to Take a Phishing Trip
Phishing scams all have one thing in common – they target humans. They might be going after information stored on computers, but their intent is to play on human nature. Humans are emotional, reactive. And when humans react, they make mistakes. They give out information they shouldn’t. They believe things that aren’t true. They open themselves – and the companies for which they work – to attack.
What exactly is phishing?
The overall concept of phishing is this: bad guys play people to get sensitive/private information electronically by pretending to be trustworthy. And just like there are many types of bad guys, there are many types of phishing.
Most people think of phishing as an email scam, and “standard” phishing is just that. Bad people pose as entities you’d trust, such as a bank or credit card company, and leverage that trust to get you to take action, such as clicking a link or opening an attachment, which then opens your device or data up for the phishers. These emails are designed to evade spam filters and at first glance appear to be legitimate, often containing real-looking logos and URLs.
Spear Phishing is focused phishing. Usually directed at one person or organization, spear phishing is done after the bad guys have done their research on the target. Specific details are obtained ahead of time and then used to customize the email to make it appear that it came from a trusted source with the intent of getting you to do something you might not otherwise do. For example, a phisher takes the time to learn enough about your organization to know that Elizabeth heads your HR department and that she goes by her nickname. The phisher then spoofs her identity and sends out an email to all employees requesting they review an attached copy of their W-2 and verify the information is correct by clicking on a link. The email looks to be internal and is signed “Liz”, so employees are much more likely to take the action requested, opening the company up for security breaches.
Whale Phishing is a type of spear phishing that targets high-profile individuals, such as executives or celebrities. These types of attacks tend to be even more personalized, containing not just your name but other information such as names of family and friends. If you’re a big deal, be extra cautious and verify the identity of those requesting action from you.
SMS phishing, better known as smishing, is phishing via text. The text contains a link, often dressed up as a banking alert, an order confirmation or an update for an app on your phone. Text messages are a form of quick communication, so the bad guys are playing on your trust that if it came to your phone number it’s legit and that you’ll take action quickly. Don’t do it!
Vishing is short for voice phishing. You receive a call from someone who says he is from your bank and wants to verify a recent purchase. Banks do this all the time, but is this guy actually a bank representative? Best bet – tell him you’ll call back, even if pressured to take care of it right away. Then call the bank using the number on the back of your card.
How to Avoid Being Hooked
Many phishing attempts are easy to spot. Phishers are not usually Spelling Bee champs. Most phishing emails are poorly worded with bad grammar and spelling mistakes, offer unrealistic financial payouts, or are formatted in a way that looks like Fluffy did it on a Tandy 1000.
But what can you do if the phisher has obtained a dictionary and graphics person? Simply put: Think before you act and verify authenticity. Specifically, here are a few areas to consider:
Email phishing is the most commonly known, so people tend to be more cautious with unexpected emails. However, other forms have risen in popularity, so heed your mom’s advice: Beware of strangers. Just because it’s a text or a live person on the line doesn’t mean it’s legitimate.
Verify the sender is someone you trust and that their communication was expected. That’s not to say immediately delete Great Aunt Edna’s “Happy Birthday”, but if she’s asking you to reply with your social security number so she can give you a bank bond, don’t bite.
Check if others were included. If so, does it seem like a logical group? If you see that everyone in the distribution list has a name that starts with “S”, consider being Suspicious.
Date and Time
Verify that the date is accurate and that the communication was sent at a time that seems reasonable. If an email looks like it’s from HR, unless Liz has insomnia, 3:24 a.m. is not a logical send time.
Hover over any hyperlinks before clicking on them. If the link is displayed in the email, does the hover-over text match? If it’s a button, does the hover-over text look like a real link? On a phone you can “hover” by pressing and holding the link to preview its destination; just be careful not to release too quickly, which would open the link instead.
Watch out for spelling in links. At first glance, bank-of-fluffy.com looks very similar to bank-of-flufy.com, but chances are the second one isn’t going to have your funds go to your precious bundle of fur.
Best practice when it comes to links – go directly to the source. Don’t click the bank link from an email – type the URL directly into your browser or find the link through a trusted search engine. If Instagram sends a text with an update link, don’t click. Instead, visit your phone’s app store to check for the latest version.
If you aren’t expecting an attachment, don’t open one without verifying that you should. Even if it looks like it’s from the boss, confirm that she sent it. Yes, if she did send it, she might be a bit annoyed by the interruption, but she’ll be much more annoyed if company data gets compromised because you opened a file without thinking. Also, don’t assume certain file types are safe. The old belief that PDFs can’t carry anything malicious is just that – an old belief.
Outside of the obvious spelling and grammar issues, is the content unusual or unexpected? Are you being asked for information that normally wouldn’t be emailed? Is there a threat or negative consequence if you don’t do something quickly? Take a minute to confirm that the content makes sense before taking any action.
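The checks above (sender, date and time, hover-over link versus displayed link, lookalike domains) can also be run by a script rather than by eye. The following is an added example, not code from the original article: a small Python program that applies those checks to an email message and lists what it finds. The sample message, the trusted domain example-corp.com, the lookalike examp1e-corp.com and the “business hours” range are all constructed for this example; “Liz” and the W-2 lure are borrowed from the article.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values for this example: the domains the reader trusts and the
# hours during which a message from HR would plausibly be sent.
TRUSTED_DOMAINS = {"example-corp.com"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59, in the sender's local time

# Constructed sample message (not a real email): the "Liz from HR" W-2 lure
# from the article, sent at 3:24 a.m. from a lookalike domain.
SAMPLE_EMAIL = """\
From: "Liz" <liz@examp1e-corp.com>
To: all-staff@example-corp.com
Date: Tue, 04 Feb 2025 03:24:00 -0500
Subject: Please verify your W-2
Content-Type: text/html

<p>Hi all, please review your W-2 here:
<a href="http://examp1e-corp.com/w2">https://hr.example-corp.com/w2</a></p>
<p>Thanks, Liz</p>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain that host imitates, or None.
    An exact match or a subdomain of a trusted domain is not a lookalike;
    a host within a couple of edits of one (bank-of-flufy vs bank-of-fluffy) is."""
    for good in trusted:
        if host == good or host.endswith("." + good):
            return None
    for good in trusted:
        if 0 < levenshtein(host, good) <= max_edits:
            return good
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what a hover-over shows next to
    what the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(text: str) -> str:
    """Lower-cased hostname of a URL, or "" if the text is not a URL."""
    return (urlparse(text.strip()).hostname or "").lower()


def check_email(raw: str):
    """Apply the checklist to one message and return human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender: is the From domain one we trust, or an imitation of one?
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_host not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender_host)
        findings.append(f"sender domain {sender_host} looks like {imitated}" if imitated
                        else f"sender domain {sender_host} is not a trusted domain")

    # Date and time: was it sent at a reasonable hour?
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour not in BUSINESS_HOURS:
            findings.append(f"sent at {sent.strftime('%H:%M')}, outside business hours")

    # Links: does the real destination match the displayed one, and is it a lookalike?
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    for href, shown in parser.links:
        real_host, shown_host = hostname(href), hostname(shown)
        if shown_host and real_host != shown_host:
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
        imitated = lookalike_of(real_host)
        if imitated:
            findings.append(f"link host {real_host} looks like {imitated}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message it reports four findings: a lookalike sender domain, an off-hours send time, a link whose visible text and real destination disagree, and a link host that imitates the trusted domain. The edit-distance threshold of two is a judgement call; a lower value misses more typosquats and a higher one flags unrelated domains, so tune it against the domains you actually trust.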
Being prepared isn’t just for the Scouts. Knowing what to look for and taking an extra minute to verify authenticity can save you from the nightmare of being hacked.
Train Your Brain
There are a number of platforms available to companies to train their employees on security awareness and preventing phishing attacks. We’ll give a shout-out to KnowBe4, a security awareness platform we love and use internally and with our clients. Whatever your choice, run simulated phishing attacks and train your employees regularly.
Don’t Hide Mistakes
We are human. That’s why phishing works. Scare tactics suggesting your account has been locked due to fraudulent activity or an emailed receipt for something you know you didn’t buy – those things might get you to click. If you do, don’t hide it! Contact your IT department right away!
And Remember, Everything Isn’t Scary
Not all bulk emails are phishing attacks. Some are just spam. Emails from retailers trying to get you to purchase things or newsletters from organizations you belong to can be annoying but aren’t necessarily trying to infiltrate your defenses.
No Hook, No Line, No Sinking
Now that you know what to be on the lookout for, you can avoid going on phishing trips. So sit back and enjoy the sun – you know how to dodge the hooks.