Receive a Message Urging Immediate Action? Proceed With Caution
Cybersecurity experts report a recent rise in phishing emails—particularly those that capitalize on current events and recommend “immediate action.” Specific examples of this include urgent alerts that play on fears about global instability, stating that unknown users have logged into an account from an IP address in Moscow or Kyiv.
Many Twitter users report a social media-specific version of this, posting screenshots of fake user notifications they have received about attempted logins from Russia or Ukraine. Large universities have also revealed password reset alerts that purport to come from an IT department and ask a user to log in immediately to check the security of their password.
What these diverse phishing attempts all have in common is what happens after unsuspecting users click a link or reply to a message: they are asked to share private information to confirm account security. Sometimes, this occurs on an illicit site that surreptitiously steals credentials or personal data; sometimes, a user will see a fresh email open that includes a pre-filled message meant to lure them deeper into a scam.
No matter the avenue of attack, users across the globe are at risk right now, especially during a period of heightened cybersecurity awareness. Given current world events, anything that mentions unusual activity from Russia or Ukraine is sure to make anyone do a double-take, serving as particularly enticing bait for hackers who are always looking to change their tactics.
How can you protect yourself, your business, and your colleagues from these new phishing attempts?
1) Use caution with any email urging immediate action. Every unsolicited email should raise a red flag. But how can you recognize one when it looks like a real notification from a legitimate platform or application? First, look for any typos, inaccuracies, or awkward phrases in the subject line and body copy, along with unusual sender names or addresses. Remember that email domains can be easily spoofed; just because the sender name says twitter.com doesn’t mean that’s actually who sent the email. Hover over the email address or click for more details to look for straightforward senders like email@example.com, not long strings of nonsensical characters or unfamiliar dot.net domains.
2) Never open unfamiliar attachments or click suspicious links in an email. These are far more common than many people think—if someone sends a shipping update or monthly invoice that looks like it comes from a legitimate sender, human nature means we’re curious to see whether it’s real or not. Unless you’re expecting a specific file from a trusted colleague, be wary of any attachments—especially if the email urges you to open it now or tries to deploy personal information to trick you with so-called social engineering. In addition, don’t just click a link because you’re encouraged to do so; hover your mouse over the URL first to see whether the displayed website matches what’s in the email. If the words say https://www1.cmitsolutions.com/e/660363/2022-03-14/92fdly/1195673914?h=OL2CtzExWlPDGr3_7oeuBOe9fVBlQsShWFnBWnxxyHc, the preview link should also be https://www1.cmitsolutions.com/e/660363/2022-03-14/92fdm1/1195673914?h=OL2CtzExWlPDGr3_7oeuBOe9fVBlQsShWFnBWnxxyHc Beware of long strings of nonsensical characters or any major differences between the link in the email copy and the preview link that shows up when you hover over it.
3) Use multi-factor authentication or a two-step process to log in to any account. If you do visit a website you’re not sure about or respond to an email asking for information, all hope is not lost yet. It’s the next step that’s often most important: if you’re being asked to confirm a username or password, look for an option to send yourself a unique code via text message or receive a unique link via email to log in. Nearly all major providers and platforms urge their users to use this step, so it should be prominent on any login page. If you don’t see it, take another moment to question the legitimacy of the source and proceed with caution.
4) Invest in security awareness training for your staff. Many people laugh when they hear about cybersecurity education that includes phishing simulations. But seeing examples of the most common scam attempts can actually empower employees to better scrutinize suspicious emails and websites. This can provide a big shift from not caring about digital security to being inherently vigilant—in many cases or blocking phishing attempts before any information is stolen or any data is compromised.
5) Partner with a trusted IT provider to enhance cybersecurity. Even the best anti-spam filters and the most robust digital defenses will occasionally let a stray scam or two through. The key is to build multiple layers of proactive security around your entire IT ecosystem, your devices, and your accounts. Working with a reliable IT provider, you can enhance password security, add multi-factor authentication to all accounts, better protect mobile devices, and encrypt data. This comprehensive approach means that, if even one layer of protection falters, another will be waiting to prevent vulnerabilities and protect your business.
Given today’s hyperactive digital landscape, where breaking news and trending topics often dominate the conversation, hackers will continue to evolve to try and trick even the savviest computer user. These tactics always increase alongside instability, with bad actors trying anything to steal data and compromise private information.
In an unstable world, you need an IT partner you can rely on. If you’ve received a suspicious email or fallen victim to a phishing attempt, contact CMIT Solutions today. We work overtime to keep our clients safe, protecting every device, every system, and every user with enhanced cybersecurity defenses.