In 2018, nearly everyone has either heard of “phishing” or been targeted by it. If you haven’t, here’s a definition: phishing is the act of defrauding someone online by posing as a legitimate company or person. Even more simply put, phishing occurs when cybercriminals pretend to be someone or something they’re not to steal from you or your company.
The most common form of phishing starts with the sender address. Attackers either “spoof” the From header outright, so a message claims to come from an address it never touched, or register a look-alike domain such as yourcornpany.com (an “r” and an “n” standing in for the “m” in yourcompany.com) and send from that. The message then carries links to malicious websites, realistic attachments, invoices, or delivery notifications, used either to spread ransomware or to convince you to hand over account credentials, financial information, or approval of a wire transfer.
“Spearphishing” is more dangerous still. Rather than blasting a generic lure at thousands of addresses, the attacker targets a specific person or company: the message may appear to come from a colleague’s address, and social engineering plus public sources (the company website, LinkedIn profiles, out-of-office replies) are used to learn your role and your company’s hierarchy, so the request is specific and plausible enough that most employees wouldn’t think to double-check it.
Consider these statistics from Symantec that show a marked growth in phishing attempts:
- Spam emails increased by 53% in 2016
- In 2016, one in every 131 emails contained malware
- Fake invoice messages were the #1 type of phishing lure
- More than 400 businesses are targeted by scams every day
- During the 2016 presidential election, spearphishing emails were sent to members of the Democratic National Committee, allowing hackers to infiltrate personal accounts
- One in every 3000 phishing emails is directed at a small to medium-sized business (company size ranging from 1-250 employees)
- The word “request” was the most popular keyword in the subject line of phishing emails
- 79% of organizations reported being the victim of a phishing attack in 2016
- The construction industry saw one of the highest spam rates at 59%
- 90% of companies admitted that one or more employees have fallen for a phishing attack
Other examples of phishing attempts:
- Your IT guy asking you to log in to a system or website
- Your manager asking you to “open the attached document”
- Your CEO asking you to initiate a wire transfer to one of your vendors
The phishing problem is only exacerbated by human nature. Once we can recognize an obvious phishing attempt, we tend to assume we’ll never fall for one. Such a scam only happens to people who don’t pay attention, right? You can fight back, however. If you, your employees, and your colleagues can identify the outward signs of phishing and follow a few basic email-safety habits, most phishing attempts can be stopped before any damage is done. Here are a few critical tasks to remember:
1. Don’t share personal information via email.
Even if you know the sender, never respond to a message with personally identifiable information: financial details, passwords, birthdays, phone numbers, etc. No legitimate bank, vendor, or IT department needs your password by email; the request itself is the warning sign.
2. Type in websites you want to visit — don’t just click the link.
Whenever possible, avoid clicking a link in an email to visit a website. The text of a link and its real destination are two separate things, and it’s easy to make them disagree. A link might say “PayPal.com,” but it’s really pointing at “PeyPals.com.” Or, if a link has long strings of random characters, it could take you anywhere. Double-check a link’s real destination by hovering over it with your mouse and reading the domain name just before the first single slash: “paypal.com.example.net” is not PayPal. Hovering is unreliable on phones and tablets, so on a mobile device the safe choice is simply not to tap. To stay the safest, manually type in the website you want to visit.
3. Never open attachments you aren’t expecting.
Whether it’s a ZIP file, a PDF, an MP3, a Word document, or an Excel spreadsheet, a malicious attachment can wreak havoc on your machine (and on anything else connected to the network). Attackers routinely hide malware in these files; an Office document that asks you to “enable content” or “enable macros” before it will display is a classic way to install ransomware. Unless you’re expecting a specific attachment from a specific person, use caution before you open it.
4. Watch out for misspellings and urgent requests.
Poor grammar is one of the telltale signs of a phishing attempt. Also look for unusual phrasings or misspellings, uncommon greetings (Hello Madam! or Good Day Sir,), and anything (particularly in the subject line) that evokes an unnecessary sense of urgency. Keep in mind that well-funded attackers write clean English, so a polished message is not proof of a legitimate one. If an email from a co-worker asks you to do something right away, call, text, or chat with that person in real life to confirm the request, using contact details you already have rather than any listed in the email.
5. Don’t execute wire transfers!
Although executives at multinational corporations have been caught red-handed sending money to scammers, most of us do not (and will not) wire money as part of our day-to-day duties. If an email asks you to approve or execute a wire transfer, consider that a phishing red flag. Again, double-check the request in person or by phone, not by replying to the email, before you make a move. If you are in the business of transferring money, put a verification step outside email, such as a callback to a known number or a second approver, in front of every transfer and every change to a vendor’s bank details.
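Tip 2 above says to compare what a link says with where it actually points, and the yourcornpany.com example earlier shows how a look-alike domain passes a casual glance. The following script, an added example that is not part of this article or of any CMIT Solutions tooling, automates both checks over the HTML body of an email: it extracts every link, compares the domain in the visible link text with the domain in the real href, and classifies each domain as trusted, look-alike, or other. The list of trusted domains, the confusable-character table, the sample email body, and the edit-distance threshold are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real domains plus the vendors it deals with.
# Anything that looks like one of these but is not one of them is suspect.
TRUSTED_DOMAINS = {"yourcompany.com", "paypal.com"}

# Character sequences that render almost identically in common fonts,
# e.g. "rn" for "m" in yourcornpany.com. Assumed table for this example.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}

# How many character edits away from a trusted domain still counts as a look-alike.
LOOKALIKE_DISTANCE = 2

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def fold_confusables(domain: str) -> str:
    """Collapse look-alike spellings so yourcornpany.com compares equal to yourcompany.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Fine for .com demos, not for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch peypals.com next to paypal.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike', or 'other' for a host or registrable domain."""
    d = registrable_domain(domain)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold_confusables(d)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(folded, fold_confusables(trusted)) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "other"


def classify_sender(address: str) -> str:
    """Classify the domain part of a From address such as it-help@yourcornpany.com."""
    return classify_domain(address.rpartition("@")[2])


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates bare 'PayPal.com' style text with no scheme."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """One finding per link: where it really goes, and whether the text lies about it."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = registrable_domain(host_of(href))
        shown = DOMAIN_RE.search(text)           # does the link text name a domain?
        text_host = registrable_domain(shown.group(0)) if shown else None
        findings.append({
            "href": href,
            "text": text,
            "href_class": classify_domain(href_host),
            "text_mismatch": text_host is not None and text_host != href_host,
        })
    return findings


# Constructed sample email body for the example; not a real message.
SAMPLE_HTML = """
<p>Your invoice is attached. Please confirm at
<a href="https://secure.peypals.com/login">PayPal.com</a>.</p>
<p>Questions? Visit <a href="https://support.paypal.com/help">support.paypal.com</a>.</p>
<p>Or <a href="http://yourcornpany.com/portal">log in to the staff portal</a>.</p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        flag = "MISMATCH" if f["text_mismatch"] else "ok"
        print(f'{f["href_class"]:9} {flag:8} text={f["text"]!r} href={f["href"]}')
```

Run it and the first link is reported as a look-alike domain whose text disagrees with its destination, the second as trusted, and the third as a look-alike reached through a confusable “rn”. Two caveats: the two-label domain rule breaks on suffixes such as co.uk, and an edit-distance threshold that is generous enough to catch typo-squats will also produce false positives between genuinely different short domains, so treat the output as a prompt to verify, not a verdict.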
Clicking one wrong link in one suspicious email can be disastrous for your company. So next time you get a suspicious message, take the extra time to confirm its origin and intent — such diligence can save you and your company from danger (and possibly save a lot of money and heartache). If you have any doubts, don’t click a thing. Delete the email, or contact your trusted IT provider to investigate more closely.
As phishing attempts continue to increase, so should vigilance. If you have questions about phishing attempts, online scams, or other threats to your company’s safety, contact CMIT Solutions today. We worry about IT so you don’t have to.