Don't Take the Bait: Tips for Identifying Phishing Attempts
Phishing is one of the oldest types of cyber attack, and it is still the most common. Why? Because it works. In 2017, 90% of data breaches were the result of phishing, and in 2016, 76% of organizations reported being the victims of phishing attempts.
A phishing attack uses email to trick an employee into believing that a message is legitimate and comes from a trustworthy, or at least plausible, source. The phisher may pose as someone from the employee's own company, or from a company the employee does business with. Sometimes the message describes something the employee wants, needs, or is expecting, such as a request from their bank. Other examples include HR documents, a shipping confirmation, a request to change a password, or a link or attachment crafted specifically to deceive. Whatever the disguise, a sophisticated phishing attempt looks like genuine communication.
Often the goal of a phishing attack is to maliciously obtain sensitive information, such as usernames, passwords, records, money, social security numbers, credit card details, or bank information.
Phishing has matured dramatically since the term was coined in the 1990s. Attacks are becoming increasingly complex, and attackers are targeting everyone in an organization: not just CEOs and other senior staff, but employees at every level of the company.
Phishing attempts directed at specific individuals are called spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the internet today, accounting for 91% of attacks.
Phishing attempts directed at senior executives and other high-profile targets within businesses are called whaling.
Here are some red flags and ways to identify the most widespread kinds of phishing attempts. Don't take the bait!
- Unfamiliar email address
When a new email appears in your inbox and you don't recognize the address, proceed with caution. Remember that email is not the primary channel for most serious correspondence, such as tax or government notices. If you receive an email from a source you know but it still seems suspicious, contact that source with a new email rather than just hitting reply, since a reply goes to whatever address the sender chose to put in the message.
- Links & attachments
The most common mistake an employee makes is clicking a link without thinking and introducing a virus into the company's network. Always check the spelling of the URL in email links before you click or enter sensitive information, and watch out for URL redirects, where you are quietly sent on to a different website than the one the link appears to point at. If you're at all unsure, don't take the bait.
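The link checks above (does the visible text match the real destination, is the domain a lookalike, does the URL carry a redirect to somewhere else) can be automated for training or triage. The following Python script is an added example written for this article, not NC4's code; the email body, the trusted-domain list and the set of redirect parameter names are constructed assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Assumption: domains the organisation expects legitimate mail links to use.
TRUSTED_DOMAINS = {"example-bank.com"}

# Assumption: query-parameter names that commonly carry a follow-on URL.
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "next", "goto", "return", "dest"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")

# Constructed sample email body containing one legitimate link and two suspicious ones.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Log in at <a href="https://example-bank.com/login">example-bank.com</a>.</p>
<p>Verify now: <a href="http://example-bank.com.secure-login.example.net/verify">https://example-bank.com/account</a></p>
<p><a href="https://example-bank.com/redirect?url=http%3A%2F%2Fcollector.example.org%2Flogin">Reset your password</a></p>
"""


def host_of(url):
    """Hostname of a URL in lower case, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: the last two labels (good enough for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_link(href, text):
    """Return a list of human-readable red flags for one anchor (empty list = nothing found)."""
    findings = []
    href_host = host_of(href)
    if not href_host:
        return findings
    href_dom = registered_domain(href_host)

    # 1. The visible text names a domain, but the real destination is a different one.
    m = DOMAIN_IN_TEXT_RE.search(text.strip().lower())
    if m:
        text_dom = registered_domain(m.group(1))
        if text_dom != href_dom:
            findings.append(f"display text shows {text_dom} but the link goes to {href_host}")

    # 2. Internationalised hostnames (xn--) can render as lookalike characters.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        findings.append(f"punycode hostname {href_host}")

    # 3. A trusted name embedded in a longer hostname that belongs to someone else.
    for trusted in TRUSTED_DOMAINS:
        if trusted in href_host and href_dom != trusted:
            findings.append(f"{href_host} embeds trusted name {trusted} but belongs to {href_dom}")

    # 4. A redirect parameter that sends the reader on to another host.
    for key, values in parse_qs(urlparse(href).query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = host_of(value)
                if target and target != href_host:
                    findings.append(f"redirect parameter {key!r} sends you on to {target}")

    # 5. Anything outside the expected domains deserves a second look.
    if href_dom not in TRUSTED_DOMAINS:
        findings.append(f"{href_dom} is not an expected domain")
    return findings


def scan_email_body(body_html):
    """Map each href in an HTML email body to the red flags found for it."""
    report = {}
    for href, inner in ANCHOR_RE.findall(body_html):
        href = html.unescape(href)
        text = html.unescape(TAG_RE.sub("", inner))
        report[href] = inspect_link(href, text)
    return report


if __name__ == "__main__":
    for link, flags in scan_email_body(SAMPLE_EMAIL).items():
        print(link)
        for flag in flags or ["no red flags"]:
            print("   -", flag)
```

Run against the constructed sample, the first link comes back clean, the "Verify now" link is flagged three times (text/destination mismatch, embedded trusted name, unexpected domain), and the password-reset link is flagged once for its redirect parameter. The domain heuristics are deliberately simple; a production filter would use a public-suffix list and a maintained allowlist.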
- Threatening language
Many phishing attempts imitate urgent messages that demand an employee's immediate attention, using fear or panic to pressure them into clicking a link or opening an attachment. Beware of subject lines claiming that your "account has been suspended," that an "unauthorized login attempt" has been detected, or that "urgent action is required." These intimidation tactics exploit an employee's anxieties and concerns.
- Spelling & grammatical issues
People who carry out these attacks may not be writing in their native language, or they may be in a rush to send out as many phishing emails as possible. This often results in mistakes, typos, odd phrasing, and stray symbols.
Legitimate advertising has usually gone through many drafts and does not contain major spelling mistakes or poor grammar. Read your emails carefully and note any suspicious mistakes.
Building a culture of good habits is vital for the overall cybersecurity awareness of your company. Cybersecurity is a long-term strategy for your organization, one where consistent attention to detail is paramount. It is a constant journey, not a destination: an ongoing effort rather than a goal met once. Employee education and cybersecurity awareness are essential in any organization, and everyone must be involved. Contact NC4 any time at 877-624-4999 for more information or to see how our Cyber Solutions can help.