Phishing is the most common type of cyber-attack that impacts organizations both large and small. These attacks may take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details. Unfortunately, some of the more common ways we might have looked for phishing attacks in the past no longer work. For example, nearly half of all phishing sites now use SSL – apparently even the hackers want to encrypt the data passed between you and them.
The First Line of Defense Against Phishing Attacks
Although most organizations maintain controls to help protect their networks and computers from cyber threats, employees really are the first line of defense against many common cyber threats. Often hackers rely on a simple slip by an employee to gain information they can use to compromise your organization.
There are a few types of phishing attacks to watch out for:
- Phishing: In this type of attack, hackers impersonate a real company to obtain your login credentials. You may receive an e-mail asking you to verify your account details with a link that takes you to an imposter login screen that delivers your information directly to the attackers.
- Spear Phishing: Spear phishing is a more sophisticated – and targeted – phishing attack that includes customized information to make the attacker seem like a legitimate source. They may use your name and phone number and contact you at your work e-mail address to trick you into thinking they have a connection to you, making you more likely to click on a link or attachment in their message.
- Whaling: Whaling is a popular ploy aimed at getting you to send money or sensitive information to an attacker via email by impersonating a real company executive. Using a fake domain that may appear similar to yours, they look like normal emails from a high-level official of the company, typically the CEO or CFO, and ask you for sensitive information—including usernames and passwords.
- Shared Document Phishing: You may receive an e-mail that appears to come from file-sharing sites like Dropbox, WeTransfer or Google Drive alerting you that a document has been shared with you. The link provided in these e-mails will take you to a fake login page that mimics the real login page and will steal your account credentials.
7 Tips to Avoid Getting Phished
To avoid these phishing schemes, observe the following best practices:
- Don’t click on links or attachments from senders you don’t recognize. Be especially wary of .zip files or other compressed or executable file types.
- Don’t send sensitive personal information (such as usernames and passwords) over email or text.
- Watch for email senders that use suspicious or misleading domain names.
- Inspect URLs carefully to make sure they’re legitimate and not imposter sites. Type in a URL rather than relying on a link in an email. A tricky hacker could display one URL but link to another.
- Don’t open any shared documents that you’re not expecting to receive.
- Contact your IT Team if you can’t tell whether an email is legitimate or not.
- Be cautious when opening attachments or clicking links in general, but especially so if you receive an email containing a warning banner indicating that it originated from an external source.
It’s really far too easy for hackers to spin up a fake website to try to lure you in – there are videos and tutorials available online to walk even a novice hacker through the setup. These tutorials create sites that look very convincing, and we’re all in a hurry. Take a moment to protect yourself and your organization by verifying the authenticity of emails and websites first. Pick up the phone, send an instant message, or send an email if you got a message you’re not sure about – you can always ask the sender whether it’s a legitimate message or attachment.
Don’t Look Phishy
Finally, make sure that you (and your company) don’t send emails that look like phishing. We’ve all gotten legitimate messages that look, frankly, a little phishy. Take the time to make sure that your security-conscious employees won’t get stressed by automated messages that come from legitimate parties like accounting, shipping services, human resources, benefits sites and collaboration tools. For some, if it looks weird, they’ll just delete it and forget about it – not ideal if you’re making a time sensitive request. Many people get tens to hundreds of emails a day. By reducing the number of emails you send that might cause concern, you’re more likely to catch the ones that need it.