Don’t Get Caught by a Phishing Attack
We’ve all done it – clicked too quickly on a website, email, instant message, or opened a file we should not have. Cyber criminals present themselves as a trustworthy entity – typically by misrepresenting a legitimate email, website or instant message. They then trick the user into entering account or W-2 type information (Personally Identifiable Information or PII) by looking, feeling and acting exactly like the sites they are misrepresenting. Or, they install malware on the device which collects this information without the user’s knowledge or permission.
Phishing is pervasive – and costly
The Wall Street Journal estimates that nearly 97% of all cyberattacks start with phishing. Of particular note is one type of phishing attack the U.S. Federal Bureau of Investigation (FBI) classifies as a Business E-mail Compromise (BEC) attack. The FBI defines BEC as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The victims of the BEC scam range from small businesses to large corporations across all 50 states that deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another.
FBI data shows over 40,000 BEC attacks occurred between October 2013 and December 2016 resulting in global losses exceeding $5.3 billion. The FBI warns that the BEC scam continues to grow, evolve, and target small, medium, and large businesses. For example, between January 2015 and December 2016, there was a 2,370% increase in losses just in the United States.
How to protect against a phishing attack
Follow these best practices to safeguard against phishing scams:
1. Look for spelling and grammar mistakes. Legitimate organizations typically have quality control processes that ensure these types of issues are corrected before users have access.
2. Beware of links and attachments in email – or found via online searches. Roll your mouse over the link (but don’t click on it) to see if the address matches the link that was typed in the message. For example, the link below looks legitimate, but when you roll over it, you can see that the actual address does not match and does not appear to be authentic.
Also, be very careful when opening any .exe files: they are executables and often contain malicious software.
3. Watch out for communications that contain threats. Have you ever received a phone call from someone claiming to be the IRS or an email that says your account would be closed if you didn’t respond to the email message? Cybercriminals often use threats that your security has been compromised to entice you to take action immediately. Be suspicious of requests for secrecy or pressure to take action quickly.
4. Look closely at website addresses and type them in yourself. Cybercriminals create emails and websites that look and feel like legitimate sites, but the web address may be slightly off. Make sure you are clicking on the official site – or better yet, type the address in yourself rather than searching and clicking on website addresses.
5. Consider additional IT and financial security procedures, such as a two-step verification process and digital signatures for IT and financial transactions.
6. Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give attackers access to your computer system.
7. Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
8. Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
9. Create intrusion detection system rules that flag e-mails sent from domains that closely resemble the company's own e-mail domain. For example, a detection rule written for legitimate e-mail from abc_company.com would flag fraudulent e-mail from abc-company.com.
10. Back up your files to an external hard drive or cloud storage. Back up your files regularly to protect yourself against viruses or a ransomware attack.
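To show what items 2 and 9 look like in practice, here is an added Python example (not code from the original article or its sources): one function flags sender domains that sit within a small edit distance of the company domain, such as abc-company.com next to abc_company.com, and a second parses an HTML message and reports links whose visible text shows one host while the href actually points to another. The company domain, the distance threshold and the HTML snippet are constructed sample inputs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(sender_domain, company_domain, max_distance=2):
    """True when the sender domain imitates the company domain (item 9)."""
    s, c = sender_domain.lower().strip("."), company_domain.lower().strip(".")
    if s == c or s.endswith("." + c):
        return False  # the real domain or one of its own subdomains
    # compare name labels without the TLD (abc-company vs abc_company is distance 1),
    # and also catch the company name embedded in a longer domain (abc_company.com.example.net)
    s_label, c_label = s.rsplit(".", 1)[0], c.rsplit(".", 1)[0]
    return c_label in s or edit_distance(s_label, c_label) <= max_distance

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Links whose visible text shows one host but whose href goes elsewhere (item 2)."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if not shown:
            continue  # visible text is not a URL, so there is nothing to compare
        shown_host, real_host = shown.group(1).lower(), (urlparse(href).hostname or "").lower()
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            flagged.append((href, text))
    return flagged
```

Both checks are heuristics: a threshold of 2 edits suits a long company name like abc_company but would over-flag a very short one, so tune it to your own domain.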
Fight back against phishing
Cybercriminals make millions of dollars every year by tricking us into sharing our information. Follow the steps above and don’t get caught by phishing lures. Keep your security up to date and use security software and/or vendors you trust – and make sure you consistently and automatically apply updates.
Leverage phishing and security awareness training solutions to regularly educate and test your organization to immunize them against phishing attempts.
Call us today at 866-514-1440 and we’ll conduct a phishing campaign to determine your organization’s phish-prone baseline score at no cost! Or email us at firstname.lastname@example.org and we’ll get you on the path to being significantly more phish-proof right away.
1. Wall Street Journal, “Your Biggest Online Security Risk Is You,” Geoffrey A. Fowler, Feb. 27, 2017, https://www.wsj.com/articles/your-biggest-online-security-risk-is-you-1487786578.
2. FBI, “Business E-mail Compromise E-mail Account Compromise: The 5 Billion Dollar Scam Public Service Announcement,” Alert Number I-050417-PSA, May 4, 2017, https://www.ic3.gov/media/2017/170504.aspx#fn3.
3. Microsoft, “How to recognize phishing email messages, links, or phone calls,” https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx.