Recently, email service providers have reported a shocking uptick in email-based scams looking to exploit current events for financial gain—and that’s on top of the 24 million phishing attempts per day that Google reports. Phishers have adapted and gotten more sophisticated in their attempts to fool both users and internet service providers. Fortunately, when it comes to keeping these attacks from reaching you or your business, a little knowledge is your best defense.
How Phishing Works
Email phishing generally pursues one of two goals: stealing your login details (especially financial credentials such as your bank username and password) or tricking you into downloading ransomware that will hold your data hostage in exchange for a hefty fee.
A classic phishing technique is the clone email. This is where phishers use a real company’s logo, branding and even a very similar email address and URL. They will often lead to a seemingly legit landing page with a login prompt.
Spear Phishing is a more sinister and more targeted technique. Spear phishers may impersonate a person from within your own organization to try to trick a user into giving up money. An example of this would be an urgent email that looks like it’s from your CEO or other senior leadership members, asking you to wire them money immediately.
How to Identify and Prevent Attacks
- Check email addresses and links carefully. Hover your mouse over any links to check their destination, and read carefully. Check the sender’s email address as well. A convincing clone might look something like e.compay.com rather than company.com. This goes for emails seeming to come from within your organization as well—phishers love to use a realistic email address with a letter or two off.
- Never download attachments from an unknown source. Ransomware is a growing problem globally, and it usually arrives as a nefarious link or attachment. When in doubt, delete emails from unknown sources or forward them to your IT administrator for verification. As a general rule, never open an attachment from someone outside your organization unless you have explicitly asked for one.
- Examine the content closely. If an email has a generic greeting addressed to “Dear Customer” rather than your name, has overly formal or odd language, or generally feels off-brand, it may be a phishing attempt.
- Don’t give in to fear. An email threatening to report your browsing history to IT unless you click a link; an urgent email from your boss; a notice that your account has been compromised and you need to reset your password—all of these are designed to scare us into clicking without thinking. If an email gets your heart racing, take a second and look again, as it may be a fake.
- Use filtering software. Tools such as Office 365 Advanced Threat Protection can help by filtering out malicious emails and attachments before they ever reach your inbox. Such tools can also keep users alert by flagging emails sent from outside your organization.
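As an added illustration of the address and link checks above (this is example code, not something from the original post), the following Python triage classifies the sender domain and every link domain in a message as trusted, a lookalike of a trusted domain, or plain external, the same judgement a reader is asked to make by hand. The trusted-domain list and the sample message are constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organization trusts: a constructed list, an assumption for this example.
TRUSTED_DOMAINS = {"company.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender or link domain."""
    domain = domain.lower().rstrip(".")
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return "trusted"                          # company.com, mail.company.com
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])           # e.compay.com -> compay.com
    for good in trusted:
        brand = good.split(".")[0]
        if brand in labels[:-1]:                  # company.com.evil.net
            return "lookalike"
        if 0 < levenshtein(registrable, good) <= 2:   # compay.com, c0mpany.com
            return "lookalike"
    return "external"

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'CEO <ceo@e.compay.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]

def link_domains(body: str) -> list:
    """Hostname of every http(s) link found in the message body."""
    urls = re.findall(r"""https?://[^\s<>"']+""", body)
    return [urlparse(u).hostname or "" for u in urls]

def triage(from_header: str, body: str) -> dict:
    """Verdict per domain, plus an overall flag if any domain is a lookalike."""
    sender = sender_domain(from_header)
    verdicts = {sender: classify_domain(sender)}
    for host in link_domains(body):
        verdicts[host] = classify_domain(host)
    return {"verdicts": verdicts,
            "suspicious": any(v == "lookalike" for v in verdicts.values())}
```

Subdomains of a trusted domain stay trusted, while a trusted brand appearing in the middle of another domain or a registrable name within two edits of a trusted one is reported as a lookalike.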
If you do accidentally click on a link, there are a few things you can do to protect yourself. Should you inadvertently compromise your personal data, take a minute to change your passwords and call your bank to report any compromised information or suspicious activity. To protect against ransomware attacks ahead of time, always have a data backup plan so that your information can be easily restored without forking over a hefty ransom.
While scammers are adapting and getting wiser, there is some good news. By educating yourself and members of your organization on their techniques you are less likely to be a victim. The fewer victims of such attacks, the less lucrative phishing will ultimately become.