As part of our ongoing series for National Cybersecurity Awareness Month, today we will address the topic of phishing. Phishing is one of the easiest ways in which criminals can gain access to your valuable and sensitive data and create havoc. Phishing can be done in several ways including:
- Email to collect sensitive data. In many cases, phishing attacks happen over email. Your run-of-the-mill phishing attempt will appear to ask you for personal information such as account passwords, bank details or Social Security numbers. These emails will be disguised to look incredibly legitimate, so that you, in turn, provide the requested information.
- Email to deliver malware. Another popular phishing technique is to include a link or attachment file. Again, these emails look scarily real, and often times, users will click the link or download the attachment. Once clicked, the link will install some form of malware, ransomware or other form of damaging attack to steal sensitive data.
- Can also be done via phone calls (vishing) or through messaging services (smishing). The outcomes are normally the same as that via email, but hackers are just using a different channel.
So many of us believe we'd be able to spot a phishing attack a mile away, but don't be so sure. According to Webroot, the average number of phishing websites created every month is about 1.4 MILLION! PER MONTH! The experts at Symantec deduced that one out of every 2,000 emails sent is a phishing attempt on an unsuspecting victim. Considering the world sends around 270 billion emails every day, that's means there are about 135 million phishing emails sent EVERY DAY!
Because of the sheer volume of emails we all receive on a daily basis, these cybercriminals make sure to make the subject lines of their emails eye-catching and enticing. Eye-catching isn't always good news like a big win in a contest either; it could be a fake email from your bank stating your account has been compromised and they need your credentials to fix it! Whatever it takes for you to give these bad guys the details they want, they're going to do it. Another popular way phishers look to get your attention is to send emails about hot topic news items - today, this could involve something COVID related, breaking news about the upcoming election or even a fake celebrity death story.
Once the phishing attempt is deployed, criminals sit back and wait for the information to start coming in, and with it, they access your business and personal information and create chaos. Below are four examples of phishing from the Federal Trade Commission's OnGuard Online Program provided by CISA.
- "We suspect an unauthorized transaction on your account. To ensure your account is not compromised, please click the link below, and confirm your identity."
- "During our regular verification of accounts, we couldn't verify your information. Please click here to verify your information."
- "Our records indicate that your account was overcharged. Click here within seven days to receive your refund."
While all of these seem innocuous on the surface, clicking on them would lead to a data compromise.
So how do you avoid falling victim to a phishing attack? Here are some tips to keep in mind:
- If you don't know who an email is from, even if it includes some identifiable personal information, don't click on any link or attachments in the email. If your bank is concerned about fraud, they will understand if you call them to verify the email is legit.
- Train your employees on what to look for with regards to phishing. By equipping staff with the latest knowledge on phishing attempts, you can rest assured that your data is safe and secure.
- Look for urgency. Lots of phishing emails prey on fear to get action, so they will use words such as urgent or put time limits on the email. If an email feels wrong, it probably is. Contact the sender (bank, boss, etc.) by another method to confirm the email's validity.
- Don't disclose personal information online. In the online world we live in, with social media, online shopping and other sources, phishers can often find personal information on you somewhere on the web. Try to limit the amount of personal information you supply online, especially on social media.
- Hover on the links. When viewing a suspicious email that's from your "bank", place your mouse over any hyperlinks. The hyperlink will often show you the URL where you'll be directed if you click that link. If the URL isn't that of your bank, it's likely phishing.
- Utilize multi-factor authentication (MFA) whenever possible. MFA is an method of identifying that the right person is accessing the right account. Whenever possible, use MFA, especially for sensitive information such as banking, credit cards, social media and the like. While you may have to go through one more step to log on to an account, that one step could be the saving step for your information.
- Stay updated on all software patches and updates. These updates are most often released to rectify a vulnerability on your software. Leaving it unpatched leaves the door open to being phished.
Phishing attacks are happening all day, every day, and it takes awareness and caution to avoid falling prey to them. Fraser offers a unique employee training program that provides your staff with real world, comprehensive lessons on how to spot phishing and avoid being a victim.