qtq80 lapLI4 - What is phishing? How to recognize when you are the fish!

Phishing attacks happen every day but do you always recognize them?

Don’t get caught!  The number one cause of most cyber-attacks is employee error.  It happens when employees click on something that they don’t realize is malicious. In today’s blog, we look at a few basic tips to help you and your employees fight phishing attacks and protect your business.

Tips:

  • Don’t trust the display or “From” name on emails. Often cyber criminals will spoof legitimate businesses or brands to make the email seem legit.

Example:

To:  You <you@yourdomain.com>

From: ABCBank <accounts@secureit.com>

Subject: Unauthorized Login Attempt

While the email may look legit, don’t just trust the name, look at the actual domain in the email header, in this case secureit.com. The domain should be ABC Bank’s domain name.  Since ABC Bank doesn’t actually use the secureit.com domain, don’t open the email.  If you are not sure if the domain is legit or not then follow what we refer to as Rule #1, reach out to the company i.e. ABC Bank in this example and ask before you open.  You can also google the domain name which should help you determine if the domain is legitimate or not.

  • Pay attention to the signature. Most phishing emails will lack information about the signer of the email.  If there is no information about how to contact the company then odds are it's probably a phishing attack.
  • Check out links, but don’t click on them. Hover your mouse over any links embedded in the body of the email.  This allows you to see the link without clicking on it.  If the link address looks weird or doesn’t contain the sending company’s domain name, don’t click on it.
  • Check for spelling mistakes or poor grammar. Most companies are pretty good about their email spelling and grammar.  Read your emails carefully.  If you see poor grammar or spelling, then report the email to the company it appears to have come from.  It will help them to notify others that they have been spoofed.  Remember it takes a village to keep everyone safe.
  • Consider the salutation. If the email is address to a generic or vague “Important customer”, then beware.  Most legitimate businesses will typically use a personal salutation with your name.
  • Beware of urgent or threatening language in the subject line. Legitimate companies will not use threatening language in emails.  Invoking a sense of urgency or fear is a tactic that is common in phishing attacks.  Whether you suspect it is phishing or not, remember Rule #1 and call the company that the email appears to be from.  Let them know about the email.  If it turns out to be legit, they should be able to assist you over the phone.
  • Don’t provide any personal information. No legitimate business will ask for personal information via an email. If you unsure about the email or the request, call the company that sent the email and ask.  Remember that’s Rule #1.  Check before you act.  If it turns out to be legit, they should be able to assist you over the phone.
  • Be skeptical. Most cyber criminals that use phishing attacks are pretty good at what they do.  Just because an email looks right, doesn’t mean that it is, be skeptical.  If you suspect something than don’t open it.  If you really want to make sure, remember Rule #1 and call the company.  If they sent a legitimate email, they will be more than happy to help you over the phone.

In today’s cyber environment, we can never be careful enough.  Make sure your employees know and understand how phishing and spear phishing attacks work, and what to look for.  It’s your business so make sure it’s protected.

A good IT security plan should include periodic training and testing of your employees.  After all, employee mistakes are the #1 cyber risk to your business.  If your IT provider doesn’t help protect you from today's #1 risk, maybe it's time to look for a new IT provider.