Phishing, a method of stealing account information such as login credentials and credit card details by pretending to be a trusted individual or firm in an email or other electronic communication, remains popular among cybercriminals. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), phishing was responsible for 32% of confirmed breaches as well as 78% of cyber-espionage incidents in 2018.
Everyone is vulnerable to phishing attacks, so it’s important to know what to do in case you or your employees encounter an email that might be a scam. Follow these best practices:
#1. Do not respond to the email
There’s a reason “phishing” sounds exactly like “fishing.” That’s because the term refers to the act of “setting out hooks” to “fish” for passwords and financial data from the “sea” of internet users. These messages are usually sent out in bulk, with the senders eagerly waiting to see who will “bite the bait.”
If you don’t recognize the sender of the email, don’t open or respond to it. Delete it immediately. Opening spam messages can put an unprotected computer at risk, so it’s better to err on the side of caution. Don’t reply to the email unless you’ve verified that it came from a legitimate source.
#2. Be careful with links within emails
Phishing emails can take the form of messages that are allegedly from legitimate companies. Usually, senders will claim that there is a problem with your account, and they'll offer a link to a login page. However, this is just the cybercriminals’ way of tricking the unsuspecting user into handing out their information.
Phishing emails share common elements. They ask you for something of value, such as passwords, account numbers, or a money transfer, and they carry a sense of urgency.
Let’s say one of your employees received an email pretending to be from “PayPal.” The message asks them to click a link inside the message to verify their account and unlock it. While the email might display the link as “www.paypal.com/login,” which looks legitimate, its true destination might be a spoofed version, such as “www.pay-pal.com/login”. The rogue website might even look like PayPal’s website to avoid suspicion.
If a user inputs their login credentials on the fake website, the data will be handed over to cybercriminals. The hackers will then seize control of the account for data and identity theft.
Before you click on any link, check the target address by hovering your mouse over it (although be careful: some very sophisticated hackers can deploy malware through a hovering action as well). Then, do an online search to find the firm's legitimate website address. If the URL in the link matches, then it's safe to click. Otherwise, don’t click the link. Better yet, don't use the email link at all: use the online search result in your browser to enter the site and log in from there.
#3. Approach attachments with caution
Hackers can include malware-infected attachments within emails. These are often documents that can harm your computer when opened. Let’s take a look at the two most common attachment types cybercriminals use:
- Executables and scripts disguised as documents: This technique isn’t new, as it has already been proven to be effective during the ILOVEYOU virus incident back in 2000. For this attachment, hackers may send an innocuous-looking file such as “Payroll.docx”. However, the file's full name is actually "Payroll.docx.exe". The cybercriminals took advantage of Windows’ default setting of hiding the extension, thus making it look like a legitimate document. However, once opened, this could unleash malware that wreaks havoc on the victim's PC and steals confidential information.
- Macro malware: According to IBM’s X-Force Incident Response and Intelligence Services (IRIS), 22% of reported campaigns in April 2019 delivered malware via booby-trapped macros. Cybercriminals can inject malicious macro code into a legitimate document and tell the recipient that to read the document properly, they need to enable macros. However, doing so will unleash the malware.
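Both attachment types above can be screened before a message reaches a user. The following is an added example, not part of the original article: it flags double extensions like "Payroll.docx.exe" and Office Open XML files that carry a VBA project. The extension lists, reason labels and the in-memory sample documents are constructed for illustration.

```python
import io
import zipfile

RISKY_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}
MACRO_ENABLED_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def triage_attachment(filename, data):
    """Return a list of reasons this attachment deserves a closer look."""
    reasons = []
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""

    if final_ext in RISKY_EXTS:
        # "Payroll.docx.exe": a document extension sits in front of the real one.
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append("double-extension")
        else:
            reasons.append("executable-or-script")
    if final_ext in MACRO_ENABLED_EXTS:
        reasons.append("macro-enabled-extension")

    # Office Open XML files are ZIP archives; VBA macros live in vbaProject.bin.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            if any(n.lower().endswith("vbaproject.bin") for n in archive.namelist()):
                reasons.append("contains-vba-project")
    return reasons


def make_ooxml(with_macro):
    """Build a constructed, minimal stand-in for a .docx/.docm container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("Payroll.docx.exe", b"MZ\x90\x00"))
    print(triage_attachment("Report.docx", make_ooxml(with_macro=True)))
```

Legacy binary formats (.doc, .xls) store macros differently and are not inspected by this sketch.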
#4. Don’t trust the email’s sender information
Spoofing is an email activity in which the sender address and email header are altered to appear as though the message came from a legitimate source. This means that even if the message appears to come from a sender you know and trust, it’s important to take caution as this is exactly what cybercriminals are banking on to get you to hand over your details to them.
Use the same precautions when dealing with these messages as you would with any other email. Examine the sender address carefully. Do not interact with the email, and discard and report it once you have verified it as malicious. When all else fails, just call or directly email the sender and validate their authenticity.
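Examining the sender address can go beyond the visible From line. The following is an added example, not part of the original article: it compares the From domain with the Reply-To and Return-Path domains and reads the Authentication-Results header that a receiving mail server records. The warning labels, the mx.example server name and the sample message are constructed; the hostnames reuse the article's PayPal example.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Domain part of the address in a header value, lower-cased ('' if none)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_warnings(raw_message):
    """Compare the visible From: header against other sender-related headers."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    warnings = []

    # Replies would go somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        warnings.append("reply-to-domain-differs")

    # The envelope sender (bounce address) belongs to another domain.
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        warnings.append("return-path-domain-differs")

    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for method in ("spf", "dkim", "dmarc"):
        if f"{method}=fail" in results:
            warnings.append(f"{method}-fail")
    return warnings


# Constructed sample: From claims paypal.com, everything else says otherwise.
SAMPLE = "\n".join([
    'From: "PayPal Support" <service@paypal.com>',
    "Reply-To: unlock@pay-pal.com",
    "Return-Path: <bounce@pay-pal.com>",
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=pay-pal.com;"
    " dkim=none; dmarc=fail header.from=paypal.com",
    "Subject: Verify your account",
    "",
    "Your account is locked.",
])

if __name__ == "__main__":
    print(sender_warnings(SAMPLE))
```

Legitimate bulk mail often has a Return-Path on a mailing provider's domain, so treat these as signals for review rather than verdicts.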
Never wire transfer money without checking with the authorizing body first. This is the most common form of hacking theft.
#5. Update your computer software
Set a regular schedule for updating the software of all your office computers. Updating your software continually not only keeps your computers protected from the latest threats, but enables new features as well.
Don’t let phishing emails get the best of your company. F1 Solutions is here to help with all your data security needs. Give us a call today to learn more.