There are a myriad of technology-related security threats that your business as well as your customers face today. One threat that constantly comes up is phishing scams. These scams can be fairly simple, yet very effective at duping the user and capturing their private information. Even the slightest clue to a username and/or password can give hackers all they need to break into private systems and steal information from companies and individuals—and for this reason, it’s crucial to be aware of phishing schemes, tactics and best practices for avoidance.
What is Phishing, and What Does It Look Like?
Phishing scams have been around for a while, but one of the reasons they still exist is that they’ve become more sophisticated over the years. Not all phishing scams involve a Nigerian prince needing to send you his inheritance. Phishing masterminds use advanced techniques to make their messages look like they come from legitimate businesses and/or brands you think are harmless.
Phishing is a type of social engineering attack that tricks victims into giving away information to cyber criminals posing as a trusted source. It’s an easy and effective way for criminals to hack sensitive systems and information, and the dangerous aspect is that it can come in many forms—the main one being email. Today, phishers, on average, launch a new attack every 30 seconds—and phishing schemes are growing increasingly sophisticated as cyber attackers use new tools and tactics to create authentic-looking emails.
Even the most tech-savvy individuals are fooled by phishing scams, causing them to give up personal information, passwords, credit card numbers and bank account numbers. People need to know what these scams look like and how to avoid them.
Due to the increased awareness around phishing scams, cybercriminals are constantly shifting their approach to become more sophisticated—sometimes making the timing and emails themselves seem uncannily official.
Bank impersonations are common types of phishing emails, especially around tax season.
Low-cost phishing and ransomware tools are very easy to get a hold of, and the attacks are just as easy to execute. So, what makes phishing such a successful method of cyber attack, and what can organizations do to protect themselves?
The most common type of phishing attack involves a criminal posing as a high-level executive who will then send an email message to an employee with access to a desired system or information. Cisco recently released a midyear report showing that CEO fraud netted cybercrime five times more money than ransomware over the last three years. This tactic is essentially the easiest way for criminals to get all the necessary information to commit tax and other fraud. And, according to anti-phishing company PhishMe, phishing emails pretending to be regular office communications are the most effective, with an average click-through rate of 22 percent.
Why Does Phishing Keep Happening?
When trying to determine the key factors that allow phishing attacks to infiltrate organizations, all paths lead to a lack of cybersecurity education among employees. Human error, paired with corporate cultures that fail to prioritize cybersecurity education, is often the culprit when businesses fall victim to phishing attacks. In fact, a global survey of over 400 C-suite executives by the management consulting firm A.T. Kearney showed that cybersecurity (at 43 percent) is the top operational challenge they face. Part of the reason is that many employees have never received adequate security awareness training, if any at all.
So, why does phishing keep happening? It’s because people continue to fall for it! However, if organizations begin to prioritize security training and education, they can prevent their employees—and their sensitive business data—from being such easy targets.
How Companies Can Catch Phishing
The first line of defense against phishing attacks is to enhance education around email security. Failing to establish per-message authenticity company-wide puts organizations at risk of targeted email attacks.
It is imperative that all employees in an organization understand what a phishing email looks like and how to avoid becoming a victim. However, this is only possible when users are given the tools and training needed to detect potential phishing emails. In addition, companies need to develop policies and provide instructions on what users should do if they suspect phishing.
Tips to Protect Against Phishing
1. Be wary of suspicious emails and common phishing phrases
The simple fact is that legitimate businesses are not going to request sensitive information via email. Any email that asks for personal information should raise suspicion. Instruct customers to ignore any emails asking for anything related to account information, passwords or any other sensitive information, unless they are specifically expecting that email. If you do need to enter personal information via an email, make sure the link goes to a legitimate website that you recognize.
2. Always check website addresses
Most people don’t pay close attention to the site they are about to visit when they click a link. But do they know that they can reveal the actual destination that a “Click Here” button or text link in an email is pointing to? By hovering over a link, the user can simply preview the destination, and if it’s not the actual company site or a website that they recognize, then clicking on that link could invite numerous problems, including landing on a phishing website or installing a piece of malware onto the user’s device.
3. Always know what links you are clicking on and where they lead
Along the same lines as checking a website address before clicking a link in an email, it is imperative to preview or check all links before clicking on them, at all times. Everyone has experienced that feeling of “I shouldn’t have clicked on that one!” as their computer starts to show the effects of malware, spyware and more. Many browsers will give a preview of where the link leads before you click it—a feature that should always be used, especially if the website is questionable. If you don’t recognize the link you’ll be clicking on or are worried about the title, don’t click it.
4. Don’t input personal information unless you are absolutely sure of the website
NEVER give personal information if there is even a shred of doubt.
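As an added illustration of tips 2 and 3 above (this is example code, not part of the original article), the following Python script does programmatically what hovering over a link shows a user: it pulls every link out of an HTML email body and flags any href whose real host is not on an allowlist, is a bare IP address, or belongs to a different domain than the URL shown in the visible link text. The sample email body and the TRUSTED_DOMAINS allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email; the first link's visible text and href disagree.
SAMPLE_EMAIL_HTML = """
<a href="http://login.examplebank.com.evil-example.test/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://198.51.100.7/update">Click Here</a>
"""
# Hypothetical allowlist of domains the organisation really uses.
TRUSTED_DOMAINS = {"examplebank.com"}

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_link(href, text):
    # Returns the reasons a link is suspicious; an empty list means it passed.
    reasons, host = [], (urlparse(href).hostname or "")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a domain")
    if registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("host %s is not a trusted domain" % host)
    shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append("visible URL %s differs from real host %s" % (shown, host))
    return reasons

def scan_email(html):
    # Maps each href in the email body to its list of warnings.
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Running scan_email(SAMPLE_EMAIL_HTML) flags the look-alike and bare-IP links while the genuine help-center link passes with no warnings.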