This month’s security awareness tips concern an increasingly common, sophisticated, and dangerous threat: phishing.
Phishing is a cyberattack in which the attacker sends fraudulent communications (email, text messages, phone calls, social media messages, and so on) to trick the recipient into divulging sensitive information: Social Security numbers, credit card or bank account details, login credentials, or anything else the attacker can use to commit theft or otherwise harm the victim.
Phishing is the most common type of social engineering: deceiving, pressuring, or manipulating people into sending information or assets to the wrong people. Social engineering attacks rely on human error and pressure tactics for success. The attacker typically masquerades as a person or organization whom the victim trusts — e.g., a coworker, a boss, or a company with which the victim’s employer does business — and creates a sense of urgency that drives the victim to act rashly. Hackers and fraudsters use these tactics because it’s easier and less expensive to trick people than to hack into a computer or network.
Significantly, the prevalence, severity, and complexity of phishing attempts have all increased in recent years: there was a 61 percent increase in the rate of phishing attacks in the six months ending October 2022 compared with the previous year. Attackers have more sophisticated tools, more information about potential victims, and more channels through which to attack. Meanwhile, human error has remained constant.
Here are some helpful habits from Inspired eLearning. Put these into practice to proactively protect yourself, and by extension, your business and clients, from phishing scams:
Learn to identify the parts of a URL to protect yourself from fake URL phishing attacks.
Phishing attacks often use deceptive URLs to make you think you are on a site other than the one you are actually on. A URL such as “http://subdomain.domain.com/folder/page.html” is made up of specific parts: the protocol (“http://”), the domain (“subdomain.domain.com”), the directory path (“/folder/”) and finally the page (“page.html”). The domain is the part you must pay attention to, and it is the part after the “http://” and before the first forward slash (“/”); read it right to left, because the rightmost labels are the ones that decide who owns it. “http://www.bank.com” is on the domain “bank.com,” but “http://wwwbank.com” and “http://www.bank.co/m” are entirely different domains, and so is “http://www.bank.com.example.net,” even though it begins with the name you expect. Two further tricks to watch for: an “@” before the host (“http://www.bank.com@example.net” goes to example.net, not bank.com), and a trusted name hidden in the path (“http://example.net/www.bank.com/login” is on example.net). Most sites now use HTTPS, which encrypts the connection between your browser and the server. Prefer HTTPS whenever possible, but remember that the padlock only tells you the connection is encrypted; phishing sites use HTTPS too, so the lock does not prove the site is the one you meant to visit.
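The following script is an added example, not part of the original post, showing how a program (or a careful reader) isolates the part of a URL that actually matters. The bank.com and example.net names are placeholders, and the sample URLs are constructed for illustration rather than taken from any real campaign. It pulls out the host exactly as a browser would (dropping any “user@” prefix and port) and then checks whether that host is the expected domain or a subdomain of it, which is what defeats the lookalike tricks described above.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample URLs for illustration; bank.com stands in for a real bank.
SAMPLES = [
    "http://www.bank.com/login",                    # genuine subdomain of bank.com
    "https://www.bank.com:443/account/page.html",   # explicit port, still bank.com
    "http://wwwbank.com/login",                     # missing dot: a different domain
    "http://www.bank.co/m",                         # domain is www.bank.co, not bank.com
    "http://www.bank.com@example.net/login",        # text before '@' is userinfo, host is example.net
    "http://www.bank.com.example.net/login",        # bank.com is just a label inside example.net
    "https://example.net/www.bank.com/login",       # trusted name hidden in the path
]


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to for an http(s) URL, lower-cased,
    with userinfo ('user@') and port (':443') removed; None for non-web schemes."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None  # mailto:, javascript:, etc. have no web host to trust
    host = parts.hostname  # urlsplit already strips userinfo/port and lower-cases
    return host.rstrip(".") if host else None


def is_on_domain(url: str, domain: str) -> bool:
    """True only if the URL's host is `domain` itself or ends with '.' + domain.
    The label-boundary check is what makes 'wwwbank.com' and 'bank.com.example.net' fail."""
    host = hostname_of(url)
    if host is None:
        return False
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def explain(url: str, domain: str = "bank.com") -> str:
    """One-line verdict for a URL, useful when walking through the samples."""
    verdict = "on" if is_on_domain(url, domain) else "NOT on"
    return f"{url!r}: host={hostname_of(url)!r} -> {verdict} {domain}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(explain(sample))
```

Only the first two samples pass the check. Note that this is a domain-spelling test, not a reputation test: a registered lookalike such as “bank-secure-login.example” is correctly reported as a different domain, but deciding whether that domain is malicious still requires you to know what the real one is.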
Tell your coworkers about suspicious activity on their email accounts or contact lists.
Hackers may use a friend's or coworker's email address to send viruses, malware, or phishing attempts. If you receive a suspicious email from a colleague, do not open its attachments or click its links; report it and delete it. Then alert your colleague through a channel other than email, since they may not be aware of it and the malicious messages may be going out to other friends and colleagues as well. Often the fix is simply resetting the account's password, and it is worth also checking for mail-forwarding rules or other settings the intruder may have changed.
Verify a sender’s identity before replying to any emails requesting personal information.
Phishing means fraudulently obtaining information from a computer user by posing as a trusted entity, such as a bank. The most common form contacts users by email and asks them to “verify” an account by entering information on a fake website that looks legitimate. Avoid these schemes by contacting the purported sender to confirm that it actually sent the message, and do so using a phone number or web address you already know (for example, the number on the back of your card), not the contact details printed in the email itself. Legitimate financial institutions will not ask you for confidential information or login credentials via email.
When in doubt, type in the address instead of clicking on a suspicious link.
Don’t blindly click on links you receive in email, especially from people you don’t know or whose identity you cannot ascertain. The stated name of the website might be for a company you already trust and use, but the actual link takes you to a fake or copycat website designed to steal your account’s login information.
Treat unsolicited emails as suspicious.
Scam artists may use the information you post on social media to make their phishing emails seem more legitimate. For example, one common scam uses your grandmother's name in an email claiming that she has gotten into financial trouble and needs you to wire her money.
Don’t automatically trust emails from colleagues.
An email from a colleague may have come from a hacked account. Contact your colleague directly if you have concerns about an email they appear to have sent you, and do not transmit personal or sensitive information through email. Do not respond directly to the email before you know it came from a valid source.
Hover over links to see their actual destination.
Move your mouse over a link without clicking to see its actual destination, usually shown in the status bar at the bottom of the browser or mail window. Do not click the link if that address differs from what you expect; the visible text of a link can say anything, and it is the underlying address that decides where you end up. You can also right-click, copy the link address, and paste it into a text file to inspect it. On a phone or tablet there is no hover: press and hold the link instead, and read the address it shows before opening it.
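Hovering works because a link has two parts, the text you see and the address it really points to, and phishing relies on the two disagreeing. The following script is an added example, not code from the original post, that automates the same check over an HTML email body: it collects every link, and whenever the visible text looks like a URL or domain name, compares the host it claims with the host the link actually goes to. The email body is constructed for illustration, and bank.com, evil.example and secure-bank-login.example are placeholder names.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample HTML email body; the domains are placeholders, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="https://www.bank.com/statements">View statement</a>
<a href="http://www.bank.com@evil.example/login">https://www.bank.com/login</a>
<a href="http://secure-bank-login.example/">www.bank.com</a>
<a href="https://www.bank.com/help">bank.com help center</a>
"""

# Visible link text that looks like a URL or bare domain: optional scheme, a dotted
# host, optional path. Ordinary wording such as "View statement" does not match.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[Optional[str], str]] = []
        self._href: Optional[str] = None
        self._inside = False
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._inside = True
            self._text = []

    def handle_data(self, data):
        if self._inside:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._inside:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._inside = False
            self._href = None


def real_host(href: Optional[str]) -> Optional[str]:
    """Host the browser would actually connect to (userinfo and port stripped)."""
    if not href:
        return None
    return urlsplit(href.strip()).hostname


def shown_host(text: str) -> Optional[str]:
    """Host the visible text claims to point at, or None if the text is not URL-like."""
    m = DOMAIN_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def mismatched_links(html: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (shown_host, real_host, href) for each link whose visible text names
    a host that differs from where the href really goes; this is the hover check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = shown_host(text)
        if shown is None:
            continue  # plain wording, nothing to compare against
        real = real_host(href)
        if shown != real:
            findings.append((shown, real, href or ""))
    return findings


if __name__ == "__main__":
    for shown, real, href in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"text says {shown!r} but the link goes to {real!r}: {href}")
```

Run against the sample, the script flags the two deceptive links (the one using the “@” trick and the one whose text is simply a different domain) and leaves the two honest ones alone. Links whose text is ordinary wording cannot be judged this way, which is exactly why the hover habit matters for “Click here” style links.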
If you receive a text from a number you don’t recognize, read it carefully.
Smishing (SMS phishing) occurs when a cybercriminal sends a text message requesting personal information. These messages range from a bare link to a website to a request for specific personal details; they may ask you to “verify” your information or claim you have won a contest you never entered. Whatever the pretext, a legitimate company or service will not ask for personal information over a text. If you suspect a text or email is a phishing attempt, do not reply and do not tap the link; delete it or mark it as junk, and report the attempt.
Stay one step ahead of cyber threats. Arm yourself with knowledge and be the first line of defense against phishing attacks. Act by educating yourself, safeguarding your information, and keeping your organization secure. Please don’t wait until it’s too late. Share this blog with your team, and don’t hesitate to reach out and let us know if we can help you prioritize your cybersecurity and security awareness.
Cole McAndrew is AISN’s Information Security Officer.