Catching the Easy Prey - The Email Phishing Threat
Phishing may be the most prevalent security threat on the internet. According to Symantec’s 2019 Internet Security Threat Report, 65% of groups attack corporate networks using spear phishing tactics, a phishing attack that specifically targets an owner or high level executive. Companies can lose millions of dollars at the hands of a successful attack and pay just as much to remediate the situation. Furthermore, the brand tarnishing and lost customers that follow a breach can be extremely expensive and can even put a company out of business.
Most phishing takes place over email, but social media messaging is also becoming a widely used channel. Even still, some scammers go “old school” and make phone calls to both cell phones and landlines in hopes to reach an unsuspecting victim.
It only takes one employee to fail and you could end up in the same position as Chipotle in the spring of 2017. The restaurant was hit with a breach that compromised millions of customer credit cards, and it started with a phishing attack.
Scammers engage in phishing attacks to hit the weakest link in your security system: You. Social engineering is much easier than trying to hack a firewall. Most phishing attacks exploit fear (act now or something bad will happen) or greed (act now and you will get something good). Others rely on impersonation, such as spoofing an email from HR and asking for employee information. Phishing emails may tell you that if you don’t click on the email now you will lose access to an account. This raises the emotional stakes and keeps you from thinking straight. Phishing emails are also becoming more personalized, thus making it harder to identify they are fake. And any fake websites that lie behind those emails tend to be well crafted and are sometimes almost indistinguishable from the real thing. However, there are markers to look out for.
Protecting against email phishing attacks
So, what should you do? The best way to prevent phishing attacks is education.
- Use anti-virus software and keep all systems up-to-date.
- Ensure sure your mobile device software is up-to-date including apps on the device.
- Be wary of links in email, even if it is an email you were expecting to receive. Check the URL first by mousing over it or search for the website and navigate to it manually. This also goes for social media channels, Slack, Instagram, etc. Attackers may use .org instead of .com or vice versa, or putting .com in the middle of the URL, which then obscures the actual domain.
- Use multiple channels to confirm. For example, if you are sent an email requesting confidential information or financial payment, call the contact via the phone number you have on file (not the one included in the email) and make sure they really sent it. Spear phishing often involves impersonating people you know such as family members, business colleagues or vendors.
- As part of business processes, you should include a secondary approver to sign-off on payment requests before processing. This eliminates the urgency that attackers prey upon and allows for a second set of eyes on the request.
- Never send highly sensitive information over the internet without encryption. This includes passwords, credit card numbers, and social security numbers.
- Never open attachments you were not expecting as they could contain malware. Contact the sender of the email before opening if you are uncertain.
- Look for misspellings in email addresses or in the contents of the email itself. Attackers are known for typosquatting, where they replace numbers with letters that look similar and vice versa. This can happen in URL links as well.
- Require that employees use strong passwords and change them often. Using a password manager is a great way to store and manage your passwords in one central location and reduces the need to remember the countless number of passwords we have.
- Use dual factor authentication on all cloud, email, social media and financial accounts.
The best way to protect yourself from being phished is to educate yourself and your family, keep abreast of known scams, and be cautious of links and attachments in emails. Should you fall victim to a phishing scam and believe your information has been compromised, go to IdentityTheft.gov and there you’ll find instructions for next steps based on the information you have lost.