Coming into contact with phishing scams has become a common occurrence for businesses. The combination of low upfront costs and a high success rate keeps phishing popular. Bad actors rely on phishing as a precursor to many dangerous attacks, such as ransomware, account takeover and business email compromise (BEC). In fact, 9 in 10 cyberattacks start with phishing. While the repercussions of a successful phishing attack can be devastating for organizations, knowledge and awareness can help stop an attack in its tracks with timely detection and elimination.
In a typical phishing attack, scammers send legitimate-looking communication, usually email, that asks users to download a malicious file or visit a phishing site mimicking a legitimate sign-in page, tricking victims into handing over sensitive data such as credentials, financial information and account details.
Here are some tips to help you spot and stop a phishing scam when it comes your way.
Assume links and attachments in suspicious emails are malicious
Unless you’re absolutely sure about the sender, avoid clicking embedded links or attachments. Scammers often use spoofed vendor or third-party addresses to gain your trust. Clicking the link may take you to a spoofed website that prompts you to divulge your user credentials or account details. If you’re even slightly unsure about a link, navigate to the website directly in your browser instead of clicking the embedded link.
Many scammers also put typosquatting links in phishing emails to target people who are not paying attention. Typosquatting is a tactic in which scammers register a common misspelling of another organization’s domain to steal users’ personal information. Check for “https” in the address: the “s” indicates the connection is encrypted, and most legitimate companies have moved to this secure protocol to protect their users’ information.
Additionally, avoid downloading attachments from untrusted sources, since doing so can lead to the unintended installation of malware such as viruses, spyware and ransomware. Malware can give threat actors broad access to your systems and data.
Tip: Always cross-check the sender’s address and never open a link or download an attachment from a suspicious email.
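One way to turn the link-checking advice above into a mechanical check, as an added example that is not part of the original article: it pulls the links out of a constructed email, compares each link’s domain against a constructed allowlist using edit distance (to catch typosquats such as a digit 1 in place of an l), flags a trusted name hidden inside a subdomain of an unrelated domain, and records whether the link uses https. The allowlist, the sample email and the two-label domain rule are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation trusts (assumption, not from the article).
TRUSTED_DOMAINS = {"example-bank.com", "example-vendor.com"}
# Constructed email body with three embedded links (assumption).
SAMPLE_EMAIL = """Your invoice is ready at https://example-vendor.com/invoices/123
Please verify your account now: http://examp1e-bank.com/verify
Or sign in here: https://example-bank.com.login-portal.test/session"""
URL_RE = re.compile(r"https?://[^\s<>]+")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (a real tool would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def classify_link(url: str) -> dict:
    """Label a link trusted, a lookalike of a trusted domain, or unknown, and record whether it uses https."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    result = {"url": url, "domain": domain, "https": parsed.scheme == "https", "verdict": "unknown"}
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    for trusted in TRUSTED_DOMAINS:
        # A name within one or two edits of a trusted domain is the classic typosquat.
        if edit_distance(domain, trusted) <= 2:
            result["verdict"] = f"lookalike of {trusted}"
            break
        # A trusted name buried in the subdomain of an unrelated domain is another common lure.
        if trusted in host:
            result["verdict"] = f"trusted name embedded under {domain}"
            break
    return result

def scan_email(body: str) -> list:
    """Extract every http(s) link from the body and classify it."""
    return [classify_link(u) for u in URL_RE.findall(body)]
```

Note that https only tells you the connection is encrypted; a typosquatted site can obtain a certificate just as easily, so the domain comparison is the check that matters.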
Don’t automatically assume senders are legitimate
These days, cybercriminals use advanced tools that let them spoof a famous brand’s email address with great accuracy. If an email asks for sensitive information, contact the sender through a different communication channel, rather than replying to the email, before divulging anything.
Cybercriminals can also send you emails from a colleague’s compromised account. So, if you encounter a potential phishing email, contact the colleague directly before replying.
Tip: Communicate directly to avoid falling for phishers’ traps.
Look out for generic greetings or appearances
Most organizations personalize their emails to establish better relations with their clients, so an email with a generic salutation, like “Dear sir or madam,” could be a warning sign of a phishing email. Avoid clicking on links and attachments in these emails and perform proper due diligence before interacting with them.
Tip: If the greeting is generic, ignore the email.
Stay alert for poor spelling and bad grammar
Another red flag in an email is misspelled words or incorrect grammar. Many non-native English speakers use translation tools to draft phishing emails, leading to grammar or spelling irregularities. Unfortunately, the advent of ChatGPT and GPT-3 is making it easier for bad actors to write believable messages.
Tip: Most companies have an editorial team, so if there are obvious errors, it is most likely a phishing email.
Be wary of urgent language and immediate calls to action
Scammers don’t want to give you time to think, so they try to create a false sense of urgency that pushes you into immediate action. For instance, threat actors send an employee spoofed emails claiming to come from someone in higher management, asking the employee to immediately send sensitive business information or perform an unsanctioned financial transaction. If you receive an email asking you to take prompt action, contact the sender directly through another communication channel.
Tip: Never promptly respond to an email that calls for immediate action. Think, pause and talk to the sender before taking action.
Be extra protective of your personal information
One of the primary goals of phishers is to steal your personal information, such as your name, email address, job title, phone number, home address and bank account details. With that information, they can use deceptive social engineering tricks to launch targeted attacks against you. Also, never disclose information about your colleagues, remote network access, organizational practices or strategies to an unknown individual or entity.
Tip: Never provide your personal information unless it’s to a trusted person or website.
Make a habit of flagging spam emails
Flagging an email as spam helps your email provider filter spam emails efficiently and send them directly to the spam folder or block them entirely. The email client also blocks similar emails, protecting you from further phishing attempts.
Tip: Don’t just delete phishing emails, flag them.
Don’t forget that phishing goes beyond email
In the last few years, threat actors have developed many innovative ways, apart from emails, to launch phishing attacks. One of them is smishing, in which scammers send bogus text messages that appear to come from a legitimate source, such as a bank or a trusted site. These messages also have a sense of urgency and request the recipient to click on a link or reply with personal information.
Another phishing method is vishing, which involves defrauding people over a phone call. Hackers use VoIP to spoof caller IDs, making their calls seem legitimate.
Tip: Don’t provide personal information over a call or through SMS if you’re unsure of the caller’s or sender’s legitimacy.
When in doubt, contact your IT department at I.T. Solutions of South Florida
If you encounter a potential phishing email, give the details to the Helpdesk at I.T. Solutions of South Florida and flag it as spam. We can verify the email’s authenticity and instruct you on further action. If you have clicked on a link or downloaded an attachment, ensure the IT team knows it.
Tip: Timely reporting of a phishing email to your IT department at I.T. Solutions of South Florida can drastically reduce the duration and impact of a phishing attack.
Article courtesy Kaseya