“Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need—a request from their bank, for instance, or a note from someone in their company—and to click a link or download an attachment.” — CSO
Without the right email security and training, phishing is a weapon that will be used against your business.
Don’t believe us? That’s okay. Maybe these statistics from Dashlane will sway you:
- Phishing attacks have grown 65% in the last year
- 76% of businesses have reported being a victim of a phishing attack
- 30% of phishing attacks are opened by victims
Now that we have your attention, let’s take a few minutes to discuss how you and your team can avoid phishing attacks and boost email security.
Avoid email links with a suspicious URL
Cybercriminals might send you a phony email with a link to a malicious website.
This website could infect your system with malware. Or it could be a page created to dupe you into handing over sensitive information (for example, asking you to log in to your account or to confirm your credit card information).
No matter what, always hover over the link to make sure it’s legitimate. Take a close look at the URL and confirm it takes you to the right place.
If you’re at all unsure, get to the “destination” manually. For example, if your bank asks you to log into your account, go directly to your bank’s site and log in from there. Don’t click on the link.
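To make the "hover and check the URL" advice concrete, here is an added Python example (not part of the original article) that pulls every link out of an HTML email body and flags what a careful reader should catch by hovering: a destination outside the expected domain, a bare IP address, a non-HTTPS link, and visible link text that names one address while the href points somewhere else. The email body and the example-bank.com domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body with one honest link and two
# links whose displayed text does not match where they really go.
SAMPLE_EMAIL = """
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a>
<a href="https://example-bank.com.account-verify.net/login">https://www.example-bank.com/login</a>
<a href="http://198.51.100.7/confirm">Confirm your card details</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_links(html_body, expected_domain):
    """Return one finding per suspicious link; an empty list means every link checks out."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():
            findings.append(f"{href}: bare IP address instead of a hostname")
        elif registrable_domain(host) != expected_domain.lower():
            findings.append(f"{href}: destination is not {expected_domain}")
        # Visible text that itself looks like a URL must point where it claims to.
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                findings.append(f"{href}: shown as {shown} but goes to {host}")
        if urlparse(href).scheme != "https":
            findings.append(f"{href}: not HTTPS")
    return findings
```

Run `check_links(SAMPLE_EMAIL, "example-bank.com")` to see the two bad links produce four findings while the honest link produces none.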
Don’t download attachments from unknown sources
What’s true for links is also true for email attachments. Don’t think you have to download something just because it’s attached to the email.
Remain suspicious and ask yourself why someone wants you to download the attachment. For example, if your insurance provider sends you an update via an attached PDF, ask yourself if that behavior is normal.
Typically, organizations have you log into your account to view any updates or changes to your relationship. So in this case, you’d want to call your provider or manually log into your account.
Read every email very carefully before handing over data
From time to time, phishing emails will contain grammar issues and spelling mistakes. If this happens, delete the email or contact the perceived source directly. Most organizations have multiple people review an email for accuracy — if there are errors, it’s a major red flag.
However, this happens less and less, and it’s become harder to spot a malicious email based on grammar alone. Cybercriminals may take months crafting the perfect phishing attack. They’ll research the company and create a believable email. Because of this, a perfect-looking email does not guarantee safety.
Ignore urgency and take your time
Phishers love to push urgency in their attacks. The more urgent a request appears, the more likely it is that you’ll click, download, or respond without thinking.
Never take immediate action with an email if sensitive data is at risk. Always take your time, remain suspicious, and analyze the email from top to bottom. Act as if the urgency does not exist, and treat the message as a normal email.
Confirm unusual requests another way
Avoid links, downloads, and requests if they seem off for any reason — instead, confirm the request another way.
As mentioned a few times, you can call or visit the represented source directly (without using the link). If it’s a download from an unknown source, contact the company’s customer service to question the legitimacy of the email. It might take a few minutes, but it’s well worth it.
Understand that phishers may know who you are and how you work
Targeted phishing attacks are a whole ‘nother beast. These emails have a deep understanding of internal processes, employees, and job roles. In other words, even if the email is well-written, appears legitimate, and addresses internal procedures, you still might not be safe.
Consider the Mattel phishing attack from a few years ago.
In 2016, a finance executive received an email that seemed to come from the CEO of the company. It asked the executive to send a vendor payment of $3 million. After double-checking internal procedures, everything seemed in line — so the payment was sent.
Little did the executive know … the payment was sent to a group of hackers. The money would have been lost, but there was a banking holiday in China. The accounts were frozen, and Mattel was able to get their money back.
Long story short, don’t just double-check. Triple-check, quadruple-check.
These tips are just the beginning of phishing awareness. If you want to take your email security to the next level, there are a few other steps you can take. Here are a few to get you started:
- Simulated phishing attacks: Partner with a company who can create, send, and analyze fake phishing attacks for you. It’s a hands-on way to train your employees about malicious emails.
- Layered security solutions: A simple antivirus that you download from the internet will not cut it, and a fix-it-and-forget-it security solution is not the way to go. You need a dedicated security partner who can provide you with a managed security solution.