If you were fishing in a certain spot and kept reeling in record-breakers, wouldn’t you continue to cast a line there? That’s the dilemma organizations around the world are dealing with when it comes to phishing attacks. This crime works so well that cybercriminals continue to phish in these all-too-profitable waters.
81% of global organizations have experienced an increase in email phishing attacks since March 2020, according to IRONSCALES’ State of Cybersecurity Survey. Dig into the survey further and you’ll discover that phishing is the top concern of 90% of IT professionals they spoke with. The dollars involved can be staggering, with people losing over $44 million to phishing, vishing (phishing via voice mail or phone calls), smishing (phishing via text), and pharming (sending users to fraudulent websites) schemes in 2021, according to the FBI’s Internet Crime Complaint Center.
Despite these staggering numbers, there are relatively simple ways that you can stop phishing emails from hooking you or your employees.
Protect Your Bait
The good news is that when you know what to look for, phishing emails are pretty easy to spot. Like everything else related to cybercrime, phishing scams are continually evolving. However, some basics hold.
The first line of defense is giving your employees an understanding of what cybercriminals are trying to accomplish. Hackers use phishing attacks in an attempt to access an individual’s online accounts by acquiring their login credentials. Letting them know what cybercriminals are looking for will help employees be more vigilant in guarding these essentials. For example, if they receive a suspicious email purporting to be from a colleague asking for a password, they are more likely to think twice before complying.
Training is your best defense. The 2022 Phishing by Industry study by KnowBe4 found that more than 1 in 3 employees will fall for a phishing attack if they haven’t been trained.
How to recognize phishing attacks
So what does training entail? The main thing is vigilance when reading emails. Simply teaching your team to be aware of the signs of phishing emails decreases the chances that they will fall victim to a scheme. Thankfully, the signs of phishing are generally fairly easy to spot unless you are dealing with a sophisticated hacker.
1. Make sure the domain is correct. If an email comes from a public domain rather than a corporate email address, it is more likely to be a scam. For example, your boss is far less likely to send you a business email from a personal Gmail account than from their corporate email address. Gmail, Hotmail, and other free email accounts are often used by scammers because they are free and easy to set up.
2. Make sure the company matches the email. What about external emails? If the email is asking you to verify your Netflix password because there’s a problem with your account, but it’s coming from a Gmail address, it’s a safe bet that it’s not from Netflix. More than likely, it’s from a hacker attempting to gain access to your Netflix account. While that might be easy to spot in your personal life, it can be more challenging at work when your guard is down, and you are dealing with clients and vendors whose companies are not as well known.
3. Check again. If the company and email look okay at first glance, but the message in the email seems off, take a closer look at everything. Scammers frequently use a misspelled domain that is off by a character or two to catch potential victims off guard. This applies when you are talking about fraudulent websites as well.
4. Bad messaging. It might sound stereotypical, but the copy in phishing emails is usually poorly written. If there are misspellings, poor grammar, and/or a lack of punctuation, a bot could have created the email. Likewise, if the greeting is generic and addresses you only as a customer or a member, it’s less likely to be legitimate.
5. Don’t click that link! A phishing email aims to gain access to your account or systems. In either case, it will invite its target to click on a link that leads either to a fraudulent website or to a malware download.
6. Think it through. Even if everything else seems legitimate, if the email or text you receive is asking you to do something that doesn’t seem right – like advance money to a team member, authorize payment for something you haven’t seen before, or send login details to someone – it should raise a red flag. If your employees have any doubts, empower them to question the sender.
7. Common scams. Some phishing scams are more common than others, enabling you to warn your employees about them. Fake invoices requesting payment, claims that an email account will be shut down if it’s not switched to a new program, fake Google Docs or Dropbox requests asking you to click on a link to view a file, and, of course, emails asking for money top the list of cybercriminals’ favorites.
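One way to turn checks 1 to 3 above (free webmail sender, company not matching the sending domain, domain off by a character or two) into an automated mail-triage rule. This is an added example, not code from the original post; the free-mail list, the brand-to-domain map and the trusted domains are constructed assumptions you would replace with your own allow-lists.

```python
"""Flag the sender-domain signs of phishing listed above (added example)."""
import re
from email.utils import parseaddr

# Constructed list of free webmail providers (sign 1).
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# Assumed allow-list: brand name -> domains that brand really sends from (sign 2).
BRAND_DOMAINS = {"netflix": {"netflix.com"}, "acme": {"acme.example"}}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain is 'off by a character or two' (sign 3)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Use the real address, not the display name, which scammers control freely."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def phishing_signals(from_header: str, body: str, trusted_domains: set) -> list:
    """Return human-readable findings; an empty list means no sign fired."""
    domain = sender_domain(from_header)
    findings = []
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain {domain}")
    words = set(re.findall(r"[a-z]+", body.lower()))
    for brand, real in BRAND_DOMAINS.items():
        legit = domain in real or any(domain.endswith("." + r) for r in real)
        if brand in words and not legit:
            findings.append(f"message mentions {brand} but sender domain is {domain}")
    known = trusted_domains | {d for ds in BRAND_DOMAINS.values() for d in ds}
    for legit in sorted(known):
        if domain == legit or domain.endswith("." + legit):
            continue  # the domain itself or a genuine subdomain of it
        if levenshtein(domain, legit) <= 2:
            findings.append(f"{domain} looks like {legit} (lookalike domain)")
        elif legit in domain:
            findings.append(f"{domain} embeds {legit} but is a different domain")
    return findings
```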
Phishing attacks are not going away anytime soon – they are simply too successful to disappear. To protect your team, educate them about how to recognize phishing emails. The more they know, the less likely they are to fall victim.
Need training and cyber security help? Reach out to us!