How To Avoid Being Phished

Every day, cybercriminals are constantly trying to manipulate your and your staff’s behavior. They do this by using a stream of emails, texts, and social media messages pretending to be a well-known organization or a friend. Their end game is to trick you into clicking on links or attachments that have hidden malware.

The statistics of phishing scams are scary. Successful phishing expeditions cause up to 90% of data breaches. One in every twenty-five branded emails you receive is an attempt to steal your data. The truly alarming fact is attacks are only increasing in number and spreading to different types of media.

In order to not become a victim, you must be able to identify phishing scams. Below we discuss the most common phishing attacks and some great ways to identify a phishing email.

Deceptive Phishing
By far this is the most common type of phishing and uses the “spray and pray” technique. These emails tend to be generic in nature and have one goal, steal your data or login credentials. Cybercriminals will often impersonate a legitimate organization and use threats or create a sense of urgency to trick you into clicking on malicious links or attachments.

Spear Phishing
Spear Phishing is prevalent in both email and social media sites. These communications are more specific in nature and often targeted to a person, group, or company. These attacks will have information that is specific to the target and may have personal information to create a sense of trust with the sender.

Once again, the goal is to trick you into clicking on malicious links or attachments.

Whaling
Whaling is a targeted attack against senior management positions (CEO, CFO, COO) and the staff that support these positions. Using similar techniques as Spear Phishing, the primary goal of whaling is to trick executives into authorizing fraudulent wire transfers or disclosing W-2 information. Although these attacks are directed at all industries, healthcare, technology and banking sectors are favorite targets of the bad guys.

Vishing
Vishing is where attackers use phone calls instead of email or social media. In this type of ploy, attackers are “dialing for dollars” by calling random phone numbers. The call may come to the victim using a local area code so it looks to be a call from a local source. The bad guys often impersonate a legitimate organization or tech support.

The goal of these attacks is sometimes different as the attackers may ask you to get on your computer and run commands so they can “help” you with a problem (one you don’t really have). The attackers attempt to get the victim to access malicious sites that can install viruses and malware on the victim’s computer. From this software, the attackers can get everything from the victim’s computer, including user accounts and passwords to sensitive sites.

No legitimate company will ever call you to tell you your computer has a virus or ask for your passwords.

Smishing
Smishing (aka SMS/text phishing) has grown in popularity and is one of the easiest attacks for a bad guy to execute. The message will appear to come from a legitimate source (such as Apple, Microsoft, etc) and us the common tools of threats or create a sense of urgency.

The goal as always is the same, trick victims into clicking on malicious links or attachments.

Phishing attacks are tricky and sometimes sophisticated, however, there are many ways not to fall victim to these attacks.

Establish cybersecurity awareness training for all employees including senior management.

Deploy reliable anti-virus software, firewalls, and anti-spam solutions.

Review each email / SMS text for generic greetings, a sense of urgency, grammar and spelling mistakes, and requests for personal information.

Inspect links and attachments carefully – Hover your cursor over all links to validate the link destination.

Be suspicious of attachments in unexpected emails.

.If in doubt about an email or attachment call the sender directly using a number from your personal contact list or found in a search.

Set up multi-factor authentication (2FA) whenever possible, especially important for email and financial websites.

Limit sharing personal and corporate information on social media.

Install security updates on your computer regularly.

Phishing attacks try to get us to act without thinking. If something feels off about a message,  it probably is! The best defenses against Phishing are Security awareness training for all staff. Always THINK BEFORE YOU CLICK!