The next topic in our best practices series will focus on email scams and phishing.
What is phishing?
Phishing is a form of social engineering in which an attacker impersonates a legitimate organization, a financial institution, or even the CEO of your workplace in an attempt to obtain sensitive information or to deliver malware to your device. Phishing can be carried out through email, text message, social media, or phone call.
For example, let's say an individual receives an email claiming that fraudulent activity has been detected on their credit card. The email warns that if immediate action isn't taken, the account will be suspended. A hyperlink in the email leads to a page that looks legitimate, mimicking the login page of the individual's credit card company. Once the individual enters their login credentials, the attacker has captured them.
How can I identify a phishing attack?
Attackers and their phishing techniques have become highly sophisticated over time, and the frequency of attacks has grown. As in the example above, attackers will replicate a legitimate business's web page or spoof its URL. Even the address in the email's "From" line may look perfectly normal, because the sender address is easily forged or made to closely resemble the real one.
As we have been saying throughout this series, knowledge is power. Here are several signs that you may have received a phishing email:
Organizations such as utility companies, social media sites, and financial institutions will not reach out unsolicited asking for personal information such as passwords, Social Security numbers, or account numbers. If you receive an unsolicited email asking for personally identifying information, delete it immediately.
Attackers use social engineering to instill a sense of urgency in their victim. In the scenario above, the email warned that the account would be suspended if immediate action wasn't taken. Usually a negative consequence (such as a suspended account) is tied to the requested action. If you're still unsure whether the email is genuine, contact the company or individual directly, using a phone number or web address you already know rather than one supplied in the email. Avoid forwarding the email, as its attachments or links could carry malware.
Emails that contain a lot of spelling mistakes or grammatical errors can be a sign of either spam or a phishing attack.
Unsolicited emails that contain attachments or hyperlinks, even from someone you know, such as a coworker. In one widespread scam, a criminal spoofs an email so that it appears to come from an organization's executive and sends it to HR and payroll staff, asking for a full list of employee W-2 forms. Again, it's best to contact the apparent sender directly and confirm the request before taking action.
A little healthy skepticism goes a long way. It's considered a best practice to apply some skepticism even when an email doesn't appear "off."
Hyperlinks with mismatched URLs. For example, say you receive an email containing the hyperlink www.bedrocktech.com, but when you hover your mouse over the link, it shows a slightly different URL: www.bedr0cktech.com (a zero in place of the letter o). It's highly likely a phishing attack. Do not click the link; delete the email immediately.
If it sounds too good to be true, it probably is. You won a trip to Disney World, and all you have to do is click a link to claim your prize? Don't click; delete.
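One way to automate the hover check described above, as an added example that is not part of the original post: the script below parses an HTML email body with Python's standard library, compares the address shown in each link's text with the host the link actually points to, and flags both outright mismatches and digit-for-letter look-alikes such as bedr0cktech.com. The sample email, the bedrocktech.com domains, the IP address and the substitution table are constructed for the example.

```python
"""Flag hyperlinks whose visible text does not match their destination.

Added example, not code from the original post. The sample email, the
bedrocktech.com domains and the LOOKALIKES table are assumptions made here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Digits that attackers commonly substitute for the letters they resemble
# (the "0" for "o" in www.bedr0cktech.com). This table is an assumption for
# the example, not an exhaustive list of look-alike tricks.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Link text that reads like a web address: optional scheme, a dotted host with
# an alphabetic top-level label, and an optional path. "click here" won't match.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' when there is none (mailto:, relative)."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def displayed_host(text: str) -> str:
    """Hostname implied by the link text, or '' when the text is not a URL at all."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    return host_of(text if "://" in text else "http://" + text)


def same_site(a: str, b: str) -> bool:
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_suspicious_links(html: str) -> list:
    """Return (reason, link text, href) for each link whose destination does
    not match the address shown to the reader.

    reason is "look-alike" when the hosts agree only after digits are mapped
    back to the letters they imitate, and "mismatch" when they differ outright.
    Links whose text is not a URL ("click here") are skipped: there is nothing
    to compare, so hovering is still the reader's only check for those.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown, actual = displayed_host(text), host_of(href)
        if not shown or not actual or same_site(shown, actual):
            continue
        if same_site(shown.translate(LOOKALIKES), actual.translate(LOOKALIKES)):
            findings.append(("look-alike", text, href))
        else:
            findings.append(("mismatch", text, href))
    return findings


# Constructed sample: an honest link, a look-alike, an outright mismatch, and a
# "click here" link that this check cannot judge.
SAMPLE_EMAIL = """
<p>Please visit <a href="https://www.bedrocktech.com/login">www.bedrocktech.com</a>
to review your account.</p>
<p>Or use <a href="http://www.bedr0cktech.com/login">www.bedrocktech.com</a>.</p>
<p>Questions? <a href="http://198.51.100.7/support">www.bedrocktech.com/support</a></p>
<p><a href="http://www.bedr0cktech.com/">click here</a></p>
"""

if __name__ == "__main__":
    for reason, text, href in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:10} shown={text!r} actual={href!r}")
```

Run against the sample, the second link is reported as a look-alike and the third as a mismatch, while the first (text and destination agree) and the fourth ("click here" reveals nothing to compare) are not reported. The check is deliberately narrow: it only catches links whose text reads like an address, and the substitution table covers digit-for-letter swaps, not every look-alike trick, so it complements hovering over a link rather than replacing it.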
How can I protect myself from phishing and email scams?
Unfortunately, there is no way to completely block email scams or phishing, so your best defense is to watch for the signs described above. You should also follow the standard cybersecurity measures that keep you safe, such as creating stronger passwords and enabling two-factor authentication, which limits what an attacker can do with a stolen password. As always, keep your operating system and software up to date, and keep your devices clean with antivirus software and browser security tools.