By now, most everyone has heard of “phishing,” the act of defrauding an online account holder by posing as a legitimate company or person. Simply put, it’s when bad guys pretend to be someone or something they’re not to steal from you or your company.
They’ll use “spoofed” email addresses, websites and attachments to convince you to give them personal information, financial details, account passwords and even bank transfers. These criminals use advanced tactics and social engineering to learn about you and your company so they can present tailored information you wouldn’t think to double check.
“Spear phishing” is even more shocking, appearing to originate from within your company or your domain and targeting a specific person or company.
Examples can include what appear to be:
- your IT guy asking you to login to a system or website,
- your boss asking you to “open the attached document,” or
- the business owner asking you to initiate a bank transfer to one of your suppliers.
Because it’s so effective, phishing and spear phishing attacks continue to rise.
Part of the problem lies with us. Because we know what phishing is, we think we’re not susceptible — it only happens to other people, to idiots who aren’t paying attention!
But when we think it can’t happen to us, we let our guard down — and then we become most susceptible. Check out the story of Westmeath County Council to see how easily it can happen
What can you do?
This is scary stuff, but you can fight back. If you (and your colleagues or employees) look for the signs of phishing and practice basic email hygiene, staying safe is actually pretty easy. The best way to combat phishing is just exercising common sense.
Here are a few tips to keep you on your toes.
Do not share personal information! EVER!
This really cannot be emphasised enough. Never respond to an email with personal information, financial information or passwords. Ever. Think about the risk-to-reward ratio. Is the upside of quickly sending this info worth the risk? Remember — NO reputable company will EVER ask for these details in an email.
Visit websites directly from browsers and bookmarks – not email.
Whenever possible, avoid clicking a link in an email to login to an account. It’s easy to misrepresent where that link may be taking you. A link might say “PayPal.com,” but it’s really pointing at “PeyPals.com.”
A quick way to double check a link’s actual destination is to hover your mouse over it. In most cases, your browser or email application will show you the true path.
If you’re logging in to your bank or other website, access the site directly instead of clicking a link in an email. Be especially suspicious of emails asking you to click a link to confirm your account information.
Double-check attachments before you click or download them.
Be careful with attachments. Word documents and Excel spreadsheets may contain macros or viruses that compromise your computer. These files can automatically download malware or direct you to malicious websites. If an email or attachment looks even the least bit suspicious (misspellings? See below), confirm its origin with the sender. Call, text or message them before you click.
Also, it is critical to have anti-virus software installed and up-to-date on your computer.
Whach for missspellngs and urginsee.
Although it’s not a hard and fast rule, poor grammar can often be a tell-tale sign of phishing. Look for unusual use of words, misspelling or even strange greetings (Hello Madam!). Also, be suspicious of an email that evokes a sense of urgency and asks you to do something right away.
When it comes to bank transfers, be extra vigilant.
Always verify bank details & requests for payment via a medium outside email – Thinking primarily of actually calling the person via phone. This should be standard business practice for all payments – we have seen unbelievably realistic copies of invoices with fraudulent bank details being received by some of our clients
When in doubt… DO NOTHING!
Being unsure and still clicking around suspicious emails can be disastrous. Take the time to be vigilant; confirming an email’s origin and intent can save you, and your company, a ton of grief (and maybe even money). If you have even an iota of doubt – DON’T CLICK ANYTHING. Delete the email, and pick up the phone.
Maybe more than ever before, the old adage holds true: when it comes to email and phishing it is truly better to be safe than sorry.