It's been a hectic day. You're multitasking as best you can, but you aren't at your best, and you can't focus on any one thing. And that's exactly when it happens. You skim over an email that says your HR department sent out incorrect W-2s, and you need to verify your information immediately through the link they've provided so they can correct the problem. Just a few minutes after you quickly submit your name, address, your password and your social security number, you wonder if you've made a terrible mistake. Was that email actually from your HR department? Where exactly did that handy link take you to?
It can happen as easily as that, and it's terribly unfair. As security protocols advance and software programs come out with increasingly stringent measures to protect users, spammers and hackers are getting creative in an effort to gain access to information. The first place many hackers look to infiltrate is the one place many people overlook: email. And the best way to prevent them from stealing your data is awareness.
Hackers use a variety of tools to try to infiltrate email accounts because they offer a veritable treasure trove of information that can be used for malicious purposes. Your email provider works hard to filter out emails that pose a threat to your Internet security, but their measures are not perfect. You need to maintain a sharp eye. And the best way to maintain a sharp eye is to know exactly what you're looking for.
What Is A Phish?
A phish is an email sent by hackers with the goal of tricking the recipient into revealing sensitive information, or clicking a link that leads to a malicious website. Phishing emails or social media posts often are designed to look like they're coming from a trustworthy company, including the one you work for.
A typical phish might contain the following content as a disguise:
- Major news: Hackers use major news headlines as the subject for emails that are sent to your inbox. The goal is to get you to open the email and click on a link, which directs you to malicious content on a third-party site.
- Online shopping: Gmail, Hotmail and Yahoo Mail all utilize filters to block spam emails from arriving in your inbox, but hackers get around this with email subject lines starting with "Order Number." Because ordering online is so common, typical spam filters do not block these emails. If you open the email and view the attachment, you may have just downloaded malicious content onto your device.
- Business documents: The West Virginia State Bar Association was recently targeted by a phishing scheme posing as an innocent individual requesting a simple document review. Unfortunately, anyone who clicked on that document link was taken to a website that asked for their email login information. Those who were careless enough to enter their information unwittingly gave spammers access to their email account, and every single email and contact within it.
- Social media: Social media is full of phony accounts posting breaking news or unbelievable offers with a link for readers to click on. Similar to the major news subject line that lands in your email inbox, the link will take you to a third-party site that could compromise your computer.
Why Does Phishing Work For Spammers?
The simple answer to this question is that people are curious by nature. When there is major breaking news, we want to know more about it. When we receive an email with an order number in the subject line, we wonder "what did I buy?" Spammers take advantage of our curiosity by disguising malicious content as credible information. We click on a link or download a receipt/voucher from an email, and before we know it our information is at risk.
Hackers use your email inbox not just to access your personal information, but also to build a bigger target base. When they access your inbox, they can see your full contact list. This increases the number of targets they can use their phishing scheme against.
How To Spot (And Avoid) A Phish
Since phishing emails often use clever tactics designed to overcome our suspicions, it's best to keep these tips in mind:
- Avoid the outlandish: Promotions that make use of terms such as "exclusive," "shocking" and "sensational" are almost always too good to be true. If something sounds outlandish, chances are it is dangerous.
- Hover before clicking: Before you click on any link, hover over it with your mouse. This will display the true destination the link takes you to. If the site is unfamiliar, do not click on it. If you are interested in learning more, be sure to use a new window to conduct a search for the story rather than clicking on the link.
- Don’t share: Social media encourages us to share information, resulting in a gold mine for hackers. When you fall for malicious content and then share it, unknowingly, with your friends, you are doing the hacker's work for them.
- Pay attention to grammar and tone: Your junior high English class (or your email's autocorrect software) has given you many helpful tools to recognize phishing emails, which frequently contain grammatical and spelling errors. Also, look out for greetings that are out of place. Do your coworkers begin emails with "Dear"? If not, that greeting should immediately arouse your suspicion.
- Watch for manipulation: Phishing emails often attempt to play on human emotions, or attract our curiosity. If an email you're reading evokes an emotional response like fear, excitement or sympathy, take a step back. If that email insists that you take action quickly, take another step back. While the business world moves quickly, it's rare that a legitimate request requires your immediate response and leaves you no time to think through your actions.
- Be suspicious of attachments or links: It's become commonplace to collaborate on files with tools like OneDrive, Dropbox and SharePoint. But before you open anything, take a second and think it through. Were you expecting a document from this person or this company? Don't automatically trust a coworker's email; it could have been hacked. Also, take note of the file name. Files ending in .pif, .exe, .scr and more are associated with malware.
- Navigate directly to websites: Common phishing emails often look like they're from a company you might do business with, like PayPal, eBay and others. Phishing techniques often include sending out emails suggesting that your account has been frozen, and you should immediately click a link to enter your login credentials. Again, be wary of all links, but especially these. If you are worried your account may have been suspended, go to the company's website from your browser, and not the email link. It's easier to simply click the link, and that's exactly what a hacker is hoping you'll do.
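As an added example (not part of the original post), here is a small defender-side script that applies several of the tips above to a raw email message: urgent wording in the subject, a generic "Dear customer" greeting, link text whose hostname differs from the real destination (the "hover before clicking" check done in code), and attachments with the .pif/.exe/.scr extensions the post names. The sample message, sender address and domains are constructed for the demo.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): an "account frozen" lure with a mismatched link and a .scr file.
SAMPLE_EML = b"""From: "PayPal Support" <support@paypa1-secure.example>
Subject: Your account has been frozen - verify immediately
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p><a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a></p>
--B
Content-Type: application/octet-stream; name="invoice.pdf.scr"
Content-Disposition: attachment; filename="invoice.pdf.scr"

--B--
"""

RISKY_EXTENSIONS = (".pif", ".exe", ".scr")                   # extensions the post associates with malware
URGENCY_WORDS = ("immediately", "frozen", "suspended", "act now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified anchor extractor

def phish_indicators(raw: bytes) -> list[str]:
    """Return the red flags found in one raw message; an empty list means none were found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if any(w in str(msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        hits.append("urgent tone in subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            if re.search(r"\bdear (customer|user)\b", html, re.I):
                hits.append("generic greeting")
            for href, text in ANCHOR_RE.findall(html):
                shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
                if shown and real and shown != real:            # visible URL vs. real destination
                    hits.append(f"link shows {shown} but goes to {real}")
    return hits

if __name__ == "__main__":
    for hit in phish_indicators(SAMPLE_EML):
        print("FLAG:", hit)
```

Links whose visible text is not itself a URL ("click here") are skipped by the hostname comparison, so this check complements, rather than replaces, hovering over the link yourself.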
The Importance Of Employee Training
Recently, hackers infiltrated the FBI's email system, and used it to send out fake cybersecurity warnings to over 100,000 email addresses. While the FBI's email account was real, the content was not. Clearly, hackers are continuing to become more strategic in their methods, and will find newer and better ways to evade any email provider's detection. The FBI is tasked with continuously monitoring threats, including those to cybersecurity, and provides a wealth of information on how to avoid being hacked. If, despite all of these measures, the FBI can be hacked, so can your organization.
In addition to basic email security, it's important to keep track of evolving phishing techniques, and regularly train employees on how to spot a scam. It only takes one compromised email account for hackers to do serious damage, and unfortunately, as human beings, we all have a tendency to be distracted and act carelessly from time to time.
Many IT departments are beginning to launch their own phishing programs to see how many employees will take the bait, and click on the link provided. The failure rate makes it easy to adjust training accordingly and track progress. While no one likes to be tricked, these benevolent phishes provide invaluable data. Better still, this type of regular training leads to better outcomes, where employees recognize and report fraudulent emails quickly, instead of falling prey to them. And unlike a malicious phishing scheme, the result isn't catastrophic.
Maintaining email security is a challenge, but it's one your IT department doesn't have to handle on its own. Marco's cybersecurity experts are familiar with current phishing tactics, and can provide up-to-date cybersecurity information, training and solutions to safeguard your business.