It’s not like phishing attacks are anything new. Scammers are always finding new ways to take advantage of things happening in the news, be it tax season, coronavirus, or anything else that lets them capitalize on people’s fears and frustrations. There can be a lot of misinformation flying around during these times, and taking a few extra seconds to confirm a source is trusted can save you from making a big mistake.
Phishing attacks and scams are messages from criminals posing as legitimate sources attempting to trick you into sharing private information (passwords, account numbers, Social Security numbers, etc.).
Whenever you receive an email, quickly go through the following checklist:
- Does this message include hyperlinks or attachments?
- Is this message telling me to take urgent action? (“Update your account now!”)
- Is the sender requesting any personal or sensitive information?
If the answer to any of these is yes, a warning light should go on in your head. Let’s look at why each of these questions is important to your cybersecurity.
Right off the bat, hyperlinks (“Click here to secure your account”) and attachments (“Invoice.html”) are one way that scammers can steal your information. In the case of hyperlinks, they might direct you to a phony but authentic-looking website, such as a log-in page, that records what you type and sends it to the scammer. Suddenly, your account is compromised.
A good practice is to never start a web session using the links provided in an email. Did you get an email from your credit card company saying you need to verify some information? Navigate on your own to the company’s website or app and go to “Account Settings.” If the request is genuine, then you can take care of it. The same goes for any other type of request.
Attachments should always be a red flag, as well. While most attacks are now malware-less, tricking you into downloading a file is a classic way to get malware onto your device.
So, if most attacks are without malware, then what do they look like? The last few years have seen a huge spike in instances of business email compromise (BEC) attacks. According to Mimecast, BEC scams increased 269% between 2018 and 2019. As you might expect from the name, BEC attackers use compromised official email accounts to trick other employees or customers.
How do you identify compromised email accounts? One tipoff is a change in the sender’s voice or writing style. Does the sender normally write in perfect, complete sentences, but this new message is full of broken, typo-ridden ones? That’s another red flag. Questions 2 and 3 point to further red flags. Let’s look at them.
Scammers only need to trick you for a few seconds to do damage, and creating urgency is one way of doing that. By creating urgency, the sender asserts authority or scares you so that you won’t stop to question their identity. Imagine how you would feel getting a message saying, “Dear user: A mysterious purchase was made with your credit card. Click here to stop it.” You want to solve the problem right away, so you click the hyperlink and enter your log-in credentials.
As we have seen, attackers are looking to steal your personal information. When you receive a message that is looking for your data, ask yourself, “Was I expecting this?” and “Is there anything fishy about this request?” For instance, does it make sense for the IRS or the CDC to text you? No, it doesn’t, but what about email? In this case, a quick internet search will tell you that the IRS will never “initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.” This is a pretty common trend. Google, for instance, promises that it will never email you asking for personally identifying information.
So, is it safe to click a hyperlink from your boss’s email address? Probably, but make sure that 1) it really is their email address, and if it is, 2) you were expecting the message (or it seems reasonable that it was sent by them), and 3) the message reads like your boss wrote it.
If there’s any doubt—especially if you’re being asked for a password, a Social Security number, or something similarly private—then confirm the identity of the sender with a phone call or other method before moving forward.
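As an added example (not from the article or from Machado Consulting), the three checklist questions turned into a small triage routine using only Python's standard library; the urgency and sensitive-data phrase lists are constructed starting points, and the sample message is a constructed one modelled on the "mysterious purchase" scenario above, not real mail.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed phrase lists: starting points only, tune them to your own mail flow.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|within 24 hours|act now|update your account now)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security( number)?|ssn|account number|credit card|log-?in credentials)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_TEXT = re.compile(r"\b[\w-]+(\.[\w-]+)*\.[a-z]{2,}\b", re.I)
TAG = re.compile(r"<[^>]+>")

def triage(raw_message: str) -> list[str]:
    """Return the checklist questions this message trips; [] means nothing flagged."""
    msg = message_from_string(raw_message, policy=default)
    flags = []
    for part in msg.iter_attachments():  # Q1a: attachments (the "Invoice.html" case)
        flags.append("Q1: attachment " + (part.get_filename() or "(unnamed)"))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, label in ANCHOR.findall(html):  # Q1b: hyperlinks
        flags.append("Q1: hyperlink " + href)
        # Link text naming one site while the href goes elsewhere: the "phony but authentic-looking" page.
        shown = DOMAIN_TEXT.search(TAG.sub("", label))
        host = (urlparse(href).hostname or "").lower()
        if shown and host != shown[0].lower() and not host.endswith("." + shown[0].lower()):
            flags.append(f"Q1: link text says {shown[0]} but goes to {host}")
    text = TAG.sub(" ", html)
    if URGENCY.search(text):  # Q2: pressure to act right now
        flags.append("Q2: urgent language")
    if SENSITIVE.search(text):  # Q3: request for private data
        flags.append("Q3: asks for sensitive information")
    return flags

# Constructed sample message (placeholder .example domains), not real mail.
SAMPLE = """\
From: "Acme Bank Security" <alerts@acme-bank.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear user: A mysterious purchase was made with your credit card.
Update your account now and confirm your password at <a href="https://acme-bank.example.login-verify.example/">www.acme-bank.example</a>.</p>
--b1
Content-Disposition: attachment; filename="Invoice.html"

<html></html>
--b1--
"""
```

Running `triage(SAMPLE)` reports all three questions, including the mismatch between the displayed domain and the link's real host; a plain, link-free lunch invitation returns an empty list.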
Human beings represent a critical vulnerability in the defense schemes of many businesses, and scammers know it. That’s why malware-less scams have exploded recently. Your employees can be tricked into doing more than clicking a link or downloading an attachment. They can think they’re talking to HR, IT support, their insurance provider, or even you.
Need help training your employees on how to identify phishing scams? Let us help. With two decades of experience under our belts, Machado Consulting will work with you to create the strongest possible plan to keep your organization safe. Reach us here or by phone at (508) 453-4700.