Phishing is a methodology that uses social engineering tactics to make a person take an action that is not in their best interests. There are many types of phishing. There are also many warning signs. Before you take the bait be aware of these traps. It can save you and your company a lot of time and money. How bad can it be? The best case is you waste some time repairing the damage done by clicking on a phishing link. The worst case is your computer or network is infected with a virus that can only be “cured” by paying a ransom, or your personal information is used by someone other than you.
Phishing schemes play with your emotions in an effort to make you act without thinking. For example: your family member has been in an accident and needs money to ensure medical treatment, or there is a problem with an order you don’t recall making. Before you act, call to verify that there is an actual emergency. Go to the website of the vendor that has the supposed problem and confirm the purchase. Do not to the email. Only respond from sites you know are authentic.
Typically, phishing messages do not use your name because they probably don’t know it. These messages will appear to come from a business, charity or company that with whom you have a relationship. The communication will refer to you with greetings like “Dear Customer”, or “Dear Member”. Go to the website of the entity you do have a relationship with before you respond to requests of this nature.
Many phishing scams come from foreign entities for whom English is a second language. Improper grammar and spelling are warning signs. Look at the address closely. The name might be correct, but the domain is probably not. Look for foreign alphabet characters. Confirm area codes before replying to an unsolicited request for a telephone response.
There are other signs that a message may be a phishing scam. Never click on a link that is simply http. That link could contain malicious code. Only use a hypertext address that begins with https...
Cybercriminals can gather publicly available information from a company website or social media and use that information to target specific employees with an email that appears to be from a member of the management team. If the recipient believes this is an internal request, they may take the requested action to the detriment of the organization. For example, a vice-president, with whom you do not normally interact, requests that you transfer funds to pay an invoice. Beware of requests from a person in another department if it seems out of context with their job function or your corporate structure. Pick up the phone and ask if they made the request.
Phishing can also come through a phone call. The message creates a sense of urgency and can come during stressful times. For example, you might receive a call from the “IRS” during tax season, wanting to verify the social security number associated with an anticipated refund. Never provide personal or corporate information unless you initiated the call and have confirmed that you are speaking with the actual agency/company.
Always turn on your pop-up blocker. Pop-ups are a popular vehicle for spreading viruses or malicious code. The most frequently used ploy asks permission to show notifications. When you select “allow”, the pop-up can install malicious code.
Prevention is always the best way to avoid these scams. Train your staff to be aware of phishing techniques. Use email filters to prevent the malicious message from getting into your system. Install website alerts in your browsers. Limit access to certain websites and web-based applications. Require multi-factor authentication – a password, fingerprint identification or a keycard - before access is granted. Install security updates regularly. Regularly back up all data.
What should you do if you think you are the victim of a phishing scam? Report the attack. You may not fall for the trick, but others might. If you are the victim of phishing on your phone forward the suspicious message to 7726 (SPAM). Tell the Federal Trade Commission (FTC) by contacting their reporting website so they can add the suspected scammer's number to a list of known fraudsters.
Being aware of the signs of phishing and how to avoid being scammed, coupled with good back-up and security protocols can go a long way toward protecting you from being “the phish”.