Phishing 101: Identifying and Protecting Against Email Scams
As phishing scams grow less transparent by the day, being on high alert for malicious emails meticulously masked as trustworthy items in your inbox has become of immeasurable importance.
Network Coverage examines the evolution of phishing, how to identify it and what to do if you believe you may have fallen victim.
Phishing for Information
When it comes to email scams, your average user often operates under the assumption that anything bogus in their inbox will be easily identified.
There’s the wealthy prince offering a six-figure reward in exchange for a small donation. There’s the prospective “business partner” with abominable grammar looking for you to just hand over your routing and checking account info. Perhaps it’s a sender with an email address that looks like they literally pressed their hand on the keyboard and vigorously swiped across it, asking you, their “dear friend,” to provide them with your social security number so they can appoint you as their primary beneficiary in the event they kick the bucket.
It would take a lapse in judgment of epic proportions to fall for such shenanigans in 2019. Cybercriminals looking to prey on your gullibility, however, are much more clever than that these days.
The shift from that approach is a fairly simple one: No longer is the objective to pretend to be some wealthy benefactor you don’t know. Instead, the danger comes from the sender pretending to be someone you trust. It could be “HR” looking to verify a few things with you or a “support staff member” from your credit card company “making sure you’re protected.” It could be “Dropbox” or “Google Drive” sending you to a log-in screen that isn’t what it appears to be.
Dodging spyware, malware, and crippling viruses is enough to keep us on our toes, but coughing up your credentials to a phishing scam is essentially handing the keys to your castle to the bad guys, putting yourself and your organization at great risk in the process.
Identifying Phishing Scams
So, what’s the secret to avoiding falling for a phishing scam? It’s pretty simple. To quote the tagline from American Beauty: …look closer.
● Hover over the link
The majority of phishing scams are going to include a link that isn’t what it’s presenting itself as. The best way to sniff out something suspicious is to hover over the hyperlink to reveal the URL. If it doesn’t look legitimate, don’t click it!
Want to play it extra safe? Right-click the hyperlink and copy it. Head to VirusTotal, select the URL tab, and paste it in. A quick scan will show whether security vendors have already flagged it as malicious.
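The hover check above is mechanical enough to script. The following is an added example, not code from the original article or from Network Coverage: it pulls every link out of an HTML email body, compares the domain shown in the link text with the domain the href really points to, and flags raw IP addresses and the `user@host` trick that hides the real hostname after an `@`. The sample HTML body is constructed for illustration, and the `registrable_domain` helper is a deliberate simplification (last two labels only, no public-suffix list).

```python
"""Added example (not part of the original article): list the destinations an
HTML email's links actually point to, as hovering reveals, and flag common tells.
The sample HTML body below is constructed for illustration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# A domain-looking token inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list, so
    co.uk-style suffixes are not handled; enough for this illustration)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(text, href):
    """Return the reasons this link deserves a closer look (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https", "mailto"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if "@" in parsed.netloc:
        reasons.append("userinfo before the host: the real hostname is after '@'")
    try:
        ipaddress.ip_address(host)
        reasons.append(f"raw IP address {host} instead of a domain name")
    except ValueError:
        pass
    # The visible text claims one domain while the href goes somewhere else.
    shown = DOMAIN_RE.search(text)
    if shown and host and registrable_domain(shown.group(0)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(0)} but the link goes to {host}")
    return reasons


def suspicious_links(html_body):
    """Return [(visible text, href, reasons)] for every link that raised a warning."""
    collector = LinkCollector()
    collector.feed(html_body)
    results = []
    for text, href in collector.links:
        reasons = link_warnings(text, href)
        if reasons:
            results.append((text, href, reasons))
    return results


# Constructed sample: one legitimate link and three that hover-checking would catch.
SAMPLE_HTML = """
<p>Your storage is almost full. Review your plan:</p>
<a href="https://www.dropbox.com/upgrade">https://www.dropbox.com/upgrade</a><br>
<a href="http://dropbox-login.example/verify">www.dropbox.com/verify</a><br>
<a href="http://203.0.113.5/login">Sign in to keep your files</a><br>
<a href="https://www.dropbox.com@203.0.113.5/">dropbox.com</a>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it as a script and the first link passes while the other three are listed with the reason each one fails; the text-versus-href comparison is the same check your eyes do when the hover tooltip disagrees with the blue underlined text.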
● Double-check the sender
Don’t want to get duped? Make sure the sender is who you think they are by examining their email address. Keep an eye out for typos in the domain and be mindful of the “name game” in which a sender identifies themselves as a trustworthy source (e.g. No Reply at Dropbox) but their email originates from an entirely different address.
To go one step further, give the email a thorough review for unusual language or typos. From logos to the font to verbiage, the sender will make every effort to make the email look as authentic as possible. Even the organizations being undermined have admitted as such, including Google during a widespread phishing scam earlier this year:
● Contact the sender if something doesn’t seem right
If your gut tells you something is off, that could very well be the case. Receiving an out-of-the-blue request to transfer money to a vendor or partner, or a request for sensitive information from a colleague? Did someone’s banking info suddenly change? There’s a chance their email may have been compromised. Walk down the hall to their office. Pick up the phone. Simply find an alternate form of communication to put your worries at ease – or confirm your suspicions.
What to do if you fear you’ve been phished
Sometimes, unfortunately, we don’t sense something is amiss until it’s too late. When that happens, it’s time to take action immediately.
● Contact IT support
Plain and simple solution here: Nobody is more equipped to help you remedy this situation as quickly as possible.
● Change passwords
Did you cough up your password on a phony sign-in page or potentially grant access to someone who shouldn’t be on your machine? If an IT team doesn’t have your back, change your passwords promptly and ensure they’re complex. That change won’t matter much if you follow a predictable password pattern.
● Disconnect from your network, scan your machine
If you have access to sensitive information on your company’s network, disconnecting from it is a wise choice. Anyone who’s wormed their way onto your machine will be cut off, preventing a major catastrophe in the process.
From there, you’ve got to ensure there’s nothing malicious lingering on your computer. This is especially applicable if you’ve – whether knowingly or unknowingly – downloaded something onto your machine. Run the fullest of scans with your antivirus software and any other tools at your disposal, from Webroot to free tools like Malwarebytes and its Junkware Removal Tool and the Emsisoft Emergency Kit. The more thorough you are, the better.
● Contact your financial institutions
Many of us are guilty of having one password we utilize repeatedly. When that password winds up in the wrong hands, there are a lot of bases to cover – and quickly. Contact your financial institutions. Explain what’s happened so that they can prevent any fraudulent activity from taking place.
● Contact your, well, contacts
If someone’s taken hold of your email account, there’s a good chance they’re using you as a jumping-off point to rope in more potential victims, sending out another wave of phishing emails right from your email address. Once you’ve changed your password and secured your email again, don’t be afraid to send out a quick memo to all of your contacts, letting them know to delete any suspicious communication(s) from you during the time period you were exposed.
If you fall for a phishing scam and don’t react swiftly and effectively, the hackers, spammers and cybercriminals tossing out the bait and hoping you’ll bite could wreak havoc on you, your colleagues, your clients and your company in its entirety. The best practice, as we’ve preached here at Network Coverage, is to know everything you can about who’s knocking before you open the door.