Did you know that 95% of network security breaches happen due to human error?
There’s no doubt that hackers are getting smarter and more sophisticated every day. If hackers can figure out how to steal personal data for 533 million Facebook users, rest assured they can infiltrate your IT network too.
Still, at the end of the day, the biggest threat to your company’s data is an unsuspecting employee. Many company owners go to great lengths to set up their IT department, whether in-house or through a local IT support company. Either way, many of them overlook an equally important part of the puzzle: educating workers.
What do you and your employees need to know about phishing attacks? What steps can you take to ensure phishing protection? And what role does cyber security play in protecting your sensitive data?
We’ll answer these important questions and more, so keep reading below.
What Are Phishing Attacks?
Just like a fisherman uses bait to hook unsuspecting fish, a “phishing” attack dangles innocent-looking requests in front of internet users to gain access to sensitive information.
Phishing attacks began as fraudulent emails with the goal of stealing personal data. These days, attackers have expanded their tactics to include social media channels as well as vishing and smishing (the same con run over phone calls or SMS messages).
No matter the type of attack, the goal is always the same: to steal logins, passwords, banking details, credit card details, and other personal information.
Here are some common types of phishing attacks:
- Phishing emails with attached malware or a link to a malicious webpage
- Phishing websites with landing pages designed to look like the legitimate website (e.g., PayPal or Wells Fargo)
- Phishing messages via SMS or messaging apps that lead to a Trojan horse download or a fake login page
- Phone phishing pretending to be a bank, a government agency, or another trusted institution
For the sake of this article, we’ll focus on email phishing, which continues to be the most popular type of phishing attack. Hackers continue to use email, not only because it works, but because it’s easier to remain anonymous and send bulk mailings.
How to Spot Phishing Emails
Just in case you think the threat of phishing attacks is overrated, consider this statistic: 97% of people globally cannot reliably identify phishing emails. The same study found that 80% of users misidentified at least one of their phishing tests, and one mistake is all it takes to become a victim.
As the old saying goes, an ounce of prevention is worth a pound of cure. The best way to avoid falling victim to phishing attacks is by educating workers (and yourself) so you know what to look for.
Here are five tell-tale signs to watch out for.
1. Spelling & Grammatical Errors
Legitimate big businesses rarely send an email that contains typos or grammatical mistakes. Facebook, PayPal, American Express, and your local bank have the resources to compose error-free emails, and their customer mailings are usually templates that have been proofread many times.
Phishing emails come from all over the world and often from hackers who do not speak English as their primary language. As a result, you might see a pattern of strange expressions and misspellings.
Of course, a hastily written email from a legitimate person could contain a typo or two — we all make mistakes. But beware of a pattern of strange speech or words used incorrectly, especially if it claims to come from a well-known business. If it “just doesn’t sound right,” don’t ignore your gut feeling.
2. Public Email Domain
If Google sends you an email, it will come from an @google.com email address. If PayPal sends you an email, the sender’s address will end with @paypal.com.
One of the easiest ways to spot a phishing scam is to examine the sender’s address, not just the display name your mail client shows in bold. No legitimate big business will send official mail from gmail.com, yahoo.com, outlook.com, or another public webmail domain. The reverse is not a guarantee, though: a From address can be forged outright, which is why your mail system should check SPF, DKIM, and DMARC on inbound mail. Reading the address catches the lazy attempts; the filters have to catch the rest.
One of the goals of digital literacy and phishing protection is teaching your employees to look at the full email address every time, and to know that a familiar name on its own proves nothing.
3. Misspelled Domain Name
Since we’re on the topic, here’s something else everyone should watch out for: a cleverly disguised domain name.
A common swap is a “0” for an “o” in the email address. This turns “outlook” into “0utlook” or “chipotle” into “chip0tle.” If you’re just glancing through the email, you could easily miss this subtle but significant detail!
One podcast episode showed how effective a related swap is. An ethical hacker bought the domain name gimletrnedia.com, where the letters “r” and “n” side by side pass for the “m” in the real domain (the actual business was gimletmedia.com). He then sent out emails that supposedly came from the company’s producer. The scam was so successful he managed to dupe the hosts, the company president, and even the CEO!
This is just one example of why companies need to prioritize keeping their business safe from hackers.
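The two checks above (a public webmail domain where a business domain is expected, and a look-alike domain) can be automated at the mail gateway or in a phishing-report triage tool. The following is an added example written for this article, not code from Be Structured or from any product it mentions. The webmail list, the substitution table, the sample headers and the trusted-domain sets are constructed for illustration, and the two-label `registrable()` shortcut is an assumption that a real deployment would replace with a public-suffix list.

```python
"""Sender-address red flags: public webmail, spoofed display name, look-alike domain.
Added example; lists and sample headers below are constructed, not real data."""
from email.utils import parseaddr

# Constructed list of free webmail domains (extend for your environment).
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                  "aol.com", "icloud.com", "protonmail.com"}

# Decoy character sequences and the letters they imitate at a glance.
# "rn" for "m" is the gimletrnedia.com trick; "0" for "o" is chip0tle.
LOOKALIKE_SUBS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def canonical(domain: str) -> str:
    """Reduce a domain to what a reader skimming it is likely to perceive."""
    seen = domain.lower()
    for decoy, real in LOOKALIKE_SUBS.items():
        seen = seen.replace(decoy, real)
    return seen


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch typo-squats such as payapl.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels only (assumption: real code uses a public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def analyze_sender(from_header: str, trusted_domains) -> list:
    """Red flags for a From: header, given the domain(s) the mail claims to represent."""
    flags = []
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From: address"]
    domain = address.rsplit("@", 1)[1].lower()
    reg = registrable(domain)

    if reg in PUBLIC_WEBMAIL:
        flags.append(f"public webmail domain {reg}")

    # "support@paypal.com" <anything@attacker.example>: the display name
    # carries a fake address while the real one sits in the angle brackets.
    if "@" in display_name and display_name.lower() != address.lower():
        flags.append(f"display name {display_name!r} hides real address {address}")

    for trusted in trusted_domains:
        trusted = trusted.lower()
        if reg == trusted:
            continue  # same registrable domain: genuine if SPF/DKIM/DMARC passed upstream
        if canonical(reg) == canonical(trusted) or (len(reg) > 6 and levenshtein(reg, trusted) <= 2):
            flags.append(f"look-alike of {trusted}: {reg}")
        elif trusted.split(".")[0] in domain:
            flags.append(f"brand {trusted.split('.')[0]!r} inside unrelated domain {domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, one per red flag discussed in the article.
    samples = [
        ('"PayPal" <service@paypal.com>', {"paypal.com"}),
        ("PayPal Support <paypal.support@gmail.com>", {"paypal.com"}),
        ("Gimlet Media <producer@gimletrnedia.com>", {"gimletmedia.com"}),
        ("Billing <x@payapl.com>", {"paypal.com"}),
        ('"support@paypal.com" <mailbox@attacker.example>', {"paypal.com"}),
    ]
    for header, trusted in samples:
        print(f"{header:50} -> {analyze_sender(header, trusted) or 'no flags'}")
```

An empty result means only that none of these three patterns matched; it is not proof the mail is genuine, which is why the gateway's SPF/DKIM/DMARC verdict still matters.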
4. Strange Links or Attachments
These links come not only through email but also through social media posts or text messages. The unsuspecting user clicks what appears to be a normal link, only to land on a page that harvests credentials or delivers malware to their device, disrupting IT security in Los Angeles or any city nationwide.
Links are especially sneaky because they can slip right past your IT security net. Attachment sandboxing detonates the files that arrive with the message, but a link can point to a page that is harmless when the mail is scanned and switched to malicious afterward. Unless your gateway also rewrites links and re-checks them at click time, the link is the part the filter never inspects.
To avoid a potential disaster, train your employees to hover over a suspicious link without clicking it. The status bar or a small tooltip shows the real destination address. If the host in that address is not the expected website, treat the message as a phishing attempt. Two caveats: hovering is not available on most phones, and shortened or tracking links hide the final destination, so when in doubt skip the link entirely. Attachments cannot be previewed this way; an unexpected attachment should simply not be opened.
Another option is to instruct employees to visit a website directly rather than click on any link or attachment within the email. For example, if their PayPal account has supposedly been suspended, they should open a new tab and go directly to paypal.com. Then they can log in and verify the facts without the risk of clicking on anything in an email.
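Hovering is the manual version of a check a mail gateway or reporting button can run over the whole message: compare what each link displays with where it actually goes, and flag the href tricks a tooltip makes easy to misread. The following is an added example written for this article, not code from Be Structured or any product it mentions. The sample HTML message is constructed; the `.example` hosts and documentation IP address are placeholders.

```python
"""Audit the anchors in an HTML email for link-destination tricks.
Added example; SAMPLE_HTML is a constructed phishing message."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a URL or bare domain: capture the domain a reader sees.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> dict:
    """Return {href: [flags]} for anchors showing a warning sign.
    An empty dict means nothing stood out, not that the message is safe."""
    parser = LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        flags = []
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() not in ("http", "https"):
            flags.append(f"non-web scheme {parts.scheme!r}")
        # The displayed text names one site while the href contacts another.
        m = URL_LIKE.match(text)
        if m and host:
            shown = m.group(1).lower()
            if shown != host and not host.endswith("." + shown):
                flags.append(f"text says {shown} but link goes to {host}")
        # https://paypal.com@attacker.example/ : everything before '@' is ignored
        # by the browser, so the real host is the part after it.
        if "@" in parts.netloc:
            flags.append("userinfo before host (brand@attacker trick)")
        try:
            ipaddress.ip_address(host)
            flags.append("raw IP address instead of a hostname")
        except ValueError:
            pass
        if flags:
            report[href] = flags
    return report


# Constructed sample: one genuine link and three dressed-up ones.
SAMPLE_HTML = """
<p>Your account is on hold. Restore access here:
<a href="https://paypal.com-secure-login.example/x">https://www.paypal.com/myaccount</a></p>
<p>Or <a href="https://www.paypal.com/">Visit PayPal</a> from the home page.</p>
<p><a href="http://203.0.113.7/update">Update now</a></p>
<p><a href="https://paypal.com@accounts-check.example/login">paypal.com</a></p>
"""

if __name__ == "__main__":
    for href, flags in audit_links(SAMPLE_HTML).items():
        print(href)
        for flag in flags:
            print("   -", flag)
```

The genuine link (`https://www.paypal.com/` with the text "Visit PayPal") produces no flags because the text is not URL-shaped and the host is the expected one; the other three are flagged for the mismatched text, the raw IP address, and the `brand@attacker` userinfo trick respectively.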
5. Creates a Sense of Urgency or Panic
How do you feel when you read the following statements?
- “Your account has been breached!”
- “Your recent transaction couldn’t be processed…”
- “You need to respond to this request immediately…”
- “If you don’t log in within 24 hours…”
Scammers know how to create a sense of urgency. They know that without it, you’ll procrastinate (at best) or study the email more closely until you notice something is wrong with it.
As a result, phishing attempts almost always prompt you to take action now, before it’s too late. This is especially common in Windows, Netflix, and PayPal scams, since problems with those accounts would cause major inconveniences.
How to Protect Against Spear Phishing
In a recent survey, 67% of Americans said they know phishing scams can occur across multiple platforms. As we just discussed, though, knowing that the threat exists doesn’t mean knowing how to identify it.
As part of your phishing protection education program, here are some important safety rules that every employee should know.
1. Don’t Do Anything Rash
If there’s a sense of urgency in the email, that should be an immediate red flag. If the CEO truly needed something from you right away, an email would not be the only way you heard about it.
When urgent action is genuinely needed, confirm it through a channel you already trust, such as the phone number in the company directory, an internal chat, or a walk to someone’s desk, and never through a number or link the email itself supplies. Your employees should know to stay alert (or even get nervous) when an email pushes them to do something rash.
2. Don’t Click Links or Buttons
This is phishing protection 101, no matter whether you’re in a professional or a private setting. As mentioned earlier, it’s always best to visit the actual website to enter or verify your credentials.
Hackers often create fake landing pages that look almost identical to the real websites. If you click that email link to Twitter, you could land on a site that looks so similar to Twitter you don’t notice the difference — until it’s too late.
The only exception to this rule is a confirmation you were already expecting, such as the message that arrives right after you sign up for an account and asks you to click to activate or verify it. Even then, check that the link points to the site you just signed up for.
3. Double-Check Special Requests
A common phishing scam is to send employees an email that appears to come from an internal source — perhaps the company’s president or CEO. The request might be to log in to verify credentials or to transfer money or cryptocurrency to another account.
In some cases, it might even appear to come from a colleague or direct superior.
Whatever the case, train your employees to think before they act. It only takes a few seconds to pick up the phone or send a message to verify the request. A simple, “Did you just send an email asking me to…?” is all it takes.
4. Don’t Ignore Web Browser Warnings
Your company’s IT department and certainly outsourced tech support companies should include many layers of protection to keep data safe.
One of the most basic safeguards is the warning page a browser shows before it loads a suspicious website: a block from the browser’s built-in safe-browsing list, a warning that the site’s certificate is invalid or expired, or a block from your company’s web filter. Occasionally a site administrator really has let a certificate lapse, but from the user’s chair there is no way to tell that apart from an attack, so the warning should be treated as a stop sign.
Make sure your employees know not to ignore those warnings and not to proceed to the website.
5. Don’t Trust Phone Calls
Vishing, or voice phishing, has been on the rise since the start of the pandemic. A hacker that has already obtained some of your personal information then takes the scam a step further by following up with a phone call.
Similar to email phishing, the caller tries to create a sense of urgency. They might claim to be from your bank, your credit card company, or another trustworthy organization. First, they need you to verify your credentials; then they’ll request for you to make a payment or transfer funds.
The same principles apply here. Just as you wouldn’t click a link in an email, you should never give personal information to an unexpected caller. The best solution is to hang up and call the organization back on the number printed on your card or statement, or the one on its official website, never a number the caller gives you. You’ll learn very fast whether there’s a legitimate concern or not.
Educating Workers With Phishing Tests
As you can see, there’s a lot that most people don’t know about phishing protection. Without specific training, you can’t expect your employees to know all of the important details we discussed above.
This is why many company owners prioritize digital literacy and sign up for phishing email training for their employees. These helpful programs send out simulated phishing emails at random times to your workers. Those who fall victim to phishing tests or don’t handle the email correctly can then receive specific training to improve their knowledge.
These tools and techniques include:
- Training videos
- Custom templates for phishing emails and fake webpages
- Group management for different levels of training
- Detailed reports that show which employees need more training (and what type)
Best of all, it’s easy to bundle this phishing protection training with other valuable IT services.
Does Your Company Need Phishing Protection?
We can’t overstate the risks of phishing attacks. One “innocent” click of a link could compromise your company’s most sensitive data and cause serious damage to your IT network — and your reputation.
Don’t let this happen to you. Review the suggestions listed above and consider whether you’ve done enough to educate your employees about the dangers of phishing. If the answer is no, it’s time to take action.
Be Structured offers more than just leading managed IT services in Los Angeles. We also empower company owners and their employees with the knowledge they need for phishing protection.
Our BullPhish ID application provides valuable phishing training for everyone in your company. It doesn’t replace the need for firewalls and virus scanners, but it adds another valuable layer of protection to your cybersecurity efforts.
Click here to learn more about BullPhish ID and our other managed IT services.