Is That Email Really From the CEO?

How many emails, text messages, and phone calls do you receive in a day? If you’re like most of us, it’s dozens, if not hundreds of them. Some of these might be from your boss, coworkers, friends, or family, but not all emails, texts, and calls are as friendly as they seem.

If you’re not careful, you might stumble upon a phishing scam in disguise.

Raise your hand if you’ve ever received an email from someone claiming to be a prince offering you a share of his fortune. Most of us know not to fall for that one, but what about emails, texts, and calls that appear to be from someone you know and trust, like your CEO or colleague?

Recent statistics point out that phishing scams are on the rise, and they’re becoming increasingly more difficult to detect:

  • According to Barracuda, 91% of all cyberattacks start in the inbox.
  • According to Verizon, human error remains a significant factor in cybersecurity breaches, accounting for 82% of attacks.

So, how do you protect yourself and your organization from sneaky and deceptive phishing messages? This blog will show you how to recognize phishing attacks, how to keep them out of your inbox, and what to do if you suspect you’ve received one.


What Is a Phishing Attack?

Phishing is a cybercrime in which attackers attempt to trick users into revealing personal information, such as credit card numbers, bank information, or passwords, by pretending to be legitimate.

Email is one of the easiest targets for cybercriminals and the most common form of phishing, because it’s relatively easy to manipulate the content to look like it’s coming from a legitimate source—for example, changing the email “sender” to look like it’s coming from a company executive, then asking for a password or credit card information.

With phishing, the hacker’s goal is to get you to take some sort of action, whether it’s handing over information or installing malware that lets cybercriminals hunt for information on their own. Once they gain access to the information they’re after, they can use it for their own ends, sell it on the dark web, or use malware to infect your entire organization’s network.

In addition to the standard type of email phishing attack, there are several different types of phishing attacks that you should be aware of.

Spear Phishing

Spear phishing is a targeted phishing attack that uses personalized emails to trick a specific individual or organization into believing they are legitimate. These attacks often target executives or those in financial departments with access to sensitive data.

Accountancy and audit firms are particularly vulnerable to spear phishing due to the value of the information their employees have access to. Once executed, the attack can infect more people in your organization and/or install dangerous malware on the targeted person’s computer.

Smishing

Smishing is a particularly sneaky type of phishing attack because it targets mobile device users who may be more likely to trust text messages than email. In many cases, smishing messages will appear to come from a trusted source, such as a bank or a delivery service. The message may claim that there is an urgent issue with your account, or that you need to take immediate action to avoid a problem. The message will then include a link or a phone number to call for assistance.

These links can be particularly hazardous, because they may lead you to a fake website that looks real but is designed to steal your personal information. Once you enter your login credentials or other sensitive data on this phony website, the cybercriminals behind the attack can use that information to access your accounts, steal your identity, or commit other types of fraud.

Vishing

Vishing is an insidious type of phishing attack that preys on people’s trust in phone calls. Instead of sending an email or text message, vishing attacks use Voice over Internet Protocol (VoIP) to make automated phone calls to a large number of people. Cybercriminals use pre-recorded messages that may claim that there has been fraudulent activity on an account or that there is an urgent matter that needs to be addressed. These messages are designed to create a sense of urgency and fear, making people more likely to act quickly without thinking.

To make matters worse, vishing attacks often use caller ID spoofing to make it appear as if the call is coming from a legitimate source, such as a bank or financial institution. The number may even match your area code, which can make the call seem more authentic—this is why it’s essential to be skeptical of any unexpected phone calls, even if the number appears to be from a familiar organization. If you receive a suspicious phone call, it’s always a good idea to hang up and call the organization directly using a phone number that you know is legitimate.

How Can You Recognize a Phishing Attack?

Here are some warning signs that should make you think twice when receiving any email, text message, or phone call:

  • Immediate threat. There’s a sense of urgency or immediate action—for example, that your account will be sent to collections if you don’t send payment information over immediately.
  • Links and attachments. There are suspicious links or attachments, especially from unknown or unexpected sources.
  • Sensitive information. The email, text, or caller asks for sensitive personal information such as passwords, Social Security numbers, credit card numbers, or bank account information.
  • Unprofessional tone. The email, text, or call contains poor grammar, spelling mistakes, or unusual language that seems out-of-character for the person on the other end.
  • Suspicious redirects and landing pages. The email or text message asks you to click on a link that redirects you to a suspicious login page that looks fake or poorly designed.

Be mindful that threat actors also employ these same tactics on social media. When you’re online, always be cautious and vigilant—never provide personal or sensitive information unless you are absolutely sure it’s a legitimate request.


5 Things You Can Do To Avoid Phishing Scams

1. Educate Yourself and Your Organization

Phishing attacks are becoming increasingly difficult to detect and recognize—education is essential for staying up-to-date on the latest threats and best practices.

Security Awareness Training (SAT) is an effective way to educate both individuals and organizations about the latest phishing threats and best practices. SAT provides interactive training modules that teach people how to identify and respond to phishing attempts. These modules can include simulated phishing attacks that test employees’ ability to identify and report phishing emails.

Organizations can significantly reduce the risk of successful phishing attacks by providing ongoing SAT to employees. Additionally, organizations can create a culture of cybersecurity awareness and encourage employees to be vigilant in identifying and reporting suspicious activity. Learn more about SAT.

2. Use Anti-Phishing Cybersecurity Technology

Cybersecurity technology solutions can be effective tools for protecting you and your organization’s data from phishing scams. For example, email security, including advanced threat protection, analyzes incoming emails and links to detect suspicious behavior, such as unusual sender addresses or URLs that don’t match the supposed sender. Additionally, these tools can have the ability to scan attachments and downloadable files for malicious content.

While anti-phishing software, like email security with ATP, can be helpful, it’s important to note that it is not foolproof and should be used in conjunction with other preventative measures, such as education and cautious online behavior. It’s also important to keep your cybersecurity software updated to ensure it is equipped to handle the latest threats. Many anti-virus and internet security software packages include anti-phishing features, so be sure to check what’s already included in your security software before downloading additional software—a technology partner can help you determine the specific needs for your organization.
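To make the warning signs above and the “sender addresses or URLs that don’t match the supposed sender” check concrete, here is an added example of the kind of header-and-body heuristics an email security layer applies. It is illustration code written for this article, not High Touch’s tooling or any vendor’s product; the two sample messages, the domains in them, and the urgency word list are constructed for the example.

```python
"""Heuristic phishing-indicator checks over constructed email messages.

Added illustration only. The rules mirror the warning signs in the article:
urgency language, a display name that claims one address while the real
sender is elsewhere, a Reply-To pointing to a different domain, link text
whose domain differs from the real href, and risky attachment types.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed word list; real products use far larger models and feeds.
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours",
                 "account will be suspended", "sent to collections")
RISKY_EXTENSIONS = (".exe", ".js", ".html", ".htm", ".zip", ".iso")
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)")


def domain_of(addr: str) -> str:
    """Lowercased domain of an address like 'Name <user@host>', or '' if none."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def link_mismatches(html: str) -> list[tuple[str, str]]:
    """(shown_host, real_host) pairs where visible link text names a different host."""
    out = []
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        href_m = HOSTLIKE.match(href.strip())
        text_m = HOSTLIKE.match(text.strip())
        if href_m and text_m and href_m.group(1).lower() != text_m.group(1).lower():
            out.append((text_m.group(1).lower(), href_m.group(1).lower()))
    return out


def phishing_indicators(raw: str) -> list[str]:
    """Return the warning signs triggered by one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, address = parseaddr(msg.get("From", ""))
    from_dom = domain_of(address)
    # Display name that embeds an address at another domain: "ceo@example.com" <x@other.test>
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if embedded and embedded.group(1).lower() != from_dom:
        findings.append(f"display name claims {embedded.group(1).lower()} but address is at {from_dom}")

    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(term in text.lower() for term in URGENCY_TERMS):
        findings.append("urgency language in body")
    for shown, actual in link_mismatches(text):
        findings.append(f"link text shows {shown} but points to {actual}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed samples: one lookalike "CEO" payment request, one ordinary message.
PHISH = """\
From: "ceo@example.com" <payments@mail-example.test>
Reply-To: finance@reply-example.test
To: staff@example.com
Subject: Wire needed today
Content-Type: text/html

<p>Please send the payment immediately or the account will be sent to collections.</p>
<a href="http://login.mail-example.test/x">https://portal.example.com/login</a>
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 report
Content-Type: text/plain

Hi all, the Q3 summary is in the shared drive: https://drive.example.com/q3
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

Each finding is one of the article’s warning signs; a mail gateway would weight them, not treat any single one as proof, which is why the article also stresses training and MFA.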

3. Use Multi-Factor Authentication

Multi-factor authentication (MFA) is a security feature that requires users to provide additional forms of identification beyond just a password in order to access their accounts. This added layer of protection makes it more difficult for hackers to gain access to your accounts, even if they manage to obtain your login credentials through a phishing attack.

With MFA, you must confirm your login attempt (and your identity) via a second factor, such as a text message, email, or alert-based response that asks for a unique code or to confirm the login attempt before gaining access. This way, even if a hacker manages to obtain your login credentials, they won’t be able to access your account without the additional authentication factor.

However, it is important to note that not all MFA solutions are created equal. With phishing-resistant MFA, instead of just providing a password, users are required to use a cryptographic key stored on a physical device, such as a security token or a smartphone app. This key is unique and can only be used once, making it nearly impossible for hackers to intercept and reuse it.

Many online services now offer MFA as an option, and it’s vital to enable this feature wherever possible. While it may add an extra step to the login process, the added security is worth the peace of mind of knowing that your accounts are better protected against phishing attacks and other cyberthreats. Keep learning: What Is MFA Fatigue?
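The difference between a code-based second factor and phishing-resistant MFA comes down to what the response is bound to. The following added example, written for this article and not High Touch’s code or any real FIDO2/WebAuthn library, models that binding in a simplified way: the authenticator mixes the site origin the browser is actually on into its response, and the site checks both its own origin and that each challenge is used once. The origins, the HMAC-based stand-in for a public-key signature, and the per-origin key derivation are all assumptions chosen for a runnable demonstration.

```python
"""Simplified model of origin-bound, single-use MFA responses (added illustration).

Not WebAuthn itself: a real authenticator signs with a per-site private key and
the site verifies with the matching public key. Here an HMAC over
(origin | challenge) with a per-origin derived key stands in for that
signature so the example runs with the standard library only.
"""
import hashlib
import hmac
import secrets


def _derive(master: bytes, origin: str) -> bytes:
    """Per-origin credential key derived from the device's master secret (assumption)."""
    return hmac.new(master, origin.encode(), hashlib.sha256).digest()


class Authenticator:
    """Device side: answers a challenge only for the origin the browser reports."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def register(self, origin: str) -> bytes:
        # Real devices hand over a public key; this model hands over the derived key.
        return _derive(self._master, origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # Origin is part of the signed data, so a response for one site is useless at another.
        return hmac.new(_derive(self._master, origin),
                        origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """Site side: issues single-use challenges and checks responses against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._cred_key = b""
        self._pending: set[bytes] = set()

    def register(self, auth: Authenticator) -> None:
        self._cred_key = auth.register(self.origin)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already consumed: blocks replay
        self._pending.discard(challenge)
        expected = hmac.new(self._cred_key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


REAL = "https://portal.example.com"        # constructed real site
LOOKALIKE = "https://portal-example.test"  # constructed lookalike domain


def _setup() -> tuple[RelyingParty, Authenticator]:
    rp, auth = RelyingParty(REAL), Authenticator()
    rp.register(auth)
    return rp, auth


def legitimate_login() -> bool:
    """User is on the real site: response is bound to REAL and accepted."""
    rp, auth = _setup()
    c = rp.new_challenge()
    return rp.verify(c, auth.respond(REAL, c))


def relayed_login() -> bool:
    """Real challenge shown to a victim whose browser is on the lookalike origin."""
    rp, auth = _setup()
    c = rp.new_challenge()
    response = auth.respond(LOOKALIKE, c)  # bound to the wrong origin
    return rp.verify(c, response)          # False: origin mismatch


def replayed_login() -> bool:
    """A genuine response captured once cannot be presented a second time."""
    rp, auth = _setup()
    c = rp.new_challenge()
    response = auth.respond(REAL, c)
    rp.verify(c, response)                 # first use succeeds
    return rp.verify(c, response)          # False: challenge already consumed


def relayed_code_login() -> bool:
    """Contrast: a typed one-time code carries no origin, so the same code entered
    on the lookalike page is still valid at the real site."""
    code = f"{secrets.randbelow(10**6):06d}"  # constructed SMS/app code
    typed_on_lookalike = code
    return typed_on_lookalike == code


if __name__ == "__main__":
    print("legitimate:", legitimate_login(), "relayed:", relayed_login(),
          "replayed:", replayed_login(), "relayed code:", relayed_code_login())
```

The last function is the point of the article’s caveat: a six-digit code works wherever it is typed, while an origin-bound response only works at the site it was generated for, so a lookalike page gains nothing from collecting it.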

4. Keep Your Operating System, Software, and Applications Up-To-Date

Keeping your operating system, software, and applications up-to-date is essential in protecting yourself against cybersecurity threats. Outdated software is a major vulnerability that hackers can exploit to gain access to your devices and accounts. Manufacturers regularly release patches and updates to address newly discovered security vulnerabilities. Neglecting to update your software can leave you vulnerable to attacks.

To stay on top of updates, make sure to enable automatic updates whenever possible. If automatic updates are not available for a particular piece of software or application, set reminders to manually check for updates regularly. Remember, it may be inconvenient to update your software or operating system, but it’s much less inconvenient than dealing with the aftermath of a cyberattack.

5. Be Cautious of Public Wi-Fi

Public Wi-Fi networks can be a risk to your cybersecurity because they’re often unsecured, meaning that anyone on the network can potentially gain access to your device and steal your personal information.

Likewise, cybercriminals can easily set up fake Wi-Fi networks with names similar to legitimate networks, which can trick you into connecting to them. Once connected, the threat actor can monitor all the data transmitted over the network, including login credentials and other sensitive information. Always be cautious when connecting to public Wi-Fi and avoid conducting sensitive transactions on these types of networks.

What Should You Do If You Experience a Phishing Attack?

If you fall victim to a phishing scam, change your passwords immediately and notify your bank and credit card companies if necessary. Not sure where to start when creating a new, more secure password? This blog helps guide you through the process of creating more secure passwords.

You should also run a malware scan on your devices to ensure they haven’t been infected.

As with any cyberattack, be sure to report the incident to your IT authority, whether it’s an in-house staff member or managed services provider. They can help prevent others from falling victim to the same scam and help diagnose any impact on the organization’s overall IT ecosystem.

We Help Keep Your Business Safe.

Phishing attacks show no sign of slowing down—knowing how to recognize and avoid them is more important than ever.

Recognizing the warning signs such as immediate threats, suspicious links and attachments, and unprofessional tone can help you avoid falling victim to phishing scams. However, the best defense against phishing attacks is having a robust, multilayered cybersecurity system in place that includes technology, people, processes, and education.

Don’t wait until it’s too late—start safeguarding your organization’s sensitive information and avoid the costly consequences of a phishing attack. Contact us today to learn more about how High Touch can help keep your business safe.