How to Protect Your Business from Phishing
What is phishing, and how do we avoid it? Much like fishing, the word it’s based on, phishing requires skill, some luck, and bait on the part of the hacker. It’s the process by which a hacker gains access to personal information by faking an email and/or website in order to trick you into willingly entering the information yourself. Professionals, businesses, and private individuals are all the fish (targets), and the anglers (hackers) are only getting smarter.
How does it work?
Phishing often relies on provoking an emotional response in order to shut down your brain’s critical thinking skills. Humans tend to ask fewer questions and move quickly when we’re in panic mode. A good example of non-digital phishing would be the phone calls that went around asking the elderly for money to make bail, pretending to be their children or grandchildren. However, don’t think that just because you’re younger and sharper than your parents, you won’t be susceptible to a phishing attack. Facebook and Google were both scammed out of more than 100 million dollars by an Eastern European hacker who sent them fake invoices for years that the tech giants just… paid. It can happen to literally anyone.
Recently, I was almost the victim of an email phishing scam. I write a great number of these blog posts, and I know the signs, but a well-designed scam at the right time can get almost anyone if you aren’t paying attention. An email came in saying that my Apple account had been compromised and I needed to change my password. I did what any responsible adult would do: I clicked on the link to reset my password and started typing out my information. However, it was asking me questions that it shouldn’t have, and upon further inspection, the website was completely fake. Links didn’t lead anywhere, and it was just a JPG image fooling me into thinking it was Apple’s official website. I almost entered all of my personal information when I stopped myself and started taking my own advice. “This is a scam.” I immediately closed out of the website and ran a virus scan. While that was going, I went to Apple’s real website and changed my password from there.
These steps are important because they are what I should have done in the first place. If you receive an urgent email asking you to enter account information, never react the way the email wants you to. This is exactly how phishing emails typically work. When you have sensitive information like credit card numbers or banking info, it seems natural to want to protect it as quickly as possible. However, services like Google and Apple will never send you an email asking you to click on a link to manage your account information. Typically, you will get an alert letting you know that you’ve been logged in on an unknown device, or something of that nature. This happens to me sometimes when I switch from my PC to my MacBook Pro. However, it never contains an actionable link. This is done to deny hackers the mental conditioning they need in order for you to be frightened enough to give away your personal information.
Practically speaking, how do we spot a phishing attempt?
1. Never react with emotion. Never click on links that promise you’ll be able to save your account from hackers. Be suspicious of everything, even properly branded emails that look legitimate. Oftentimes, hackers will use stolen logos, fonts, and styles to trick the more savvy users into buying into their scam. They’ll even go so far as to create fake websites that look identical to the official one.
2. Be on the lookout for spelling errors. Often, these scams don’t originate in America, and minor grammar mishaps are more common with non-native speakers. While there may be a handful of grammatical errors in official emails as well, be careful when you see anything out of place. Emails from large companies like Apple or Amazon go through a long process before they reach your inbox, and glaring errors are often corrected before they leave the marketing department.
Make sure the design looks official. Sometimes the company’s logo is in poor resolution, or it’s formatted in a strange way. Sometimes the company may have just updated or changed its logo and the hackers are still working with the previous version. Never say “oh well, that’s weird but I’m going to ignore it.”
3. Call to confirm important emails. Austrian aerospace executive Walter Stephan holds the record for being the individual to lose the most money in history from a single scam – around $47 million. It was all because his employees didn’t call and confirm an important email that came out of nowhere. A low-level accountant didn’t feel like they had the ability to call and confirm, so they unknowingly went along with the scam. Empower your employees to double-check with you. Not only will it help you build relationships with your team, but it will help you avoid costly mistakes.
4. Finally, just don’t click on links in emails. If you get an email telling you to do something, even if it’s official, go to your account manually and do it yourself. This will help you get to know your vendors and accounts, and it completely destroys the effectiveness of this kind of phishing attack. As a bonus, the steps involved are never difficult, and you may save yourself a lot of hassle.
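Points 1 and 4 above (look-alike sites, and links that don’t belong in account alerts) can be partly automated on the defender’s side. The following is an added example, not part of the original post: it pulls every link out of an email body and flags links whose visible text claims one domain while the href goes to another, links that leave the sender’s legitimate domain, and links that are not HTTPS. The sample email and the domain `appleid-verify.example.net` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "account compromised" email whose visible link text
# claims to be Apple, while the href points to a hypothetical look-alike host.
SAMPLE_EMAIL_HTML = """
<p>Your Apple ID was used to sign in on an unknown device.</p>
<p>Reset your password now:
<a href="http://appleid-verify.example.net/reset">https://appleid.apple.com</a></p>
<p>Questions? <a href="https://support.apple.com">Apple Support</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or URL-looking text (scheme added if absent)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()

def triage_links(html, expected_domain):
    """Return human-readable findings for links a reader should not trust.
    expected_domain is the sender's legitimate domain, e.g. "apple.com"."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        actual = _host(href)
        # Visible text that looks like a URL must point where it claims to.
        looks_like_url = "." in text and " " not in text
        if looks_like_url and _host(text) != actual:
            findings.append(f"display '{_host(text)}' but href goes to '{actual}'")
        if actual != expected_domain and not actual.endswith("." + expected_domain):
            findings.append(f"link leaves {expected_domain}: {href}")
        if urlparse(href).scheme != "https":
            findings.append(f"non-HTTPS link: {href}")
    return findings
```

Run `triage_links(SAMPLE_EMAIL_HTML, "apple.com")` to see the three findings on the constructed sample; a message with no findings still deserves the manual-navigation habit the post recommends.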
Once you have implemented these steps into your training and processes, it’s still important that you consult with professionals. Even the people who write this stuff have the potential to mess up as evidenced above, and you can always use a second pair of eyes on your process.
Are you looking to make improvements to prevent a potential phishing attack? If so, reach out to Creative Network Innovations today.
Our team of security professionals will work alongside your business to develop an IT strategy proven to reduce the chances of a phishing attack by training and working with your staff. In this ever-evolving world of new pitfalls and attacks, it’s important that you keep yourself and your staff up to date on the latest techniques and safety measures.