Dear Client,
Your debit card appears to have been compromised. Click here to verify your account number and give us your password. We promise this is a legitimate request and not an attempt to steal your identify.
Sincerely,
“Your Bank”
If only phishing attempts were that obvious. In the early days of “phishing, ” one might receive an email from prince in Nigeria with a request for money or a relative overseas who needed money to get back to the States. Today, it’s much harder to tell a phishing email from a legitimate one. Targeted phishing emails remain a common method of infecting network systems with malware. Updated anti-virus security software will detect many forms of malware and block infection, but truly effective cyber-security relies on user vigilance. Employers must develop training for all employees that not only addresses secure user behaviors like creating strong passwords and keeping software up-to-date, but also educates users on the latest cybercrime schemes and how to recognize and manage phishing emails.
What is Phishing?
According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” Cyber criminals use emails designed to look like they came from a legitimate bank, government agency, or organization. Typically, these emails ask you to click on a link that goes to a page where a form asks for personal information or account information.
Tips to Protect Yourself and Your Company/Organization
Here are some tips to help you recognize phishing emails, so you do not get caught in a cyber criminal’s trap. While these tips are not foolproof, they will certainly help you better understand the difference between legitimate emails and phishing emails.
- A real company does not request sensitive information in an email.
Companies know that phishing emails are a real problem. Look at the legitimate emails you receive from your bank. They always tell you to log into your online bank account to provide them sensitive information. A real company will never ask you to click on a link that takes you to a website to enter sensitive information. If they do, stop doing business with them.
- A real company knows who you are.
Phishing emails often have generic greetings. You do have to be careful here, however, because smarter cyber criminals may have done research on the organization and use a legitimate name and title in a phishing email.
- A real company sends emails from their own domain.
If you have any doubt about a received email, always check the domain where the email is being sent from. You can test the email address by hovering your mouse over the “from” address. This is not a foolproof method as sometimes companies use other domains to send emails to customers.
- A real company knows how to spell and use correct grammar.
This can be subtle. Most companies take great pains to make sure the spelling and grammar within their emails to customers are accurate and proper. If the text in an email seems off, it could be a tip-off to a phishing email. Also, the description of currency can be a tip-off. $100 USD is not a normal way to describe a price. Unless you do a significant amount of international business, using USD to describe U.S. dollars is not common.
- A real company does not send image-only emails.
Some phishing emails look like they contain text but only include an image. The danger is that the picture could be one big hyperlink. You may be thinking you’re clicking on a link in the email when in fact you’re clicking on the image.
- A real company does not randomly email attachments.
Receiving an email from a company with an unexpected attachment is another tip-off that the email might not be legitimate. While this is not always the case (you could receive an invoice via an email attachment) be very skeptical about the email if it contains an attachment you are not expecting.
Steps to take if you identify a phishing email
- Make sure you do not click on any links within the email or open any attachments. Also, be careful before you click on any pictures that might be contained in the email.
- Don’t reply to the sender.
- Report the phishing scam to the FTC at spam@uce.gov.
- Delete the email. Make sure you physically remove it from your computer. If you are using Outlook, make sure to use the Shift|Delete keys, not just Delete. Deleting an email in Outlook moves it to the deleted items folder. Using Shift|Delete physically removes the email from your computer.
- If you do business with the company mentioned in the email, you can check with the firm (we suggest calling them) to let them know their name is associated with a phishing email.
- If you are not sure a received email is legitimate (especially if it has an attachment that you are not expecting), send a separate email – don’t use reply! – asking the individual if they sent you the attachment.
Again, none of these tips are foolproof. They will, however, provides you with a quick checklist you can use when evaluating a suspicious email.
The greatest asset of your organization is your employees. The most significant security risk for your organization is also your employees. We all need to be reminded constantly that not every email you receive is legitimate, and making your employees aware of what to look for is a great first step.
The information in this article was obtained from various sources and is not all inclusive regarding the subject matter. This content is offered for educational purposes only. Posted with permission from Steve Anderson.
