The first thing to know about phishing scams is that no matter your industry or business size, you’re not immune.
Whether you’re a single-location medical office or Fortune 500 company, hackers are targeting your business with any and all digital contact information they can get their hands on. If your company uses emails or phone numbers (and most do), you’re at risk of falling victim to a phishing scheme.
The second thing to know is that phishing is the top social engineering attack on businesses (growing 65% last year alone), and is responsible for nearly 90 percent of security breaches. That means your employees are at risk more than ever when it comes to unwittingly divulging their personal information or your business data.
Phishing attacks put your team’s livelihood at risk, your business finances at risk, and could even result in negative PR that can have a lasting effect on your community’s trust in your brand.
But, there’s also some good news when it comes to protecting your business against lurking threats.
Training your team to spot and avoid phishing scams is your first line of defense against cybercriminals. This means, through reinforced advice and good habit-building, scam spotting can become second nature to your staff. And since information is power, here are six rules of thumb to pass along to your team and start empowering them to raise their cyber defenses.
6 Things To Know About Phishing Scams
1. Email subject lines can be urgent, enticing, or downright scary
“You’re one of 5 winners! Claim your prize now”
“Your subscription has expired. Update now or lose your data”
“You’re using my personal images on your website and now I’m going to sue!”
Through social engineering, an attacker will use personal data to craft subject lines that their intended victims will find interesting or relevant. However, these subject lines are often too good (or too outrageous) to be true. A good rule of thumb is to be wary of any subject line that’s meant to elicit a strong emotion, like fear or shock.
2. Email addresses can be spoofed
Just because an email looks like it’s coming from a reliable source doesn’t mean it is. A good place to look is the domain of the sender’s email address, to see whether it’s misspelt, like “@tekmangmnt.com.” If you’re unsure about the spelling of a domain (some businesses use acronyms, for example), the best way to check is a quick search for the company’s website in a search engine like Bing or Google.
3. Hackers can (and will) use real brand images and logos
Does the Microsoft logo in that email signature look legit? It probably does. That’s because anyone can grab an image off the web and add it to their email. Some cybercriminals will even have their emails styled professionally, so their request looks branded and believable. Just because an email has a PayPal logo, PayPal font and a button in PayPal blue, doesn’t mean it’s from PayPal.
4. There’s more to a link than looks
Just because a link looks legitimate doesn’t mean it won’t take the clicker on a nefarious cyber journey. Before clicking any email link, it’s best practice to hover over it and wait until a URL preview appears. Do the URLs match exactly? Be on the lookout for sneaky variations, such as a domain ending in .co or .net instead of the one you expect.
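Rules 2 and 4 both come down to the same check: does the domain that a link or sender shows you match the domain it actually uses, and does that domain resemble one you trust? The following Python script is an added example, not code from the original article or its authors. It extracts every link from an HTML email body, flags links whose visible text names a different domain than the href points to (rule 4), and flags domains that are near-misses of a trusted list (rule 2, including the .co/.net swap). The trusted domain list, the sample email body and the similarity threshold are all constructed assumptions; in particular “tekmanagement.com” is assumed here as the legitimate spelling behind the article’s “tekmangmnt.com” example, and the registered-domain extraction is a deliberate simplification (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation considers trusted. In practice this
# would come from an allow-list maintained by IT; these are constructed values.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "tekmanagement.com"}


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (no public-suffix list, by design)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host imitates, or None if it is trusted/unrelated."""
    rd = registered_domain(host)
    if rd in trusted:
        return None
    label = rd.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        # Same name, different ending: paypal.co vs paypal.com (rule 4's ".co or .net").
        if label == t_label:
            return t
        # A few edits away from a trusted name: tekmangmnt vs tekmanagement (rule 2).
        # Threshold scales with the trusted label length (assumption, not a standard).
        if levenshtein(label, t_label) <= max(1, len(t_label) // 4):
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def check_links(html):
    """Return a list of (href, text, reasons) for links that deserve a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # Rule 4: the text shows one domain, the link goes to another.
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            reasons.append(f"text shows {registered_domain(shown.group(0))} but link goes to {host}")
        # Rule 2: the destination is a near-miss of a trusted domain.
        target = lookalike_of(host)
        if target:
            reasons.append(f"{host} resembles trusted domain {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body; none of these links are real messages.
SAMPLE_HTML = """
<p>Your subscription has expired. Update now or lose your data.</p>
<a href="http://paypal.co/login">https://www.paypal.com/login</a>
<a href="https://secure-update.tekmangmnt.com/reset">Update now</a>
<a href="https://www.microsoft.com/account">Microsoft account</a>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_HTML):
        print(f"{href!r}: " + "; ".join(reasons))
```

Run it and the first two links are reported (the PayPal one for both a text/href mismatch and a .co ending, the second for resembling the trusted spelling), while the genuine Microsoft link passes. A mail gateway or awareness tool would typically feed real messages through a check like this and surface the reasons to the recipient rather than silently dropping mail.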
5. Danger can be found in attachments, too
It can be hard to resist clicking an attachment in a phishing email, but threats lurk there, too. An attachment might itself be a malicious file, or it might contain a link to a bogus website. If you do click an attachment and receive a pop-up warning, or the application asks you to adjust your settings, don’t proceed. Instead, you can always contact the sender through alternative means and ask them to verify that it’s legitimate.
6. Look for poor grammar, not just spelling
Some scammers use translation tools and spell checkers to ensure words are spelled correctly, but those checkers usually miss grammar. It’s important to remember that anyone can make a typo or mistake, but also to think critically about the type of mistake in an email (accidentally hitting an adjacent key, versus using words in the wrong context).
What if an employee does click that phishing link?
Clicking a link can be a small mistake with big repercussions. For that reason, employees might feel hesitant to report falling victim to a scam. Make sure your employees feel comfortable letting you know if they’ve clicked a dangerous link or attachment, rather than quietly deleting the email and hoping the trouble will go away.
The next best step is to contact your IT department or provider so they can take appropriate action to protect your data and assets.
Sign up for our ‘Scam of the Week’ emails
No, we won’t send you real phishing scams (but good for you for being so vigilant!). When you sign up for our email series, we’ll keep you in the loop each week on current schemes targeting businesses. Cybercriminals are continually getting wiser and more creative, so our aim is to keep you a step ahead of the latest threats.
If you have questions about phishing training and data protection, we invite you to set up a call with our cybersecurity team. Our job is to stay abreast of the latest scams and fail-safes, so you can better focus on your business. Contact us through our website, or call (541) 779-4777.