Have you or someone you know ever been a victim of a phishing attack, whether through a phone call, an email, or even a text message? All it takes is one unsuspecting individual to click or agree to something, and all of your personal information could be compromised. Or worse, your company assets.
A company's first and last line of defense is its employees. Employees receive these phishing attempts with varying levels of difficulty. Attacks have gotten so sophisticated that they can appear to come from your allies within your own team.
The numbers are clear. Organizations are thinking about phishing attacks on their staff. Training your entire team on these threats is the best investment you can make to prevent very destructive breaches.
Should I click on something I am curious about? Do I report the email to my security team? Should I delete the email? All these are valid questions you and your organization should have the answers to. The best way to identify phishing attempts is to understand exactly what the sender is asking of you. Below are some questions you can ask yourself when deciding whether an email is a phishing attempt or not.
Phishing scams come in all shapes and sizes. Having the insight to spot them is what we can provide you and your organization. Spending a small amount of time training your staff will save you the headache of cleaning up a breach later.
Is the sender known and a trusted source?
Make sure the sender is someone you actually know. If you are receiving an email from an unknown source or individual, that should be a red flag to proceed with caution. Pay close attention not just to the sender's name in the email, but to the email address itself. Check that the address is familiar and isn't slightly off. That is very common with phishing attacks.
Does the subject material make sense?
Quite often phishing emails received by your employees will not be relevant at all to the work they do. And sometimes they can seem relevant to what you do. These are the sneaky ones you have to look out for. Take a look at this example phishing email below:
Example threat by email: Email phishing scams can be hard to detect. But the little time it takes to properly train now will benefit you and your organization later.
The email itself looks to be very uninviting. It is also coming directly from "Squarespace's Trust & Security team." They most likely would not address themselves in this way. Do you have a Squarespace account? Should you be getting this email? If you do, does this look like something they would send?
Let's say all of the stars aligned, you had a Squarespace account, you didn't know how their safety team would address themselves to you, and you received this type of email. The next step in determining a phishing attempt is looking at the links and URLs within the message.
What kind of links and URLs are in the message?
When you hover over a link, you will notice a small white box with text pop up in the bottom left corner of your browser. This box shows the actual destination the link will take a user to, regardless of what the text of the link shows.
If the destination and the URL do not match up, it is most likely a phishing attempt and the link should not be clicked. For example, if the URL seems to be pointing to Squarespace support, but the link destination shown in the white box in the bottom left corner shows somewhere completely different, then this is a red flag!
Think about which email account you are using. If you have access to both your personal and work email accounts on the same device, then you will most likely be getting email notifications for both accounts.
Let's say there is an upcoming baseball game you want to attend. You buy the tickets online with your personal email account linked to it. Then, a couple days later you receive an email sent to your work email where the body of the message refers to baseball, tickets, or something purchased. You remember you just bought tickets to a baseball game, so you immediately think to open the email and see what's going on.
If you bought the tickets under your personal account, then you should not be receiving anything related to those tickets on your work email. That should be a red flag to report the email or delete it altogether.
Talk to us about training your staff to protect your organization and its assets from cyber threats. Be sure to check out our ASAP training page for more information.