If businesses have a single clear and present danger that puts them most at risk its phishing. Because of this I’m going to be covering this topic of phishing and social engineering in a number of posts.
What is phishing?
Phishing is the attempt to acquire information for malicious reasons by pretending to be a known or trustworthy source, typically by electronic means. For example, you may receive an email that looks like it is coming from your bank asking you to log into your account to review a transaction.
Playing to your emotions
Phishing attempts tend to play to your emotions. Watch out for these potential triggers.
- Financial Gain – they may offer a reward of some kind if you click on a link or login to your facebook page. If an email offers something that seems to good to be true…you know the rest.
- Urgency – the message sent will have a deadline for performing the requested action
- Curiosity – we’re naturally curious. Showing us something interesting gets our attention
- Fear – probably the most common one. These scare us into performing an action to prevent a negative consequence
The “Call to Action” of the phishing attempt is what the entire purpose is. In fact its the main outcome of all social engineering attempts. The attacker is looking for you to do something for them. That could be clicking on a link to a fake website that asks for your password or just a verbal request to wire money to a new offshore bank account coming from your CEO.
How to Protect Yourself
- Be a skeptic. Don’t click on direct links in your emails, type the web address directly into your web browser
- Watch out for poor spelling or bad grammar. This is a tell, but good grammar doesn’t mean that the message is legit.
- Pick up the phone. If an usual request comes from your CEO or your bank, give them a call.
- Although a message looks like it came from an internal employee, it may not be. Ask questions.
- Ensure your software is up to date and that your anti-malware software is properly enabled.
- Watch out for fake invoices attached to your mail.
If you realize you’ve been caught by a phishing attempt, reach out to your IT people as soon as possible for next steps.