Phishing is the most common form of cyber attack, affecting over 3,600 reported victims last year in Canada alone. It is a social engineering tactic used by cyber criminals: the criminal sends an email or text message impersonating a trusted source and asks the recipient to provide information, download an attachment, or click a link. Through these deceptive practices, criminals trick people into disclosing passwords, credit card details, or private personal information, or into installing malicious software.
To protect your business from phishing attacks, it is imperative that everyone in your organization be able to recognize the signs of a phishing email and know how to report suspicious activity.
Recognizing Phishing Attacks
Phishing emails and text messages typically appear to be from an organization that the target trusts, such as the government, social networking websites, financial institutions, credit card companies, online marketplaces, the target’s employer, or one of the target’s clients.
The message presents a scenario that requires action on the part of the recipient. Common examples include:
- “We’ve noticed some suspicious activity on your account”
- “You need to update your payment information”
- “Please see the attached invoice and process payment”
- “Please confirm your email address”
- “You are eligible for a government refund”
What are the signs that the example message (a fake LinkedIn notice) is a phishing email?
- The generic greeting “Dear,” without the recipient’s name
- The grammatical errors (e.g., capitalizing “Us”, “Blocking”, “Note”, and “About” mid-sentence as well as inconsistent spacing between words)
- The sender name, “{L’nkedIn}”, is very unusual
- The sender’s domain, “@parax.co.uk”, does not belong to LinkedIn
- The link to verify the recipient’s account is overly urgent
Inspecting a message by first looking at the sender details, the text of the message, and the call to action is the best approach. If any of these elements appear suspicious, do not engage with the message and report it immediately.
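As an added illustration (not part of the original post), the small Python checker below applies the signs listed above to a raw email: a sender name that resembles a known brand but arrives from an unrelated domain, a generic greeting, urgent wording, and odd mid-sentence capitals. The brand-to-domain table, the phrase lists, the thresholds and the sample message are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the indicators listed above (not a real message).
SAMPLE = """From: {L'nkedIn} <alerts@parax.co.uk>
To: someone@example.com
Subject: Action required

Dear,
We Noticed some Suspicious activity on your account. Please verify your account
immediately or we will be Blocking access: http://parax.co.uk/verify
"""
# Assumption: brands the organisation expects mail from and the domains they send from.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}, "paypal": {"paypal.com"}}
GENERIC_GREETINGS = ("dear,", "dear customer", "dear user", "dear member", "hello,")
URGENCY_PHRASES = ("immediately", "within 24 hours", "verify your account", "suspended")

def matched_brand(display_name):
    """Return the brand a sender name imitates, tolerating look-alikes such as L'nkedIn."""
    cleaned = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for brand in BRAND_DOMAINS:
        if SequenceMatcher(None, cleaned, brand).ratio() >= 0.8:
            return brand
    return None

def phishing_indicators(raw):
    """Return the warning signs found in one raw RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    found = []
    brand = matched_brand(display)
    if brand and address.rsplit("@", 1)[-1].lower() not in BRAND_DOMAINS[brand]:
        found.append("sender-domain-mismatch")      # looks like LinkedIn, sent from elsewhere
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0].lower().startswith(GENERIC_GREETINGS):
        found.append("generic-greeting")            # "Dear," with no name
    if any(p in body.lower() for p in URGENCY_PHRASES):
        found.append("urgent-call-to-action")
    words = body.split()
    odd = sum(w.isalpha() and len(w) > 1 and w[0].isupper() and prev[-1] not in ".!?:,"
              for prev, w in zip(words, words[1:]))
    if odd >= 3:
        found.append("odd-capitalisation")          # capitals mid-sentence, as in the example
    return found

def is_suspicious(raw):
    return len(phishing_indicators(raw)) >= 2
```

Any single indicator can occur in legitimate mail, so the verdict requires two or more; a real deployment would tune the lists and thresholds to the organisation's own traffic.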
Reporting Phishing Attacks
Suspicious messages sent to your business email address should be reported to your IT service provider. When reporting the suspicious message, it is always best to do so offline. The attack is coming via email, so forwarding the message to additional parties only increases your organization’s risk factor. Where possible, report the message face-to-face or over the phone.
If the suspicious message is sent to your personal email account, call the organization that is being spoofed and report the message. For example, if you receive a suspicious message from your bank requesting a password reset for online banking, call your local branch immediately. They will confirm that the message is phishing, instruct you on what to do next, and take appropriate action to prevent other clients from being defrauded.
If you accidentally click on a link, download an attachment, or reply to a phishing message in error, do not attempt to resolve the problem on your own. Again, report the incident to your IT professional to ensure everything is addressed according to company procedures.
Preventing Phishing Attacks
Your organization’s cybersecurity strategy should include policies, practices, and procedures that prevent phishing.
Technical tools such as spam filters, anti-virus and anti-malware software, firewalls, multi-factor authentication, mobile device management, and password security will help your organization; however, this post should make it clear that education is the key to preventing a disaster.
Business leaders should ask their IT service provider what it is doing to prevent phishing attacks, and ask themselves whether their employees are properly educated on cybersecurity threats.