Phishing is an attempt by cybercriminals to steal your money and data using malicious email messages, websites and sometimes even phone calls. These criminals gain access to your information by installing software on your computers that is used to steal valuable information. In some cases, they will also initiate social engineering attacks through email, a direct phone call to you or persuade you to download malicious software from a website. If an attacker targets your network today with a phishing email, it’s almost certain someone will fall victim. It only takes one to compromise your network so if it’s guaranteed your employees will fall victim to these attacks; you need to start thinking, today, about how to educate your employees of the dangers of phishing and social engineering attacks.
A 100% guarantee that at least one person on your network will get hacked!
I know beyond a shadow of a doubt your employees will be attacked. This is one bet Vegas will never go against because they would be out of money on day one. I myself have been phished numerous times through emails and telephone calls. I once got a call from a scammer who explained that Donald Trump had found millions of dollars that I needed to claim and the phishing emails I’ve received are far too many to count. According to Security Affairs, 97% of people cannot identify phishing emails. This is a huge problem that needs to be addressed with education immediately! In another study, Intel Security asked people to identify phishing emails from 10 different email examples. The data for the study was collected in 144 countries, and 19,000 people were surveyed. The results of the study are staggering.
- Only 3% surveyed identified all 10 emails successfully
- 80% surveyed got at least one wrong answer
- The worldwide average was 65.4% missing 1 out of 4 phishing attempts
The end user is the weakest link
The study brings up a glaring hole in network security; your end users. If 80% surveyed got at least one wrong answer and it only takes one to compromise your network; the odds are highly against you. You will be compromised. The only question now is will it be a banking Trojan that steals large sums of money from your bank account, will it be an attack that steals Personally Identifiable Information, will the attackers cause physical damage to your systems or will they use your resources to initiate large-scale attacks across the internet? Maybe it will be all of the above? Whatever the outcome, it is always terrible and usually results in a loss of revenue or reputation to the victims.
How to Identify Phishing Attempts
The great thing about phishing emails is that with a little investigation, you can usually identify and avoid these attacks. Microsoft does a great job of helping to identify some key items in emails to be suspicious of when you suspect you have received a phishing email. Take a look at some of the key items Microsoft has identified.
Here is an example of a suspicious hyperlink. When hovering over it, you can see the actual hyperlink doesn’t match the address presented in the link.
Don’t forget about those phishing phone calls. I don’t have a graphic for that. You have to use common sense and listen to what the caller is asking you. Never give out confidential information over the phone including usernames and passwords. Never go to websites and download software from a phone request.
Educate Your End Users!
- Hover over links to identify spoofed links; make sure that an embedded link is taking you to the exact website it presents
- Inspect emails for obvious red flags: misspelled words, incorrect URL domains, unprofessional and suspicious visuals and unrecognized senders
- Visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on the retailer’s homepage
- Do not click on any links in any email sent from unknown or suspicious senders
- Do not forward the suspicious email as you may just help spread the threat to others
- Do not download content that your browser or Antivirus identifies as malicious
- Do not give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious