Don’t Take the Bait! How to Tackle Phishing Attacks

The number of email phishing attacks, and the sophistication with which the scams are distributed, has increased over the past year. These scams are successful enough for cybercriminals to make massive profits and gain access to valuable information, so it doesn’t look like they will be going away anytime soon. Fortunately, there are ways to avoid becoming a victim of a phishing scam. Here are some basic guidelines to keep yourself, and your organization, safe:

What is a phishing email?

A phishing email is an email that hackers use to trick you into thinking that the message you received is from someone you know, or from a trusted source. There is usually a link or an attachment for you to click on, often accompanied by some sense of urgency. These links and attachments give hackers a way into your email and your systems. Sometimes the hackers will first attempt to gain your trust by starting a simple email conversation.

It is important to verify the sender of the email and all attachments before taking any action with an email. Don’t let curiosity get the best of you! Take the time to verify each email.

How can I verify senders, links and attachments?

Know the things to look out for:

  • Red flags within the content of the email - Emails with spelling and grammatical errors should raise immediate suspicion. Any email that is littered with errors should be scrutinized to determine its authenticity and discarded if it looks like a phishing scam.
  • False sense of urgency lures - Any email that asks you to confirm personal, financial, or other sensitive information over the internet should be treated cautiously. An unexpected email from an association asking you to confirm your account information, or an email from your bank telling you that your “card has been declined and needs to be updated” should be well researched. Emails with a sense of urgency such as "Your account will be suspended if you don't update your account info" or "Failure to login will lead to your membership being disabled" should trigger suspicion. Instead of using the links they provide, open a web browser and type the website into the address bar to check the legitimacy.
  • Payment / Gift Card / Member Information requests - When receiving emails asking for money or membership information, you should always check with the party in question to confirm authenticity even if you are expecting it. Always call and verbally confirm any email asking for action that involves money or payments.
  • Does the email match your role or the role of the sender? - Phishing scam emails often contain requests that have nothing to do with the sender’s role or your role. For instance: a Legal Assistant is sent an attachment labeled “overdue invoice”; however, such requests should be sent to and handled by the Accounting Dept. This email should immediately raise concerns.

What do I do if I am sent a suspicious email?

Don’t click!

Never click on a link or open an attachment without completely understanding where the email has come from. Hover over the link to check that it points to the correct address. For instance, a link may look like it’s coming from “Drpobox”, but hovering over the link will show that the destination is not truly Dropbox. Look again. Does Drpobox.com look right? One letter swapped, and your mind is still seeing Dropbox.com. Rearranging letters is very common in phishing scam emails.
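As an added illustration of the hover-and-compare check described above (example code written for this article, not from the original post): it parses a constructed HTML email, compares the domain shown in each link's text with the link's real destination, and flags destinations that are a near-miss of a trusted brand domain. The TRUSTED_DOMAINS allow-list and the sample message are assumptions.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the link text reads "dropbox.com" but the real
# destination is a letter-swapped lookalike domain.
SAMPLE_EMAIL_HTML = (
    '<p>Your shared file is waiting: '
    '<a href="https://drpobox.com/s/abc123">https://dropbox.com/s/abc123</a></p>'
    '<p>Also see <a href="https://www.dropbox.com/help">Dropbox help</a></p>'
)

# Hypothetical allow-list of brands the organization legitimately deals with.
TRUSTED_DOMAINS = {"dropbox.com", "microsoft.com"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(url):
    """Last two labels of the host: www.dropbox.com -> dropbox.com."""
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def domain_in_text(text):
    """Domain a reader would 'see' in the link text, if any."""
    m = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    return registered_domain(m.group(0)) if m else None

def check_links(html):
    """Return (href, reason) for links that mismatch their text or look like a trusted brand."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest, shown = registered_domain(href), domain_in_text(text)
        if shown and shown != dest:
            findings.append((href, f"link text shows {shown} but goes to {dest}"))
        elif dest not in TRUSTED_DOMAINS:
            close = difflib.get_close_matches(dest, TRUSTED_DOMAINS, n=1, cutoff=0.8)
            if close:
                findings.append((href, f"{dest} looks like {close[0]}"))
    return findings
```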

If you click on a malicious link or attachment, you have just compromised your computer and/or your files. You have potentially also compromised the systems of everyone you are associated with.

Report it!

If you see a suspicious email, stop and report it directly to your IT department. Do not forward the email. If you forward it, you increase the odds that whoever clicks on it will be compromised. Your IT department will know how to deal with this email.

How can these types of emails be blocked?

Get a good spam filtering system

Most built-in spam filtering systems that come with email platforms are adequate, but scam emails are still able to get through. Enterprise-class spam filtering systems will block the influx of these emails and other potentially dangerous emails with attachments.

Use the latest version of Microsoft Office

The latest versions of Microsoft Office are introducing features that scan inbound email for potential phishing messages. This should drastically reduce the number of these emails that reach you.

Education and skepticism are the best defenses

There is no way to prevent hackers from sending phishing emails. Phishing is a profitable enterprise. Microsoft and other IT companies continue to take steps to prevent you from becoming a victim, but there will be times that phishing emails will land in your inbox.

Develop a habit of being skeptical of each email you are sent, especially from an unknown sender. Continue to educate yourself about phishing attacks and stay up-to-date with news regarding the latest “lures” used in phishing scams. Pass this information along to your staff, or contact Hilltop to discuss educational resources and training.