Phishing

24.09.2021
Over the past 18 months we have relied more than ever on computer systems, mobile devices and the internet to work, communicate, shop, and otherwise mitigate the impact of social distancing. More than ever we are vulnerable to different kinds of cybercrime. One of the most common ways to fall victim to a cyber-attack is phishing.
What is Phishing?

Phishing involves attempts to gain access to a victim's personal accounts or capture their sensitive data by tricking them into revealing passwords or personal information. Phishing is undertaken through multiple channels, including email, mobile, social media, and phone calls. 
Phishing emails and text messages may look like they’re from a company or person you know or trust, e.g. a colleague, a bank, a social networking site, etc. Phishing messages often tell a story to trick you into clicking on a link or opening an attachment. For example: they may say they’ve noticed some suspicious activity or log-in attempts, claim there’s a problem with your account or your payment information, and so on.

How to recognize phishing?

Some specific signs of phishing are:

  • Unfamiliar tone or greeting: Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with needed information about your account, the email would address you by name and would probably ask you to contact them by phone.
     
  • Grammar and spelling errors: Possibly the easiest way to recognize a scam is bad grammar and spelling. An email from a legitimate organization should be well written.
     
  • Sense of urgency: the message encourages, or even demands, immediate action. The scammer hopes that, by reading the email in haste, you will not examine its content thoroughly.
     
  • Request for credentials, payment information or other personal details: emails from an unexpected or unfamiliar sender that request login credentials, payment information or other sensitive data should always be treated with caution.
     
  • Inconsistencies in email addresses, links and domain names: Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (such as additional numbers or letters) have been made. Compare these two email addresses as an example of an altered address: michael@ipcom.be vs. michael@1pcom.be. If a link is embedded in the email, hover the pointer over the link to verify what ‘pops up’. If the email is allegedly from PayPal, but the domain of the link does not include “paypal.com,” that’s a huge giveaway. If the domain names don’t match, don’t click.
     
  • Too good to be true: emails that incentivize the recipient to click on a link or open an attachment by claiming there will be a reward of some kind. If the sender is unfamiliar or the recipient did not initiate the contact, the email is most likely a phishing attempt.
     
  • Suspicious attachments: Most work-related file sharing now takes place via collaboration tools such as SharePoint, OneDrive or Dropbox. Therefore, internal emails with attachments should always be treated with suspicion, especially if the attachment has an unfamiliar extension or one commonly associated with malware (.zip, .exe, .scr, etc.).
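To make these signs concrete, here is an added example (not part of the original article) that checks a message for the indicators listed above: a generic greeting, urgency wording, a lookalike sender domain such as 1pcom.be standing in for ipcom.be, a link whose host lies outside the domain the sender claims to be, and an attachment with a risky extension. The known-domain list, keyword lists, character-swap table and sample messages are all constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed for this example: domains the organisation already knows and trusts.
KNOWN_DOMAINS = {"ipcom.be", "paypal.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")
GENERIC_GREETING = re.compile(r"^dear (valued member|account holder|customer)", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")
# Digit/letter swaps typical of lookalike domains (1 -> i, 0 -> o, l -> i, rn -> m).
SWAPS = str.maketrans({"1": "i", "0": "o", "l": "i"})

def normalise(domain):
    return domain.lower().translate(SWAPS).replace("rn", "m")

def lookalike_of(domain):
    """Known domain that `domain` imitates, or None if it is unrelated or an exact match."""
    for known in KNOWN_DOMAINS:
        if domain.lower() != known and normalise(domain) == normalise(known):
            return known
    return None

def phishing_indicators(msg):
    """List the article's warning signs found in one message (constructed dict format)."""
    found = []
    sender_domain = parseaddr(msg["from"])[1].rpartition("@")[2].lower()
    if GENERIC_GREETING.search(msg["body"]):
        found.append("generic greeting")
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        found.append("sense of urgency")
    target = lookalike_of(sender_domain)
    if target:
        found.append(f"sender domain {sender_domain} looks like {target}")
    # Brand the mail claims to come from: a real known domain, or the one it imitates.
    claimed = target or (sender_domain if sender_domain in KNOWN_DOMAINS else None)
    for url in URL.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if claimed and host != claimed and not host.endswith("." + claimed):
            found.append(f"link host {host} is outside {claimed}")
    found += [f"risky attachment {n}" for n in msg["attachments"] if n.lower().endswith(RISKY_EXTENSIONS)]
    return found

# Constructed sample messages: one phishing attempt and one legitimate mail.
SAMPLES = {
    "phish": {"from": "Michael <michael@1pcom.be>", "subject": "Urgent: your account will be suspended",
              "body": "Dear customer,\nVerify now at http://ipcom-secure.example/login\n",
              "attachments": ["invoice.zip"]},
    "legit": {"from": "Michael <michael@ipcom.be>", "subject": "Meeting notes",
              "body": "Hi Anna,\nNotes are on https://docs.ipcom.be/notes\n", "attachments": []},
}
```

Running `phishing_indicators(SAMPLES["phish"])` reports all five signs, while the legitimate sample returns an empty list; in practice such heuristics belong in a mail gateway or reporting workflow, not as the only line of defence.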

How To Protect Yourself From Phishing Attacks

Your email spam filters may keep many phishing emails out of your inbox. But scammers are always trying to outsmart spam filters, so it’s a good idea to add extra layers of protection. Read the tips below to protect yourself from phishing attacks.

Be vigilant

Requests for personal data or immediate action are almost always scams. When in doubt, don’t respond. Always first think, then click!

Strong passwords

Protect your accounts with strong passwords. Your passwords should meet the following criteria: 8 characters, with at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character. Never re-use your organization passwords for non-work-related purposes.

2FA or MFA 

Protect your accounts with 2-Factor (2FA) or Multi-Factor Authentication (MFA). It requires two things in order to gain access to your accounts: something you know (your password) and something you have (typically a one-time code sent to your phone). When accessing your account you enter your password and then enter the one-time code displayed on your phone.
 

Use secure devices and networks

Protect your computer by using security software. Set the software to update automatically so it can deal with new security threats. For devices issued by the company, this is taken care of by your IT department. Be extra careful with personal devices: they might not have the proper security in place to access sensitive company data.

Public wireless networks and hotspots are not secure. This means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them. Limit what you do on public Wi-Fi, and avoid logging in to key accounts such as email and financial services.
 

What To Do if You Suspect a Phishing Attack

When you receive an email or a text message that asks you to click on a link, open an attachment or fill in your personal information, ask yourself this question: Do I have an account with the company, or do I know the person who contacted me?

  • If the answer is “No”: it could be a phishing scam. Look for signs of a phishing scam (see above). If you see them, report the message and then delete it.
  • If the answer is “Yes”: contact the company using a phone number or website you know is real. Don’t use the information in the email! Attachments and links can install harmful malware.

If you think you clicked on a link or opened an attachment that downloaded harmful software, immediately lock down your computer and contact your IT department.

 

Human Firewall

Last but not least, always remember that security starts with you. A company may have the most secure system in the world. It only takes one inattentive person to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Let’s join forces to secure the business network and build a human firewall!