What is phishing?
Phishing uses scam emails to convince you to open a malicious attachment or click a malicious link. The emails may look legitimate and appear to come from senders you know, such as a financial institution, a software or hardware provider, another reputable organization, or individuals in your company or professional network.
The goal is to get you to download an attachment or click on a link to complete a seemingly urgent request. These attachments often bypass security and anti-virus programs by using Microsoft Office macros that, once enabled and run, download malware.
Links may connect to seemingly legitimate websites, which exploit vulnerabilities in your computer to install malicious code. Alternatively, these webpages may simply trick you into entering personal information, such as usernames and passwords, that can then be used to access sensitive financial, customer or personal data.
Sophisticated attackers aim convincing spear phishing emails at carefully selected individuals, researching recipients through social media, LinkedIn and other publicly available data online. These emails seem to be from an individual whom you know and trust, making it more likely that you will click on the link, download the attachment or otherwise expose your system.
High-volume phishing, on the other hand, targets as many recipients as possible – only a tiny percentage of whom need to be caught for the attempt to pay off. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.
What are the risks to your business?
- Data theft (or encryption for ransom)
- Hardware damage
- Fraudulent Internet banking redirection
- Financial theft
How you can defend your business against phishing
- Install and update reputable anti-virus software, and keep systems up to date with new releases and security patches.
- Never open attachments, click links or download software from unknown sources or questionable websites.
- Implement protective policies and training to ensure staff have the knowledge to conduct business safely online.
- Limit access to systems and information based on job duties, and split financial responsibilities between employees.
- Restrict Internet access to trusted websites and limit the use of external media devices.
- Be aware of what information is available about you and your organization on social media. If you know what can be found, you can be more alert to its use in an innocuous-looking email.
Most importantly, learn to spot suspicious emails! Here are just a few telltale signs:
- An unexpected email, such as confirmation of a form you haven’t submitted or an order you haven’t made.
- A new email address from a sender you know.
- An unusual greeting or title in the subject line.
- A strange tone or odd language.
- An unusually urgent request from a known person.
- An unusual attachment or a request to enable macros.
- Being redirected to a website that looks similar to a website you visit frequently but seems subtly different.
- Any email or link asking you to enter a password.