Phishing scams are nothing new, yet they remain a major threat to companies around the world. These scams work by tricking users into clicking on a malicious link or attachment that can install malware on their device or lead them to a website that looks legitimate but is in fact a counterfeit designed to get them to share personal information such as account numbers, passwords or Social Security numbers.
In 2016, three out of four companies reported falling victim to phishing, according to Wombat’s State of the Phish 2017 report. And according to Symantec, phishing rates increased across every industry and organization size in June 2017 except for the public administration sector. In fact, in June, the phishing rate increased for the third month in a row to one in 1,975 emails—the second highest rate we’ve seen in the last year.
Businesses are vulnerable to two main types of phishing attacks:
- Mass phishing – which takes advantage of a well-known company’s brand name to lure customers to spoofed websites where users are asked to share sensitive information.
- Spear phishing – where hackers target specific individuals and include personalized details in an email to make them appear like a credible source. The hacker uses this impersonation tactic to make requests of the individual, like wiring money.
Here are six tips to protect your organization from the risks of a phishing attack:
- Don’t download files, click on links or open attachments from unknown senders
This might sound obvious, but it’s worth mentioning because, according to Verizon’s 2017 Data Breach Investigations Report, 30 percent of phishing emails get opened. We can be quick to read through our email and might accidentally click on a phishing email or malicious link. Slow down and trust your gut—if something looks suspicious, don’t click on it. These emails, links and attachments can lead to malware, virus infection or worse. If you don’t know the sender, search for the domain name through Google to see where it comes from. If you’re still unsure who the sender is, it’s usually best to delete the email without opening it.
- Double-check the email address
Even if you do know the supposed sender, you should still be cautious. Hackers can easily modify email fields to change a display name, sender name, reply name, etc. They often create email addresses that look nearly identical to that of someone you know, like your boss or bank. It might mean simply leaving off a letter (like .co vs. .com), using a “1” instead of a “l” (like Jennifer@gmai1.com vs. Jennifer@gmail.com) or slightly misspelling a domain name. Pay close attention to the sender’s email address and domain name. Most email platforms display the sender’s first and last name in the “from” box, not the actual email address. To double-check the email address, hover over the sender’s name. If something looks off, contact the company or person directly to inquire.
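The lookalike tricks described above (a dropped letter, `.co` for `.com`, a digit `1` for the letter `l`) can be checked mechanically against a list of domains an organization trusts. The following is an added example written for this article, not code from the original post; the trusted domains and sample addresses are constructed values.

```python
import re

# Constructed allow-list of domains this organization considers trusted (example values).
TRUSTED_DOMAINS = {"gmail.com", "examplebank.com", "ourcompany.com"}

# Characters commonly swapped for visually similar letters, e.g. "1" for "l" or "0" for "o".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or from a bare address."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unknown', or a description of which trusted domain is being imitated."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    # Undo homoglyph substitutions and two-letter combinations that mimic one letter (rn -> m, vv -> w).
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    label = domain.split(".", 1)[0]
    for t in sorted(trusted):
        if normalized == t:
            return f"lookalike of {t} (homoglyph substitution)"
        if label == t.split(".", 1)[0]:
            return f"lookalike of {t} (different top-level domain)"
        if edit_distance(domain, t) <= 1:
            return f"lookalike of {t} (one character off)"
    return "unknown"
```

A mail gateway or a user-facing banner can use the non-"trusted" results to flag a message for the extra verification step the article recommends.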
- Be wary of requests for action
Phishing emails often come in the form of a request to wire money or perform a bank transfer. And these requests typically come from email addresses that look like or are identical to that of someone we know. To avoid having your employees fall victim to such an attack, establish a procedure that requires anyone who’s asked to do a money transfer to authenticate the request via phone or in person with the person who sent the request.
- Don’t send sensitive information
As a general rule, never give out personal or otherwise sensitive information over the Internet. When you get an email from your bank or a company like Facebook asking for your username and password or posing some other call to action, consider the context of the request. If there is a sense of urgency—something like, “Your account will be locked if you don’t take immediate action”—take a step back to investigate before performing any action. Companies should not be asking users to enter sensitive information via email. If you’re unsure of the authenticity of the request, call the company to confirm.