Phishing is the little black dress of cyber-attacks: always in fashion, goes with anything, and, despite being around for over 20 years, still seems to be a hit. In fact, a recent experiment by JPMorgan showed that 1 in 5 employees will click on a phishing email.
Even more troubling, a recent study by the Ponemon Institute showed that phishing can cost an average 10,000-person company $4 million USD annually. When you add in the fact that more and more cybercriminals are using phishing attacks to spread dangerous (and expensive) malware and ransomware, it’s easy to see the importance of stopping phishing attacks before they start.
These attacks have the potential to become a huge professional concern as well; the CEO of FACC was recently fired after an email scam that appeared to come from his email cost the company over $54 million. It may be that when an email comes through with your name on, even if you didn’t send it, you could be held responsible.
But don’t lose hope, there is good news! In order to be effective, phishing attacks still need us to play along and do something we shouldn’t — send over information, download attachments, or click on malicious links, etc. We just finished putting together a new guide that highlights all the different ways attackers try to trick us into doing those things (you can check it out here), and as we were writing it, we identified seven good email habits that smart users follow in order to see through the ploys and keep themselves safe:
- Check twice, click once: Before you click on any links in an email be sure to hover over the hyperlink to see the destination URL first. Phishers will often hide their URLs in email text with things like “just click here to confirm” or “we just need some more information, please "fill out this form” in order to get someone to click without thinking about it. Hovering over the linked-text will show you the URL that the link is pointing to. If it’s not familiar, don’t click.
- Check with the sender if you’re unsure about an email: A favorite tactic of phishers is to find a list of executives at a company and send emails impersonating those executives to get employees to reveal sensitive information. If you get an email with any request that seems out of the ordinary — no matter who it is from — you should check with the sender to confirm it is legit. If that person says they didn’t send an email then you issue should report it to IT immediately.
- Learn to recognize phishing red flags: Spelling errors, vague requests, misleading headlines, and odd groups of people in the “To” section are all signs you may be looking at a phishing email. It’s always better to be safe than sorry with emails, so if you see anything that looks even a little suspicious be sure to check with IT before responding, downloading any attachments, or clicking on any links.
- Avoid sending confidential information over email: Phishers will often email employees and ask for sensitive information such as users’ passwords, W-2s, or corporate banking information. Sending this information over email is never a good idea. Make sure you alert IT if anyone makes these types of requests.
- Don’t post too much personal information online: Targeted phishing attacks will often use personal information they find on social media or other personal sites to make their messages more believable. There’s nothing wrong with wishing your Mom “Happy Birthday” on Facebook, but posting too much personal information on public websites can help give phishers more context to use against you. Be especially careful to avoid posting your work phone number online. Phishers may try calling and pretending to be IT staff or an admin to convince you to send them the information they requested.
- Never enable macros: Hiding malware in Microsoft Office macros is a favorite tactic of successful phishers. Many cyber criminals will layer malware into the macro code so the actual Office document looks harmless. Once you enable macros, however, the malware becomes activated and infects your computer. If you try to open a document and you’re asked to enable macros be sure to decline and notify IT.
- Give yourself a safety net by installing behavior-based endpoint security: While there are a lot of things you can do to stay safe online, no strategy, tool, or tactic is going to be 100% effective all of the time. Adding endpoint security software that is behavioral-based will help ensure that, if you do make a mistake, you’ll have protection in place that can catch and stop malware before it does any damage.
Want to learn more about how phishers target your employees and what your employees can do about it? Download Barkly’s Phishing Field Guide: How to Keep Your Users Off the Hook
About the Author
Ryan Harnedy is a member of the content team at Barkly whose passion for security dates back to his 7th grade science project on encryption techniques. When not working to make the Internet a safer place to work, play, and explore he enjoys biking, books, and BBQ. You can find Barkly on LinkedIn and Twitter.