Phishing is a type of cyberattack that isn't stopped by firewalls or antivirus. It sneaks into your inbox and preys on your sense of fear or familiarity to trick you into doing something that results in the "phisher's" monetary gain. If you can recognize a phishing attempt, you can protect yourself from getting hooked.
What is phishing?
Phishing (pronounced "fishing") is a technique cybercriminals use to lure a person into taking an action that results in monetary gain for the criminal. Delivered by email or through a social media channel, the message contains details that lead you to believe it is legitimate. It might look like it came from a familiar organization such as your bank or a vendor you routinely use. Often the message creates a sense of urgency to make you respond quickly, telling you that your account may have been compromised or that you need to download an important update. A popular phishing tactic has been to mimic corporate officers.
What happens if you take the bait?
Phishing attacks have different immediate goals, but the end is always monetary gain. Some schemes entice you to click a link that takes you to a fake web page where the criminals capture your login details for your bank, email or another online account. The web page could also download malicious software to your computer that records your keystrokes and spies on your online activity. Capturing the credentials for just one account can mean access to many accounts if the victim reuses the same user name and password across personal and business accounts.
In the case of the mimicked corporate officer, the criminal preys on an employee's deference to authority to get them to comply with an order to transfer a large sum of money to a different account. Other scammers pose as potential customers wanting to purchase your products, except that they want special terms: they will pay you for the shipping and in turn ask you to pay the freight forwarder, only you never receive their payment.
How do they know where to phish?
Some targeting is done to put a believable message in front of you. Sometimes the criminal knows nothing about you but broadcasts the phish posing as an organization that is common or familiar to many people. Other times, the criminal has done some homework on your business, as in the purchase scam, and knows the types of products you sell. Social media is a rich library of intelligence where cybercriminals can gather information about you, from your place of employment to where you went out to eat last night. Used in a phish, these details can either frighten you or lull you with their familiarity. The case of the mimicked corporate officer is called "spear phishing," and the criminal had to gather details about employees and their relationships in order to pull off the plan.
How do you avoid the hook?
If a phishing message gets through to your inbox, do a little homework and use common sense to avoid becoming a victim. Look closely at the message and ask whether it really makes sense. Are there inconsistencies? Are there grammatical and spelling errors? When you hover over a link, what URL do you see? Is it really Fedex or is it Feedex? Would your bank or the IRS really contact you by email? Make a phone call to get verbal confirmation that the person in the "from" line really did send you the message. Get another set of eyes on the message and ask someone for a second opinion. If you have started emailing or talking with the criminal before you realize what's up, stop the communication immediately. Check the Federal Trade Commission website for guidelines on how to report a phishing attack or attempt.
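As an added example (not part of the original article), the hover-over-the-link check above done mechanically in Python: it extracts the domain from a URL, compares it against a short constructed list of trusted domains, flags one-or-two-character typo lookalikes such as feedex.com, and also flags a trusted name buried in a subdomain of some other domain. The trusted list and the distance threshold are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed list of domains the reader expects to see in a legitimate link.
TRUSTED_DOMAINS = {"fedex.com", "irs.gov", "examplebank.com"}


def registrable_domain(url: str) -> str:
    """Return the last two host labels, e.g. 'login.feedex.com' -> 'feedex.com'.
    Simplified: multi-part public suffixes such as co.uk are not handled."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify a hovered link as ('trusted' | 'lookalike' | 'unknown', domain)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    dom = registrable_domain(url)
    if dom in trusted:
        return "trusted", dom
    # A trusted name used as a subdomain of something else, e.g. fedex.com.evil.example
    for t in trusted:
        if dom != t and ("." + t + ".") in ("." + host + "."):
            return "lookalike", t
    # A typo-squatted name, e.g. feedex.com for fedex.com (threshold is an assumption)
    for t in trusted:
        if edit_distance(dom, t) <= max_distance:
            return "lookalike", t
    return "unknown", dom


if __name__ == "__main__":
    for link in ("https://www.fedex.com/track", "http://www.feedex.com/track",
                 "https://fedex.com.secure-login.example/", "https://www.google.com/"):
        print(link, "->", check_link(link))
```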
The best approach to mitigating the risk of cybersecurity threats is multilayered and includes technical tactics, awareness and planning. Security is one of the seven facts of Information Technology that Thriveon addresses with our proven process. The repercussions of cybercrime threats such as phishing are serious. Learn more about how to protect your business with our e-book, Cybersecurity Guidelines for Secure Behavior Online and in the Office.