Phishing attacks are on the rise and ensnaring ever more victims. In fact, 76% of businesses have reported being a victim of a phishing attack in the last year and the number of such instances has grown by 65% in that year.
The statistics for phishing attacks are so significant that protecting yourself against them is one of the best ways to secure yourself in cyberspace. Phishing attacks account for a full 90% of all data breaches, a fact that doesn’t diminish the seriousness of other threats but does make it crucial that you know how to spot and react to a phishing attack.
The price of falling victim to a phishing attack is also high, averaging $3.86m. Knowing these facts, how do you go about defending yourself against this threat? The first step is understanding how a phishing attack works.
But what’s in it for the attackers? After all, most people are at least somewhat intuitive and mindful, so it takes a fair amount of work to fool someone into interacting with a harmful email.
Attackers can collect valuable data on individuals or entire organizations, enjoy access to systems and networks for future assaults like ransomware attacks, or directly harm computer infrastructure if that is their goal. In any case, the organization bears the cost.
Do’s and don’ts to help prevent phishing attacks
Understanding the process an attacker goes through in targeting your organization can help you understand how best to combat them. Luckily, there are some steps you can take and certain habits you can get into that will drastically decrease the likelihood of falling victim to this kind of attack. For example:
Do:
• Notice spelling and grammar - some attackers just aren’t very careful, and others come from different countries. Are there silly errors in an email? Are they reasonable to expect from the alleged sender? You can also see this in formatting, like odd spacing.
• Check links - don’t just click on a link, no matter what it looks like. Hover over each one to check the underlying URL: the address a link actually points to can differ from the text it displays, and that embedded URL would lead you somewhere you don’t want to go.
• Pick up the phone - rather than automatically trusting what's in an email, think of an email as initial contact, and then pick up the phone to verify and confirm its content. If the email is from a stranger, don't trust whatever contact info is included in the email. Try to find a way to reach the person somewhere else online.
• Alert the guards - your IT staff are there for a reason. If you suspect you may be on the receiving end of a phishing email, let them know and ask them how to proceed. If they are informed in time, they may be able to block malicious links and mitigate the damage.
• Use common sense - especially if an email is from someone you know and have worked with for a while, it’s easy to assume it will be ordinary. It’s trickier with strangers, but even then, trust your suspicions. We’re inevitably used to a certain norm and etiquette with emails. Take note if something steps outside these boundaries.
Don't:
• Blindly trust the sender - phishing emails can impersonate anyone, like your boss or even your mother.
• Reply too quickly - it's easy to get caught up in being quick and efficient at work, leading you to send off email replies in an instant. But merely responding can give attackers exactly what they're looking for, since some only want to confirm that an email address within an organization is valid and monitored.
• Open attachments - everything from Word documents to simple PDFs could be dangerous, so don't open anything you weren't expecting to receive.
• Give out personal information - any request to do so via email should be considered suspicious and reported.
• Be shy - these attacks can be hard to spot, so don't be embarrassed if you fall for it. The worst thing you can do is not report it or try to fix things yourself assuming that you'll be in trouble. Stuff happens. And when it comes to security, being shy is a luxury no one can afford.
A lot of work goes into making phishing attacks successful and it can be quite difficult to spot a sophisticated, well-informed attack. A really precise attacker could even send you emails that seem to be from family members and co-workers. If you want to save your organization time, money and heartbreak, it’s always best to establish protocols that have you constantly, automatically and intuitively on guard.
- Shay Mozes is the head of the PT Department at GRSee Consulting, which helps companies find a better way to achieve PCI compliance.