Cyber tip: email phishing
Protect against email phishing attacks
Email phishing is a common method of cyberattack that uses email and/or websites to solicit personal information from an individual or company by posing as a trustworthy source. These fraudulent emails are designed to get the recipient to click on an attachment or link, or take some other action, that tricks the user into providing confidential information, such as account numbers or passwords, or into installing malicious software on their computer system. They may also attempt to convince the user to send funds to the cybercriminals.
According to the 2017 Data Breach Investigations Report by Verizon, “1 in 14 users were tricked into following a link or opening an attachment – and a quarter of those went on to be duped more than once.” Educating your employees on the importance of vigilance may reduce the risk of falling victim to these types of scams that put sensitive personal and corporate information at risk.
Today’s cybercriminals have evolved to target people as much as networks. Teaching employees to recognize email phishing is one way companies can lower that risk.
Phishing emails often have unusual URLs or poor grammar and spelling, or they arrive from an unfamiliar email address while giving the illusion of coming from a legitimate source, like a bank, retailer, or service provider. They might also include an urgent warning. For example, one could say, “We suspended your account due to unusual activity! Click here to verify your personal information.” Sometimes the messages are less threatening, claiming that the recipient has won a prize or notifying them of a package delivery.
Here are some steps you and your employees can take to safeguard against phishing attacks:
- Avoid opening links or attachments in any email unless you are expecting them.
- Hover your mouse over a URL without clicking it to display the link’s actual path at the bottom of your browser window. Comparing that path with what the email claims will help you determine if the email is a phishing attempt.
- If you are still suspicious, contact the company using another communication channel, such as a phone call to a known contact or help desk.
- Always remember that your financial institution will never contact you to request your personal information, such as account numbers or passwords.
The websites listed below can give you further information:
- The U.S. Department of Homeland Security’s Computer Emergency Readiness Team offers a site with resources for small businesses, available at us-cert.gov/home-and-business
- CERT, part of the Software Engineering Institute (SEI), a federally funded research and development center operated by Carnegie Mellon University, provides a variety of tools and educational resources for managers, educators, developers, etc. Visit cert.org/information-for/ and select the appropriate category to view materials that are specifically developed for your area.
- SANS.org, a trusted leader in information security training, provides a variety of up-to-date material, including data on new and emerging threats, reports, presentations, and white papers, as well as links to other trusted sites offering additional information and services. To view these tools, go to sans.org/security-resources/
- Stop – Think – Connect: Cyber Security for Kids is a program developed by the Department of Homeland Security to educate Americans about the shared responsibility around cyber security. Visit www.dhs.gov