We close this year’s Cybersecurity Awareness program with a look at the danger presented by phishing.
What is Phishing?
“The fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.” – Oxford Dictionary.
Think Before You Click: Recognize and Report Phishing. If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
Successful phishing and email-generated ransomware attacks are disruptive, damaging, and can be costly. These attacks rely on human error; for them to succeed, someone needs to take the bait. Cybercriminals deploy social engineering techniques to manipulate our natural emotions to get us to act.
Cybercriminals are constantly attacking, and it can sometimes feel overwhelming to try to stay safe. Their tactic only needs to work once.
But taking some small steps can easily lower your risk of attack. Here are three simple tips you can use to identify and avoid malicious emails:
#1 Stop Skimming and Start Studying
We all receive a great number of emails each day. It’s easy to skim them, make quick decisions, and take unnecessary risks. Take your time and look for clues both on the surface and just below the surface of the message that can alert you to things that aren’t right.
• “From” addresses, URLs, and embedded links can appear as things they aren’t. Do not take these items at face value (even if a name, logo, or other identifiers seem familiar and safe). On your desktop/laptop, hover over (“mouse over”) these areas and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long press” or “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is presented, steer clear.
• The content or topic of a message might not be quite right or not fully relevant to you. Be on alert if the tone of an email from a colleague, friend, or relative seems inappropriate or doesn’t “sound like” them. Likewise, be sure to question the receipt of an invoice or shipping notification that doesn’t make sense based on your ordering history. Thoroughly read what is written; don’t just skim past details.
• Misspellings and poor grammar can be indicators that the email did not originate from a trusted source. This is particularly true with messages that appear to be from a well-known, well-established individual or organization.
• In general, any unsolicited email (that is, any email you were not explicitly expecting to receive) should be looked at carefully. Be particularly wary of any email that seems designed to trigger an emotional response (fear, surprise, excitement, concern) and that urges you to respond or act in some way (click a link, download a file, confirm/change a password, etc.).
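One way to automate the “mouse over” checks described above, as an added example that is not part of the original post: the Python script below parses a constructed sample message (all addresses and domains are hypothetical) and flags a “From” display name whose domain differs from the real sender address, plus any link whose visible text is a web address but whose href points at a different host.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message for this demo; all addresses and domains are hypothetical.
SAMPLE_EMAIL = """\
From: "support@citynet.example" <alerts@mail-update-center.example>
Subject: Action required: confirm your password
Content-Type: text/html; charset=utf-8

<p>Visit <a href="http://login.mail-update-center.example/reset">https://www.citynet.example/account</a> now.</p>
<p>Questions? See <a href="https://www.citynet.example/help">our help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, i.e. what a mouse-over reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased hostname of a URL; bare 'www.host/path' text is treated as a URL too."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def find_mismatches(raw_message):
    """Return warnings where the shown sender or link text differs from the real one."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    display, addr = parseaddr(msg["From"])
    # A display name that itself looks like an address but sits on a different domain.
    if "@" in display and display.rpartition("@")[2].lower() != addr.rpartition("@")[2].lower():
        warnings.append(f"sender shown as '{display}' but mail is from {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        # Only compare when the visible link text itself looks like a web address.
        if "." in text and " " not in text and host_of(text) != host_of(href):
            warnings.append(f"link text '{text}' really points to {host_of(href)}")
    return warnings
```

Running `find_mismatches(SAMPLE_EMAIL)` on the constructed message returns two warnings: one for the sender and one for the first link; the plain-text “our help page” link is not compared because its text is not a web address.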
#2 Think It Through
After you read an email, take a moment to review it. Give yourself the time to act thoughtfully rather than just reacting in the moment. To help get yourself out of the habit of skimming and reacting, ask yourself a few quick questions about any email that requests a response or action that could compromise sensitive data, devices, or systems.
• Was I expecting this message? – If the answer is “no,” ask more questions.
• Does this email make sense? – If the tone doesn’t seem right or the information you’re being provided doesn’t make sense, it could be a phish.
• Am I being pushed to act hastily or out of fear? – If you are, this is a major red flag.
• Does this seem too good to be true? – If you can’t believe what you’re reading, you’re likely reading a phish.
• What if this is a phishing email? – This is a great question to ask yourself because it can help you realize what could happen if you’re dealing with a phishing attack. Could you be downloading malware that would corrupt all your files? Could you be turning over a password or credit card number to a criminal? Could you be exposing your coworkers’ private information to a scammer?
#3 Verify, Verify, Verify
With phishing scams, things are never what they seem. Messages can look legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that truly be the process your IT department would follow? If reading about it doesn’t give you 100% confidence, take extra steps to verify that you are dealing with a legitimate request before you click a link, download a file, or reply with sensitive data. Here are some easy ways to confirm that the information presented in an email is legitimate:
• Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.
• Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you can confirm.
• If you’ve received a questionable message from a colleague or friend, contact them via another channel (like a phone call or text message) to ensure they sent it.
• Reach out to your IT team for advice (and to alert them that there is a potential phishing threat on your organization’s network). It takes just a minute to confirm a questionable message, whether from a coworker, internal department, financial institution, or another source. In contrast, it can take days or weeks (or even longer) to remedy the consequences of interacting with a phishing or ransomware email. And sometimes you can’t ever remedy the consequences.