Phishing: simply put, it’s an attempt by a cyber criminal to disguise their email as a trustworthy source so that their victim will either download an attached malicious file, or provide them with sensitive information. It’s a big threat, costing victims millions of dollars per year in stolen and ransomed funds.
A real-world example is a recent attempt by a “phisher” to obtain sensitive payment information from one of our clients:
The “phisher” discovered the name and email address of our client’s president, then created a lookalike email address (adding an additional “r” to the address — hoping no one would notice). The “phisher” then composed an email from the fake address and addressed it to one of the company’s bookkeepers (again, taken from the website), urgently requesting payment information.
Luckily for our client, the bookkeeper had a keen eye and noticed the extra “r” in the email address before replying. She immediately forwarded the email to the president for confirmation – who confirmed he did NOT send the email, and immediately advised the entire organization to be on the lookout for similar emails.
A sharp eye kept the client out of what would likely have been a great deal of financial trouble for them, had the bookkeeper not been so observant. Both phishing emails and ransomware emails account for billions of annual business dollars lost. Ransomware files, as well, are often transmitted through phishing emails. Once an unsuspecting employee downloads and executes a ransomware file, their data and network become locked-up tight, and the victims must pay an enormous ransom to receive the release codes which re-grant them access to their system.
Just this year, the Hollywood Presbyterian Medical Center had to pay $17,000 just to unlock their files and return to work, as the ransomware was costing them over $100,000 DAILY since they could not perform any CT scans. Fortunately, there are ways to avoid giving out personal and financial information to the malicious criminals behind these emails.
Here are ten things to consider when taking proactive measures to protect you and your organizations:
Even if you recognize the name of the sender, make sure you check the actual email address to ensure that the email is actually coming from the trusted source.
Instead of clicking on a link in the email, hover your mouse over it to view the alternate text. If the alt text looks out of character or doesn’t match the link – report it immediately.
If you notice misspellings from a sender whom should take pride in their grammar, it may be a phishing email. Criminals tend to put correct grammar on the backburner.
A general or vague greeting, such as “Dear Valued client,” typically points to a phishing attempt. Be wary of emails that aren’t individually personalized to you.
An email which requests or requires you to respond with your personal information is a dead giveaway for a malicious phishing email. Report any requests for private information.
Emails with a “trade-off,” such as “Send us your account information for your inheritance,” or “Claim your $500 Amazon gift card,” are another prime example of phishing emails.
Does the email have a full signature block? No? Report it! Most legitimate companies include a full name at the bottom of their emails.
Pay attention to the attachments, if any. Long names, or an exciting title to a word or excel document, should be a mental flag for a phishing email.
Even if something is slightly off-the-norm, beware. If you see something that is out of place, it’s a good idea to report the email.
If you notice any of the things above, whether it be one or two or all of them together, it’s better to be safe than sorry, and report the email to your security operations center. If it turns out to be a legitimate email, no problem – at least you put your company’s security first.
It’s inevitable that you will experience phishing emails at least once in your career. Intivix can contribute to reducing the possibility of falling victim to phishing attacks by making sure you have a multi-layered security defense system in place, and properly educating your staff on what to look for when opening emails. We’ll also make sure your hardware is up-to-date with current patches, in order to reduce your company’s overall risk of infection.
Our new security awareness end user training system, with formalized video training, quizzes, reporting, policy documentation, and risk assessment measures will ensure your users have the most current security knowledge and reduce the risk of getting ensnared by a phishing attempt.
With help from Intivix, your business can greatly reduce your risk of having your information stolen, while enhancing the security of your organization. Give us a call today.