Phishing is one of today’s largest cybersecurity threats. With 90% of data breaches tracing back to a phishing email, it’s crucial that members of your organization don’t fall victim.
In this article, we’ll provide a comprehensive guide on how you can stay safe from phishing attacks. We’ll break down what exactly phishing is, how it works, how it can be identified, and how you can report it.
What is Phishing?
Phishing is a cybercrime in which attackers pretend to be someone else to trick victims into providing sensitive information about themselves or their organizations. To gain victims’ trust, attackers use fake email addresses, phone numbers, social media accounts, and websites.
How Phishing Works
At its core, phishing is a psychological trick that taps into our emotions and how our brains expect to see certain words in certain contexts.
For instance, if I receive an email from email@example.com regarding an issue with my bank account, I might initially think it’s legitimate because the words bill, chase, and bank make sense together in that context. I might also experience fear about my bank account, prompting me to respond out of panic.
If I were to slow down and look at the email address more carefully, however, I would notice something crucial: it says “chaseback” instead of “chasebank.” That one misplaced letter is all I need to see to determine that the email is an illegitimate phishing scam.
How to Identify Phishing
Paying close attention to detail is the best way to recognize that an email, text, phone call, or direct message is a scam. Here’s a breakdown of how to identify phishing in each different medium.
How to Identify Email Phishing
Email phishers use fake email addresses like the one above to lure people into giving them sensitive information. Whenever you receive an email asking for personal information, consider the follow tips:
- Examine the display address for misspellings.
- Click on the display address to reveal the actual address, and examine that one as well.
- Check the email for typos or grammatical errors. Legitimate emails should not include these.
- If the information requested is sensitive to you or your organization, always check with who the sender is claiming to be to confirm that it was actually them who sent the email.
- If the email contains links, DON’T click them.
- If the email contains attachments, DON’T open them.
- Be on alert when you’re on vacation, as many phishers will target victims during this time hoping they’re more vulnerable.
How to Identify Smishing (SMS Phishing) and Vishing (Voice Phishing)
Smishers send text messages asking for information or prompting you to click links. Vishers make phone calls doing the same.
These types of phishing attacks usually emphasize urgency and ask for immediate action. For example, a text message might tell you your account is compromised and that you must reset your password immediately.
Whenever you receive a text or call like this, keep these two things in mind:
- No professional institution would ever ask for personal information via text. If you receive such a request, it’s 100% phishing.
- Voice phishing often tries to instill panic about you getting charged with fraud or other crimes. If you’re ever actually in trouble, however, it’s unlikely you’ll be alerted via a phone call. Always be patient and verify the caller before you provide any information.
How to Identify Man-In-The-Middle Phishing
Man-in-the-middle phishers intercept a conversation between two parties to trick them into thinking they’re talking with each other. They then get one party to send the “other” confidential information.
To avoid this complex form of phishing, follow these tips:
- Pay attention to context. Would your CEO really ever ask you for your SSN?
- Only visit secure websites with “HTTPS” in the subject bar.
- Don’t ever click suspicious links, as these can download malware that makes man-in-the-middle phishing possible.
How to Identify Social Media Phishing
Social media phishers create fake accounts pretending to be someone’s friend or a potential business contact. They then message victims to try to lure information out of them.
Here are some best practices for staying safe from phishers on social media:
- Adjust your privacy settings to prevent getting connected with groups or individuals without your permission.
- If you receive a message from an unknown account, don’t share information or click links.
- If a friend sends you a strange message, check with them to see if their account was compromised.
- If your account gets compromised, report it to the platform.
How to Report Phishing
Reporting phishing attacks is one of the best ways you can help make our world more secure.
Nearly all email and social media platforms have built-in features allowing you to report phishing attempts. Here’s a breakdown by platform:
How to Report Email Phishing
How to Report Social Media Phishing
How to Report SMS Phishing
Data is one of the modern world’s most valuable assets, so keeping it secure should be your first priority. Learning how to recognize and report phishing attacks is one of the best ways to stay safe.
To help remember all of this, I’ll share the simple “3 Rs rule” I hold myself and my peers to:
Read carefully, Respond mindfully & Report Phishyness.
SP6 is a niche technology firm advising organizations on how to best leverage the combination of big data analytics and automation across distinct (3) practice areas:
- Cybersecurity Operations and Cyber Risk Management (including automated security compliance and security maturity assessments)
- Fraud detection and prevention
- IT and DevOps Observability and Site Reliability
Each of these distinct domains is supported by SP6 team members with subject matter expertise in their respective disciplines. SP6 provides Professional Services as well as ongoing Co-Managed Services in each of these solution areas. We also assist organizations in their evaluation and acquisition of appropriate technology tools and solutions. SP6 operates across North America and Europe.