Gone Phishing: Steps to Protect Against Attacks

Nearly everyone has been targeted by a phishing email at some point in time. Defined as the act of using messages, links and appeals to trick or defraud a computer user by posing as a legitimate company, phishing most commonly occurs when a cybercriminal pretends to be someone or something they’re not to try to steal something valuable.

The most common form of phishing occurs when hackers “spoof” an email address, creating a fake account with the domain yourcornpany.com – which, at first glance, appears to be just like yourcompany.com. Sometimes, phishers will include links to fake websites, legitimate-looking Word documents, PDF invoices or delivery notifications to try to deliver a ransomware infection. Or, through the use of specific requests, a phishing email will try to convince you to share private account details or even initiate a wire transfer.

“Spearphishing” is even more dangerous. This advanced tactic typically finds cybercriminals trying to spoof an email address that appears to originate from a real person at your own company. Through social engineering and combing the Internet for publicly available details, hackers can figure out what you do for your job – and where you fall in your company’s chain of command – to dangle specific information that can make a request seem even more real.

Other examples of phishing attempts that are commonly seen include:
  • A request from a software or hardware company’s customer service or support account asking you to log in to a system or website
  • A request supposedly arriving from your supervisor asking you to check the accuracy of an attached document
  • A shipping notification from a commonly used e-commerce site
  • A security alert from an email provider asking you to verify your account

Consider these statistics that demonstrate the overwhelming growth of these types of phishing attempts:
  • Approximately 330 billion emails are sent and received every day (source: Google)
  • More than 1 percent of those messages – 3.4 billion – are phishing emails (source: EarthWeb)
  • Between 2016 and 2021, more than $43 billion was stolen through email compromise (source: FBI)
  • Nearly 20 percent of all email users say they’ve fallen for a phishing attempt at one point (source: Google)
  • Millennials and members of Generation Z are more likely to fall for phishing emails (source: AtlasVPN)
  • Phishing causes close to 90 percent of all data breaches (source: SecureList)
  • Hackers set up nearly 1.4 million fake web pages each month (source: ZDNet)

So how can you beat these odds and protect your information, your digital identity and your company? CMIT Solutions has compiled the following recommendations:

Look for misspellings in email addresses, subject lines and body copy. Poor grammar and unfamiliar headers are telltale signs of a phishing attempt. Always click to review the details of a sender’s name, email account and domain name from which the message is sent. Also, proceed with caution if you see unusual phrasings or misspellings in the subject line, uncommon greetings (“Hello Madam” or “Good Day Sir”) in the body copy, or anything that produces an unnecessary sense of urgency. If an email from a co-worker asks you to do something right away, call, text or video chat with that person in real life to confirm the request.

Use multi-factor authentication to verify that a request to change or confirm account information is real. If you receive a link that purports to come from Gmail or Amazon, navigate directly to those apps and log in using MFA – which entails entering your password and then a unique code typically delivered via text message – to check to see whether the request is real.

Manually retype the address of any website you want to visit – don’t just click the link! If anything in an email gives you pause, the first step is to NOT CLICK ANY LINK CONTAINED WITHIN IT. It’s easy for hackers to shield the destination of a link that may look normal. For instance, it may say “amazon.com,” but it will really point to “amason.com.” Or, if you hover over the link with your mouse and the yellow box that pops up includes long strings of random characters, proceed with caution. The safest method of visiting any website is to manually type the URL you want to visit so you are in full control of where your browser takes you.
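The two tricks described above (a look-alike sender domain such as yourcornpany.com, and a link whose visible text says amazon.com while its destination is amason.com) can be checked mechanically before a user ever sees the message. The following Python check is an added example, not part of the original article or any CMIT tool; the trusted-domain list, the confusable-character table and the HTML snippet are constructed for illustration.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"yourcompany.com", "amazon.com"}  # constructed list of real sender domains
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}  # pairs that render alike
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # href, text
HOST_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)  # text that names a host

def normalize(domain):
    """Collapse look-alike sequences so yourcornpany.com compares equal to yourcompany.com."""
    d = domain.lower().strip()
    for seq, repl in CONFUSABLES.items():
        d = d.replace(seq, repl)
    return d

def edit_distance(a, b):
    """Levenshtein distance; one substitution is all that separates amason.com from amazon.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower().strip()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None

def mismatched_links(html):
    """Return (visible text, href) pairs where the text names one host but the href another."""
    bad = []
    for href, text in ANCHOR.findall(html):
        text = text.strip()
        if not HOST_LIKE.fullmatch(text):
            continue  # "Click here" style text names no host, so there is nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown != urlparse(href).hostname:
            bad.append((text, href))
    return bad

SAMPLE = (  # constructed sample body built from the article's own examples
    '<p>From: billing@yourcornpany.com</p>'
    '<a href="http://amason.com/login">amazon.com</a> '
    '<a href="https://amazon.com/orders">Click here</a>')
```

Both checks are deliberately narrow: a distance of one edit and a handful of confusable pairs catch the article's examples, while a real mail gateway would also consult registered look-alike lists and the message's authentication headers.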

Do not share private information in the body of an email. Even if you know the sender with whom you’re communicating, it’s always safer to avoid including any personally identifiable information in an email. That goes for login credentials, passwords, birthdays, phone numbers, account numbers, and even physical addresses. Be wary of any message that asks for such data – especially if it makes repeated requests.

Do not open any attachment that you aren’t expecting. Illicit attachments sent with legitimate-looking emails are one of the most common ways that hackers try to infect computers and steal data. Whether it’s a ZIP file, a PDF, an MP3, a Word document or an Excel spreadsheet, DO NOT CLICK ANYTHING you aren’t specifically expecting. Opening one attachment just one time can unleash dangerous computer viruses or install debilitating ransomware that can lock up your computer and your network within seconds.

Phishing continues to be a serious problem because humans aren’t perfect – and because the average worker writes, sends and responds to more than 100 emails per day. If we see a message that looks like it’s from a trusted colleague, it’s easy to let our guard down. If that email asks for help, we’ll often respond quickly. And if we know what a phishing attempt is, we’ll never fall for one, right?

You can make a difference by learning the obvious signs of phishing emails, while stronger email security standards can do the same for your company. Learning to take an extra second to confirm an email’s origin and intent can save you from serious cyber danger (not to mention losing a lot of money).

At the end of the day, if you have any doubts, mark any suspicious email as junk or spam and contact a trusted IT provider immediately. If you have questions about the nature of phishing emails, the rise in online scams, or the specific threats that your company faces, contact CMIT Solutions. We protect thousands of clients across North America from hundreds of cyber threats every day. 

[Chris Grumboski is the president of CMIT Solutions of Oak Park, Hinsdale and Oak Brook, Illinois, which provides IT services for business. He can be reached at 708-919-5132 or by visiting https://cmitsolutions.com/oakpark.]