In today’s complex, fast-moving, technology-enabled business environment, cyber attacks are frequent and increasingly difficult to detect and prevent. After only one quarter, 2021 has had more significant breaches than the entire previous year. You can hardly read the news without coming across a story about another company facing fallout from a breach, ransomware, or some other serious cyber incident.
While attackers have several vectors by which they can gain unauthorized access to their victims’ systems, one that is increasing in popularity and effectiveness is phishing. Phishing emails are a common way attackers take advantage of, or exploit, businesses in order to gain a foothold within them. Once attackers have access to an organization’s systems, the potential damage they can cause to that organization is limited only by your imagination.
Phishing is a type of social engineering that uses carefully crafted emails (or phone scams, fraudulent social media messages, etc.) from malicious actors to mimic emails from legitimate senders, with the goal of tricking recipients into divulging sensitive information. The tactic takes advantage of psychology and our natural human tendencies to respect authority, conform to social norms, and make quick decisions based on cues that have led to successful outcomes in the past, to name only a few. By manipulating victims, phishers often succeed in obtaining valuable data such as passwords, protected health information, credit card numbers, and more.
According to Verizon’s 2021 Data Breach Investigations Report, approximately one-third of data breaches involve phishing or related social engineering tactics, and 85% involve a human element. Because changing human behavior at scale is significantly more complex and difficult than implementing technical controls to protect systems, phishing continues to be a successful attack method and persists as one of the most concerning cyber threats.
Phishing emails typically tell a story to get you to take an action: clicking a link, entering personal information, opening a communication channel with the attacker. It is important to understand what you are being asked to do and whether this behavior is expected.
There are things you can do the next time you get an email to protect yourself and your organization from being compromised. Emphasizing a few simple practices to improve your cyber hygiene will put you on the path to becoming a cybersecurity superstar!
Marketers and content creators go to great lengths to create emails directed at a target audience, with incredible attention paid to content, subject line, call to action, etc. Emails that contain poor grammar or punctuation errors are likely from inexperienced attackers. Inadvertent typos do happen, even to legitimate marketers, but multiple errors in the same message often indicate you could be looking at a phishing email.
Phishing emails are designed to elicit an emotional response in order to get you to perform an action; they are part of a larger attack methodology called social engineering. There are many ways scammers abuse our emotions in order to get us to act in ways that are not in our best interest:
When you receive an email with text links or call-to-action buttons, you can hover your mouse over a link or button to get a preview of the destination URL. The preview typically appears in the bottom left of your screen and shows you where you’ll end up if you click through from the email. Be sure that the URL contains a verified domain you trust. If it doesn’t, don’t click the link!
There are several tools that can hide or obfuscate the URL that a link is directing you to. You might have seen URLs from tinyurl.com or similar sites. These services hide the real name of the website you’re being directed to. Always place your cursor on the shortened URL to see the target location before clicking on it.
While the name of the sender might seem legitimate, it can often be misleading. Make sure to validate that the sender is actually someone you have received valid email from in the past or from whom you expect to receive email. Again, check the domain of the sender’s email address to make sure it’s a person or organization you trust.
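The three manual checks above (preview a link's real destination, treat shortened URLs with suspicion, and compare the sender's address domain with who you expect mail from) can also be automated as a first-pass triage step. The script below is an added example, not code from the post or from Trava, and it assumes a small allowlist of trusted domains (`TRUSTED_DOMAINS`) and a list of well-known shortener domains (`SHORTENERS`); the two sample messages are constructed for illustration. It also covers a case the post only implies: hovering over a shortened link shows only the shortener's address, never the final destination, so the script flags shorteners outright rather than trying to expand them.

```python
"""First-pass phishing triage: inspect link destinations, shortener use, and
the sender's address domain in a raw email. Added example; all names below
are illustrative assumptions, not values from the original post."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organisation already trusts and expects mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example-vendor.com"}
# Assumption: common URL shorteners whose hover preview hides the real target.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}
# Link text that itself looks like a URL (captures the host part).
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com-style hosts; a real tool
    would consult the public suffix list to handle e.g. .co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host: str) -> bool:
    return registered_domain(host) in TRUSTED_DOMAINS


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what a hover preview shows."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Apply the 'hover before you click' checks to one link."""
    findings = []
    host = urlparse(href).hostname or ""
    if registered_domain(host) in SHORTENERS:
        findings.append(f"shortened URL hides its destination: {href}")
    if not is_trusted(host):
        findings.append(f"link points at untrusted domain {host}: {href}")
    shown = URL_LIKE.match(text)  # text that looks like a URL but goes elsewhere
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


def check_sender(from_header: str) -> list:
    """Compare the display name and the actual address domain of the sender."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    if not is_trusted(domain):
        findings.append(f"sender domain {domain} is not in the trusted list")
    for trusted in TRUSTED_DOMAINS:  # brand name in display name, address elsewhere
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in name.lower() and registered_domain(domain) != trusted:
            findings.append(f"display name '{name}' mimics {trusted} but address is @{domain}")
    return findings


def analyze(raw_email: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            collector = LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                findings.extend(check_link(href, text))
    return findings


# Constructed sample messages (not real mail): one lookalike lure, one benign notice.
SAMPLE_PHISH = """From: "Example Bank Support" <alerts@examp1e-bank-login.net>
To: you@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked. <a href="https://tinyurl.com/abcd1234">Verify now</a></p>
<p>Or visit <a href="http://example-bank.com.secure-verify.net/login">https://example-bank.com/login</a></p>
<p>Help: <a href="https://example-bank.com/help">Help center</a></p>
</body></html>
"""

SAMPLE_BENIGN = """From: "Example Bank" <alerts@example-bank.com>
To: you@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://example-bank.com/help">Help</a></p></body></html>
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE_PHISH):
        print("FINDING:", line)
    print("benign findings:", analyze(SAMPLE_BENIGN))
```

On the constructed lure the script reports six findings: the sender's domain is untrusted and its display name borrows a trusted brand; the first link is a shortener (and therefore also untrusted); the second link's visible text names the bank while the href resolves to a different registered domain. The benign message produces no findings. Treat the output as triage input for the "talk to your coworkers" step, not as a verdict: an allowlist cannot know every legitimate sender, and the naive domain logic will misjudge multi-label public suffixes.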
When you’re busy, sharing minor observations about strange or unexpected emails may not be top of mind or might seem like a nuisance. But if you or your organization is targeted by a phishing campaign, talking to your coworkers might be the thing that saves you and your colleagues from a bad outcome. In this case, the old adage is true: better safe than sorry. Validate the authenticity of emails by communicating with your team about any suspicious messages, BEFORE you click on any links.
When you receive an email (whether you identify it as a phishing attempt or not) from a vendor or service provider, instead of clicking links in the email, you can use your browser to navigate directly to the vendor’s website. This does two things: (1) It allows you to provide requested information directly on a trusted site; and (2) it subsequently validates the email.
It is important to include security awareness training with phishing simulations as part of any strong cyber protection program. In addition to being a best practice required by many popular security frameworks, phishing simulations accomplish a few things:
Phishing attacks are on the rise and getting more sophisticated every day. If your company is ready to add safeguards against this common form of cyber threat, Trava can help you assess your overall cyber risk and implement phishing simulations to help bolster your risk management strategy.