Oh no, you’re thinking. Not ANOTHER warning about phishing.
Yep, another article on phishing. We as a security team talk about it a lot and while you may be getting tired of hearing not to click that link, one of the easiest and most effective ways for a hacker to gain access to a company’s resources is through social engineering.
One of their favorite attacks is, you guessed it, phishing. So it’s very important we keep security in mind at all times. You hear not to click the link or enter personal information, credentials or credit card information, but let’s talk a little more about what might happen if you DO inadvertently give up information or click that suspicious link.
According to Verizon’s 2018 Data Breach Investigations Report, 98% of social incidents are from phishing attempts with email as the most common vector. Out of 1,192 incidents involving phishing, 236 had confirmed data breaches. You’re human and the attackers are crafty. Let’s say you clicked a link and entered your credentials because the website looked SO much like the Office 365 login page. Or you clicked a link and in the background a piece of malware installed on your computer. It includes a keylogger with remote access so it captures everything you type, sends it to the attacker and allows them access into your machine. What happens now? The attacker could take your credentials and get into your account or access your computer directly with that malware. They start sending phishing emails out to other people using your identity and keep the sent mail folder free of any evidence. You don’t know any of this is going on (because bad guys are sneaky) until you start getting emails and phone calls from vendors, contacts at other companies and co-workers asking if that email with the invoice (or any number of scams) is legitimate. At this point you might feel panicked, violated, and ashamed. People make mistakes. Keep calm and report it to your tech team.
They will kick off an investigation and assist you in next steps. Along with compromising your email, if the attackers installed malware, they may have also been able to pivot to other devices on the network. If they were lucky enough to get an administrator account’s credentials they can do some major damage that could go beyond a compromised email account to a full-on data breach. This is why it’s so important to report phishing and interaction with those emails ASAP. You can’t stop 100% of phishing emails from getting into your inbox, but you can prevent 100% of phishing attacks from your inbox by being suspicious and looking for clues.
Let’s quickly review signs that an email is phishy:
- Some of the most successful attacks are disguised as something you might be expecting. Make sure to really check out the emails carefully. Did HR really send that attached file? Did you actually make a purchase with Amazon or use DHL to ship a package?
- Check the FROM address. Not the name, but the actual email address. It might say it’s from Involta CEO Bruce Lehrman, but unless it’s from a true Involta.com address, it’s not legitimate. Many of these email addresses are random usernames with hijacked or disposable domains. email@example.com is not going to be from your CEO. Be sure to double check spelling as well. invollta.com might look correct at a glance.
- Bad grammar and spelling. Crooks are getting better about this but still in many cases you can tell something doesn’t sound right when they use awkward grammar and odd spellings.
- Urgent Action is Required or Your Account Will Be Closed! We have webcam video of you watching adult videos, give us money in 24 hours or we’ll release the video to the world. Don’t let the sense of urgency cloud your good judgment. Take a minute and really look at what’s being threatened. Verify accounts by logging into their websites directly (not through email links).
- Asking for personal information. Don’t, just don’t. No respectable organization is going to ask for your account number or passwords via an unsolicited email.
- Government agency spoofing. These appear to be sent from the IRS, FBI or any other legitimate government organization that might scare you. In the United States, most government agencies don’t normally use email as an initial point of contact.
- Trust your gut. Doesn’t look right? Doesn’t feel right? Have it checked out, don’t risk it. The bad guys are going to do what they do, there’s no way to stop them from trying. But we can stop them from succeeding. If in doubt, have your security team check it out.