You open your inbox and find what looks like a normal message. Maybe it’s a colleague who wants to share a document. Maybe it’s your IT administrator asking you to update your password. The email contains a link to a site that asks for your company login credentials. It looks a little different than your usual login site, but you start to type your username anyway…
Your alarm bells go off as you realize: you almost got phished.
When it comes to phishing and other email scams, our instincts don’t always kick in at the right time. Cybercriminals are getting more sophisticated, making once-obvious phishing attempts tougher to spot. The U.S. Federal Bureau of Investigation’s most recent Internet Crime Report showed that there were 26,379 victims of phishing (or vishing, smishing, and pharming) in 2018 alone. Attackers used sophisticated techniques to fool thousands of people into handing over personal details, financial information, or login credentials, resulting in $48,241,748 in losses for the year.
Here’s how to protect yourself and your organization from the next generation of phishing:
1. Beware of the “smart phish”
Gone are the days of obvious scams with misspelled subject lines and promises of getting rich (although you’ll still get those, too). Next-generation phishers are taking the time to research their targets—monitoring company news, identifying employees, and gathering information that will help them craft convincing, custom phishing campaigns. Criminals may pose as a company administrator or business partner and make requests like the ones you receive every day (think: updating your password or issuing a security alert). When in doubt, contact your company or business partner’s support line to find out if the email is legitimate.
2. Don’t rely on your email’s spam filter
No matter how smart your email service is, it’s likely that phishers are one step ahead. They’re figuring out how to bypass content filters by posing as reputable senders, sending multiple emails, and even swapping out alphanumeric characters (think: the number one instead of the letter “l”). In the new age of phishing, it’s important to augment smart technology with smart email habits.
3. Hover over all links—suspicious or not
You probably know that clicking on an unrecognized link is a bad idea. But next-generation phishing emails often include links that look perfectly legitimate, making them harder to spot. Hover over all links before clicking, even if the rest of the email looks trustworthy. If the URL address is different than what’s displayed in the email, or if the URL structure looks different than what you would expect, don’t click it. Often phishers will include a legitimate business name within a malicious link, so be sure to look at the entire link (think: www.abacusnext.com vs. gonephishing.fakesite/abacusnext).
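The hover check described here, together with the character-swapping trick from point 2, can be turned into a small defender-side helper. This is an added example, not code from the original post: abacusnext.com is the legitimate domain named above, while the other hostnames are constructed lookalikes.

```python
from urllib.parse import urlparse

# Legitimate domain named in the post; the lookalike targets in the tests are constructed.
TRUSTED_DOMAINS = {"abacusnext.com"}

# Characters commonly swapped for look-alike letters (digit 1 for letter l, 0 for o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'login.abacusnext.com' -> 'abacusnext.com'.
    Simplified: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(displayed_text, href):
    """Return the reasons a link looks like a phish (empty list if none).

    displayed_text is what the reader sees in the email; href is the real
    target that hovering would reveal. Links to trusted domains pass as-is.
    """
    target = urlparse(href)
    host = target.hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    # 1. The displayed URL shows a trusted site but the actual target differs.
    shown = displayed_text if "://" in displayed_text else "http://" + displayed_text
    shown_host = urlparse(shown).hostname or ""
    if registrable_domain(shown_host) in TRUSTED_DOMAINS:
        reasons.append(f"shows {shown_host} but links to {host}")
    # 2. 'user@host' syntax puts a trusted-looking name in front of the real host.
    if "@" in target.netloc:
        reasons.append(f"text before '@' hides the real host {host}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 3. Trusted brand name buried in the subdomain or path of another domain.
        if brand in host or brand in target.path.lower():
            reasons.append(f"'{brand}' appears under untrusted domain {domain}")
        # 4. Domain that equals the trusted one once look-alike digits are undone.
        if domain.translate(HOMOGLYPHS) == trusted:
            reasons.append(f"{domain} is a look-alike of {trusted}")
    return reasons
```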
4. Don’t give in to fear
Phishing attempts use fear tactics to trick you into clicking links, downloading malicious attachments, or handing over personal information. They’ll use subject lines like “Problem with your account,” or “Update your password immediately” to scare you into taking quick action. Don’t fall for it. Most banks and large institutions have policies against collecting personal information via email. Again, call your bank, partner, or company tech support line when in doubt.
5. Educate yourself and your staff
Phishing scams are constantly evolving, so it’s important to keep yourself and your staff up to date on the latest threats. Schedule regular security training sessions and send educational emails reminding employees how to spot phishing attempts. You can even plan a faux phishing campaign to educate employees on email security best practices.
As IRS Commissioner Chuck Rettig said in a recent press statement, “You are only as safe as your least educated employee.”
To recap: don’t rely on instinct alone to protect you and your organization from phishing attacks. With a little vigilance and education, you can avoid taking the bait.