Phishing is a cybercrime that occurs when you receive an email, phone call or text message from someone posing as a legitimate person or organization to lure you into giving out sensitive information such as banking and credit card details or sensitive passwords. Once they receive your personal data, they use the information to gain access to important accounts and the result can be identity theft and/or financial loss.
How to Recognize Phishing
Scammers launch thousands of phishing attacks every day on unsuspecting individuals and businesses alike. Unfortunately, they’re often successful. Tactics may change over time, but there are some general guidelines to follow that will help you recognize a phishing email or text message.
- Phishing emails and text messages generally look as if they are from a company you know or trust, like your bank, credit card company, an online payment site such as PayPal, or an online store. Be immediately suspicious if you receive such an email saying:
  - There has been suspicious activity or log-in attempts on your account
  - There is a problem with your account or payment information
  - You must confirm sensitive, personal information
  - You need to click on a link to make a payment
  - You can receive something for “free” if you click on a link
- Legitimate businesses will not ask you for sensitive information via email, as it is not considered a safe method for communicating this type of information. If you receive such an email, you should delete or ignore it.
- If an email promises you something too good to be true, it probably is. Attractive offers are meant to distract you from inconsistencies or other details in the message that raise red flags. If you receive an email from anyone offering a large sum of money, a vacation, a new car, or some other extravagant prize, verify the sender or ignore the email altogether.
- If you receive an email that demands you act quickly or suffer negative consequences, don’t let your emotions take over. Take time to read and truly understand the message. A legitimate business or government agency will not send an email threatening negative consequences if you do not act quickly or comply with the message’s instructions.
Ways to Protect Your Business from Phishing
A recent report published by Verizon states that 90% of all corporate data breaches can be traced back to a phishing attempt. A successful phishing scheme now costs a medium-sized business an average of $1.6 million, making it imperative that business owners and employees know how to recognize a scam. Phishing scammers constantly change their tactics, which makes recognizing a scam more difficult, and when a scam is sophisticated it is easy for business owners and their employees to fall for it. The strongest line of defense for a business is to educate all of its employees. However, if the proper tools and safeguards are in place, most phishing attacks will be thwarted before the email ever reaches someone’s inbox.
- Use email filters: No email filter will guarantee that you never receive a malicious email; however, it does help and can be easily implemented. Not all email providers provide the same level of spam and junk filtering, so do some research to find out what is most effective.
- Utilize security software: Antivirus and firewall programs can be quite effective at protecting your business from phishing attacks. You can go one step further and use a web filter to prevent your employees from gaining access to possibly malicious websites.
- Regularly update all of your software: You can minimize your exposure to phishing scams by ensuring that your company’s software stays current with the latest security patches and updates. Schedule regular software updates like any other project and make it a point to monitor the status of all software and equipment. The Federal Trade Commission recommends keeping the following updated:
  - Security software
  - Operating system software
  - Internet browsers and apps
- Obtain a virtual private network (VPN): VPN software encrypts your connection while online and is especially critical if you or your employees ever use public WiFi connections to access sensitive information. If you have employees who work remotely, require encryption and have them connect to your server over the VPN, which also lets you block access to suspicious sites.
- Require two-step verification: Most banks and other finance-related websites offer two-step verification as an extra layer of security. When you sign in to the account, a verification code is sent to you by text or email, and you must enter it in order to log in.
- Establish a corporate password policy: A corporate-wide password policy covering expiration and allowable passwords will safeguard access to important sites. Requiring a minimum password length along with numbers, letters, and special characters will make passwords more difficult to guess or crack.
Ways Your Employees Can Avoid Phishing Attacks
If you educate your employees on what to look for and how to respond, they are much less likely to become a victim of a phishing scam. Make sure they know who to contact if they are ever unsure about a suspicious email. Include training on company security measures in new employee orientations. Then, keep employees updated regarding any changes to your security policies and procedures. Employees can follow some basic guidelines that will further help to prevent phishing attacks:
- Be cautious with emails from unknown senders: Spam filters help weed out suspicious messages, but not 100% of the time. If an email’s content looks suspicious (even if it appears to come from someone they usually trust), forward the message back to the person and ask for confirmation rather than replying to it directly. If time is critical, call the sender to confirm the message.
- Be on the lookout for spoofing emails: Email spoofing is a form of cyberattack in which an attacker sends an email that has been manipulated to seem as if it originated from a trusted source. Often only a single letter of a familiar address is changed: if John Smith is someone you talk to regularly, you may not notice that the “m” in “Smith” was changed to an “n.” Some phishers also use actual company logos in their emails to make them look like the real thing.
- Never provide personal information over email: If anyone requests personal or confidential information via email, even someone you trust, verify the request directly with the sender. Legitimate people and organizations do not ask for sensitive information via email. If you can confirm the request by phone, text, or a separate email that you initiate, you have a better chance of avoiding danger.
- Do not indiscriminately click on links in emails: If an email or link looks suspicious, open a new browser window and type the URL into the address bar yourself rather than clicking. You can also detect dangerous links by hovering your cursor over the sender’s address or the link to reveal the real destination. If the link is malicious, that destination will probably not match the sender or the link’s description.
- Be on the alert for emails with threats or requests with urgent deadlines: When an email creates a sense of danger or urgency (such as the threat of a late fee or account closure), people are more likely to make snap decisions. If you are unsure, it is best to contact the person in question by phone or through their official website.
- Pay close attention to the content of emails: Phishing scammers often run schemes from other countries, and not all are sophisticated. When you receive an email that has a lot of spelling and grammar errors, or content or images that don’t look quite “right,” this should raise a red flag.
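As an added, defender-side illustration of two of the checks above (the one-letter lookalike sender described in the spoofing item, and the hover-to-compare advice in the links item), the following Python is example code written for this page, not part of the original article. The trusted-contact list, the sample message body, and every address and domain in them are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample data (assumed, not from the article): trusted contacts, and a
# message body whose visible link text names one bank while the href goes elsewhere.
KNOWN_SENDERS = {"john.smith@example.com", "billing@example.com"}
SAMPLE_HTML = '<p>Verify now: <a href="http://login.exarnple-bank.com/">https://www.example-bank.com</a></p>'

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single swapped letter ("m" -> "n") scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_sender(sender: str, known=KNOWN_SENDERS, max_dist: int = 2):
    """Trusted address that `sender` nearly (but not exactly) matches, else None."""
    sender = sender.lower().strip()
    if sender in known:
        return None
    return next((k for k in known if edit_distance(sender, k) <= max_dist), None)

class _Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str):
    """Links whose visible text is a URL/domain but whose real target (what hovering reveals) differs."""
    parser = _Links()
    parser.feed(html)
    flagged = []
    for href, text in parser.pairs:
        shown = re.fullmatch(r"(?:https?://)?(?:www\.)?([\w.-]+\.[a-z]{2,})/?", text.lower())
        real = (urlparse(href).hostname or "").lower()  # the true destination host
        if shown and real and real != shown.group(1) and not real.endswith("." + shown.group(1)):
            flagged.append((text, real))
    return flagged
```

Links whose visible text is plain wording ("Click here") are not judged here, because the hover check only applies when the text itself claims a destination.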
The Bottom Line on Phishing and Other Cyber Attacks
A phishing incident or any other cyber scam could be devastating to your financial resources, not to mention the cost of losing your customers if their personal information has been compromised. Cyber criminals aren’t just after your business’s sensitive data; they’re also after the data you maintain for customers and their business transactions. Ultimately, the greatest cost of a successful phishing scheme to a business may not be stolen funds — it could be the damage to your business’s reputation. That’s why it’s more important than ever for businesses to establish guidelines and train employees on business security measures. At Stellar Bank, we want to help you minimize vulnerabilities, keep your operations running smoothly and maintain the trust your customers have in your business.