Cybersecurity: Phishing Attacks
While phishing is nothing new, it remains one of the leading vectors for cyber-attacks. A phishing attack is when a bad actor poses as a trustworthy source to incite the victim to click on a malicious link or provide personal information. The bad actor will then use the personal information to access the victim’s accounts. Phishing can occur via email, voice communication (vishing), and text messages (smishing).
Defense against Phishing
The best defense against phishing attacks is a healthy dose of skepticism by the potential victim. If anything at all appears unusual about an email, you should forward the message to your IT department and delete it. Any message including a hyperlink should be scrutinized particularly closely. It is also a good idea to verify a message’s authenticity by communicating with the sender via another method of communication. For example, if you receive a suspicious message from one of your customers, we recommend that you call the customer to confirm they sent the message.
Signs of Phishing
Phishing is dependent on the bad actor appearing legitimate, but there are telltale signs of a potential phishing attempt. Generic greetings such as “Sir/Ma’am” are often used in phishing attacks. Additionally, phishing emails will try to create a sense of urgency, with the goal of having the victim act rather than think critically.
Per the Cybersecurity & Infrastructure Security Agency (CISA), here are examples of actual language used in phishing attacks:
- “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below, and confirm your identity.”
- “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
How to Combat Phishing Attempts
While some people will always fall for phishing scams, there are tools businesses can use to reduce their risk. Organizations should conduct phishing training, including simulated phishing emails, at least once a year. Education is another great tool. A business’s IT department should educate the rest of their organization how to identify and deal with phishing emails and provide remedial training for employees that fall for the phishing training. Additionally, phishing training and simulated phishing emails are key controls cyber insurance carriers like to see when deciding an applicant’s insurability.
Organizations that develop a plan to mitigate phishing risk will reduce the chance of a cyber-attack. Human error will always be a leading cause of cyber incidents…but phishing training and simulated phishing emails are effective tools businesses can use educate their employees. Reach out to your M3 account executive to discuss your organization’s phishing plan.