Phishing has been around for a long time. Attackers continue to use it because it is still very effective. If anything, the number of phishing attempts is increasing, and dealing with phishing attacks costs enterprise organisations millions of dollars.
As part of a comprehensive email security strategy, a crucial method for minimising email risk is to educate users and encourage constant vigilance. Message-level encryption is important, as is protection against misaddressed emails, but email security is about people making good decisions and tackling human error by helping them recognise a phished email when it lands in their inbox.
So what is phishing, and why is it a major source of data loss?
What is phishing?
By impersonating trusted companies like banks or retailers in email messages, attackers hope to get the target to hand over sensitive information like bank details and passwords. They will usually make it sound crucially important that you take action, for example by saying that your account may have been compromised.
Clicking on a link in one of these spoofed emails will take you to a website that looks just like the bank / retailer / social media website that you expect to see. When you log in, however, you will get an error message and the attacker will get your login credentials. They will then be able to gain control of your online banking or social network accounts.
While spam filters do catch many phishing attacks, it’s important to know what to look for when one invariably slips through the net and lands in your inbox.
How to protect against phishing
Five tips for preventing phishing in your organisation:
- Learn what to look out for
While phishing emails are designed to look as real as possible, there are things you can look out for that point to an email being spoofed. Intuition is helpful here, and your gut feeling about an email’s authenticity is often correct. Any of the following, in an email from a purportedly reliable sender, is usually a hint that the email is a potential phishing attack:
  - Incorrect spelling and grammar
  - Name in the email address not matching the user details in the email body
  - An email received from an unknown sender or email address
  - An unexpected change to the look / layout of an email
If in doubt, don’t risk it!
- Beware of links in emails
If you see a link in a suspicious email message, don’t click on it. Instead, hover your mouse over the link to see whether the address matches the link text displayed or, if possible, open the site in another window by typing the address yourself instead of clicking the link in your email. You should never go to the website of your bank by clicking on a link in an email.
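Two of the hints above, a link whose visible text names one site while its target points to another, and a From: header whose display name contains an address different from the real sender address, can be checked automatically at the mail gateway or in a triage script. The following is an added example for illustration, not code from Egress or from the original post; the email it parses is a constructed sample with made-up `.invalid` and `.example` domains, and the two-label "registrable domain" helper is a deliberate simplification.

```python
"""Flag link-text/target and From: display-name mismatches in an HTML email.

Added example (not from the original post). It parses a constructed sample
message, extracts every <a href="..."> link, compares the host in the href
with any host that appears in the link's visible text, and separately checks
whether the From: display name embeds an address that differs from the real
sender address. The domains below are made up for the sample.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a host name (optionally preceded by a scheme) inside link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: the visible link text claims one site, the href another,
# and the From: display name claims an address the sender does not own.
SAMPLE_EMAIL = """\
From: "alerts@bank.example" <notify@mailer-bank-example.invalid>
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account may have been compromised. Log in within 24 hours:</p>
<p><a href="https://login.bank-example-secure.invalid/verify">https://www.bank.example/login</a></p>
<p>Questions? <a href="https://www.bank.example/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude site name: the last two labels (a simplification, no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def find_link_mismatches(html):
    """Return (visible text, href) for links whose text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        match = HOST_RE.search(text)
        if match and registrable(match.group(1)) != registrable(href_host):
            flagged.append((text, href))
    return flagged


def from_header_mismatch(from_header):
    """True when the From: display name contains an address that is not the real sender address."""
    name, addr = parseaddr(from_header)
    embedded = ADDR_RE.search(name)
    return bool(embedded) and embedded.group(0).lower() != addr.lower()


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message with a single HTML part."""
    msg = message_from_string(raw_message)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "from_mismatch": from_header_mismatch(msg["From"]),
        "link_mismatches": find_link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as written, the script flags the first link (text says `www.bank.example`, target is `login.bank-example-secure.invalid`) and the From: header, while the "Help centre" link passes because its text names no host. Hiding a whole domain check behind the last two labels is good enough for a demonstration but would misjudge multi-label suffixes such as `.co.uk`; a production filter would use a public-suffix list.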
- Only communicate personal information through a secure website
Always check that any pages or links are HTTPS and that the green shield is visible within your browser to verify authenticity (a genuine certificate).
- Ensure your computer’s security is up to date
Make sure you’re always using software such as anti-virus and malware protection that is up to date, with the latest definitions. Because attackers are constantly inventive, new definitions are added all the time, so you need to ensure you run updates frequently.
- Beware of pop ups – never enter personal information in a pop up screen
A pop-up on a website can pretend to be a genuine feature of the site but is often a phishing attempt. One solution is to install a pop-up blocker in your browser and allow pop-ups only on an ad hoc basis. If you do see a pop-up on a website asking for login information or other personal data, click on the cross in the top corner of the window to close it: do not click any of the links in the pop-up, even if one says ‘cancel.’
The bottom line: think before you click
In busy working environments, when you’re sending and receiving so many emails each day, it can be difficult to remain vigilant when it comes to email authenticity. The vital thing to remember is to think before you click on any link in an email. Does it look genuine? Is something amiss? Does the email address look correct?
Educating people about what to look out for when it comes to phished emails is just one more aspect of a comprehensive email security strategy, though. At Egress, we’re focused on user-centric tools for data privacy and risk management. It’s about recognising that users can be an organisation’s greatest asset and greatest weakness when it comes to data security, and then providing them with a range of tools for preventing the loss of important information.