Cybersecurity: How to Detect and Prevent Phishing Scams
When you receive an email or phone call referencing your bank account, credit card activity, or the Internal Revenue Service, do you assume it is safe to respond? If the name or company is familiar, our instinct is often to trust the source. Unfortunately, criminals have developed techniques that take advantage of this impulse – causing severe damage to businesses and consumers each year.
How severe? According to Phishing.org, phishing damages have exceeded $1 billion. Just as staggering, there are 100+ billion spam emails sent every day and 85% of organizations have been targeted. With these scams continuing to rise, it is important to learn how to identify and protect yourself and your workplace from the damages of phishing.
What is Phishing?
Phishing is a cybercrime in which a target or targets are contacted by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.
Phishing appears in many forms with techniques that are constantly evolving. Here are some of the most common types to be aware of today:
Email Phishing – The messages are designed to appear like they are from legitimate organizations, often ones you know. They ordinarily use threats, warnings, or enticements to create a sense of urgency. The goal of the message is to have you click a link that will ask you to enter your personal information
Spear Phishing – This is a more targeted form of phishing. The emails appear to be from an entity you know because spear phishers use information they already have about you to create more personalized, real-looking emails and websites.
Whale Phishing – An attack specifically aimed at wealthy, powerful, or prominent individuals such as CEOs.
Smishing & Vishing – In these scams, the criminals use automated dialing systems to text or call you on your mobile device. You are then directed to a website or phone number to share your personal information.
Phishing scams are meant to be deceiving, so they are not always easy to detect. See example approaches and be on the lookout for these red flags:
- An email or pop-up window contains an urgent request to click a link or open an attachment. It may suggest the action will avoid a negative consequence or you will gain something of value.
- You receive an email from someone you don’t recognize or weren’t expecting.
- The message has spelling and grammar mistakes.
- The message begins with a generic greeting, like “Dear User”.
- An email is sent at an unusual time, such as 3 a.m.
- The email is a reply to something you never sent or requested.
- You hover over the hyperlink and the website destination is different than the message states.
- You receive an email sent to a large number or unusual mix of people.
- You have an uncomfortable gut feeling.
Here are 10 basic guidelines to help keep yourself safe:
- Keep informed about phishing techniques. New phishing scams are being developed all the time. Without staying on top of the new techniques, you could inadvertently fall prey to one.
- Think before you click. Clicking on links that appear in random emails and instant messages is dangerous. Always hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
- Install an anti-phishing toolbar. Most popular internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.
- Verify a site’s security. It is natural to be wary about supplying sensitive financial information online. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open it. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage.
- Check your online accounts regularly. Check in with each of your online accounts on a regular basis and get in the habit of changing passwords regularly. To prevent bank and credit card phishing scams, personally check your account activity and statements regularly to ensure no fraudulent transactions have been made without your knowledge.
- Keep your browser up to date. Security patches are often released for popular internet browsers in response to the security loopholes that phishers and other hackers discover and exploit. Download and install updates as soon as they are available.
- Use firewalls. High-quality firewalls act as buffers between you, your computer, and outside intruders. Consider using two different kinds: a desktop firewall (a software) and a network firewall (a hardware). When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
- Be wary of pop-ups. Pop-up windows often masquerade as legitimate components of a website, but are all too often phishing attempts. Many popular browsers allow you to block pop-ups and you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; it often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
- Never give out personal information – As a general rule, you should never share personal or financially sensitive information over the internet. When in doubt, visit the company’s website directly and call their listed customer service phone number. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. Never make confidential entries through the links provided in emails and never send an email with sensitive information.
- Use antivirus software – Antivirus software scans every file which comes through the internet to your computer, helping prevent damage to your system. It is important to keep this software up to date.
Remember, phishing scams don’t rely on a weak website or network security. They attempt to crack the human firewall: you. The more aware you are of cyber threats, the more prepared you will be to avoid them.