If you are not already familiar with phishing, it is the practice of sending emails that appear to come from a trustworthy source in order to entice the recipient to give up information, click on a link, or open an attachment that they would not otherwise do. Phishing has been at the top of the threat vector list for several years now and it continues to be a threat to all businesses, as this type of attack accounts for more than 90% of data breaches (Source: Cisco). Phishing is also one of the most ‘visible’ types of attacks from the end user’s perspective.
Who’s At Risk?
According to phishing awareness and training company KnowBe4, some industries are at more risk based on their size. However, statistics show that as many as 3 billion phishing emails are sent every day, and around 19.8% of people click on phishing email links. This means that statistically every business will have to deal with phishing attacks in one way or another. The only choice they have is whether they choose to protect their users and data or not.
Personal Steps You Can Take
Anyone can protect themselves by just questioning a little:
- If the email was unexpected because you don’t know the sender or they’re asking for unexpected information or for you to perform an action such as download a document or click a link, don’t do it.
- Does their offer sound too good to be true? It probably is. Question it.
- Attackers like to create urgency in their emails/calls in order to trigger your fear and stop you from thinking too hard about the situation. One way to fight against this is to change the tactic and give yourself time.
- Is it your utility company threatening to shut off your heat? Either go to the company website directly (not from the link in the email) or call them. If someone called you threatening to shut off your heat, hang up and call the number on the company’s website. Is the IRS going to give you giant fines? Call them or email them from the IRS site. Any real agent of these companies would not be opposed to you calling the agency back directly and any customer service representative should be able to look at your account and see if it is past due.
- If someone is asking you for payment in the form of a gift card, automatically consider that a red flag, even if it’s at work and it’s the CEO of the company! (A word to the wise: the CEO normally has a company credit card and can buy their own gift cards.)
- Don’t accept unsolicited advice from a phone call or email, and certainly don’t give them access to your computer or give them any of your personal information.
Use technology to protect yourself as well:
- Turn on Multi-Factor Authentication (MFA) anywhere you can, especially on all your bank accounts. This means that even if an attacker manages to get your password, they then need to come up with a way to get the second code as well. Make it difficult for them.
- If MFA is turned on, don’t give anyone the code for any reason. Also, try to use authenticators instead of receiving a code by email or text.
- Use a password management system to store your passwords. Most browsers come equipped with one, and they are much safer than a Word document on your desktop labeled Passwords, a notepad next to your desk, or the sticky-note frame of passwords around your monitor.
- Use different passwords for different sites. If for some reason you do fall for one, it will limit the damage they can do. Password managers also help to make this easier to do.
If you do fall for a phishing campaign or any other scam, report it to either your internal IT Security team if at work or go to https://www.usa.gov/scams-and-frauds to report any personal attacks. While it may feel embarrassing, remember that these people work very hard to trick users, and not reporting them just lets them get away with it.
Company-Wide Controls to Put in Place
There are numerous vendors who can implement outgoing mail encryption and real-time defense automation like phishing detection, spam quarantining, image & link sandboxing, and other protections. However, there are three relatively simple and inexpensive controls that you can put in today that provide significant protection against many email-based attacks, based around DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting & Conformance), and SPF (Sender Policy Framework). Making sure your DKIM, DMARC, and SPF records are properly configured will not stop everything, but it will authenticate your outbound emails and help to ensure the reputation of any sender domains – on the cheap.
Cybersecurity is not a one-time effort; it’s an ongoing commitment to protecting sensitive information, ensuring service continuity, and upholding the trust of clients and the public. Never blatantly trust anything that asks you to click on it without a little critical thinking. Be wary of any file attachment on emails when you are not expecting them. These are easy ways to bypass your computer’s security, so be on guard.
CaseWorthy is a family of products helping organizations to combine their program data and business operations into a single scalable solution. CaseWorthy strives to maintain the highest level of information security to protect its systems, data, and clients. To demonstrate its commitment, it maintains HITRUST and SOC 2 certifications to certify the program through independent third party evaluation. Our commitment extends beyond compliance; it’s a proactive approach that drives us to continuously invest in cutting-edge technologies, adopt best practices, and foster a culture of security awareness among our team. By collaborating with industry experts, sharing insights, and staying vigilant against emerging threats, we contribute to the collective resilience of the business community and demonstrate our dedication to a safer digital world for all.