Smart companies know the best offense against security threats is a strong defense. And what type of defense is the most successful, you ask? Educating employees! A stunning 91% of data breaches start with employees, making it essential for organizations to educate all employees on the threats associated with today's online world. Phishing attacks are the most common of these threats, and the easiest to fall for. If you're not paying attention, anyone could easily be the next victim of a cyberattack.
It Could Happen to You...It Happened to Us (But We Caught It!)
Just last week, one of our employees received an email claiming to come from our COO. Playing on the timeliness of tax season, the sender was asking the employee for copies of all employees' W-2 forms to ensure they were all filled out accurately.
Lucky for us, our employee was savvy to phishing scams and recognized this as an attack. Instead of sharing the entire company's PII, she shared the message with us as a learning tool to remind us of the importance of identifying phishing attacks.
Here are a few things that seemed "phishy" to our employee:
- The "reply-to" was not a valid address.
- The language of the email did not reflect the supposed sender's communication style.
- There were many grammatical errors.
- The signature line was not the sender's usual signature.
- The request in the body of the email was not appropriate for their work relationship.
Here are Some Tips for Spotting Common Phishing Attacks
Sophisticated phishing attacks can be difficult to spot. However, here are some common signs that an email is not what it claims to be:
- The "From" name doesn't match the sending email address: John Doe <firstname.lastname@example.org>
- PORTIONS OF THE EMAIL ARE IN ALL CAPITAL LETTERS
- There are threats, dire warnings, and time constraints: "Your account will be blocked if you do not click the link below in the next 48 hours."
- The email is signed with a generic closing, such as "Customer Service"
- The sender's email address does not match the domain or organization the email purports to be from: TD Bank <email@example.com>
- There are inappropriate requests from large, legitimate organizations: such organizations would not ask you to help rebuild or confirm their database of customers
- You receive an email from a business or organization that you have no relationship with
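The checks in the two lists above can be turned into a simple triage script. The example below is added here and is not part of the original post; the sample message, the ORG_DOMAIN value and the KNOWN_STAFF directory are all constructed assumptions, and the script only flags indicators for a human to review.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                # assumed: the recipient organization's own domain
KNOWN_STAFF = {"jane smith": ORG_DOMAIN}  # assumed: real staff names and the domain they mail from
GENERIC_CLOSINGS = {"customer service", "support team", "it department"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|(account|access) will be (blocked|suspended))\b", re.I)

# Constructed sample in the spirit of the W-2 request described above; not a real message.
SAMPLE = """\
From: "Jane Smith (COO)" <jane.smith@mail-example.net>
Reply-To: accounts.payable@example-lookalike.com
To: hr@example.org
Subject: URGENT W-2 request

PLEASE SEND ALL EMPLOYEE W-2 FORMS TODAY. Your access will be blocked
if you do not respond within 48 hours.

Thanks,
Customer Service
"""

def domain_of(addr):
    # Lower-cased domain part of an address, or '' if there is none.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    # Return the checklist items the message trips, in a fixed order.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject, body = msg.get("Subject", ""), msg.get_payload()
    sender_domain = domain_of(addr)
    flags = []
    # Display name of a real colleague, but the address is not on our domain.
    if any(p in name.lower() and sender_domain != d for p, d in KNOWN_STAFF.items()):
        flags.append("display-name-impersonation")
    # Replies would go to a third domain, neither the sender's nor ours.
    if reply_to and domain_of(reply_to) not in (sender_domain, ORG_DOMAIN):
        flags.append("reply-to-mismatch")
    # Threats, dire warnings and deadlines in the subject or body.
    if URGENCY.search(subject) or URGENCY.search(body):
        flags.append("urgency")
    # Shouting: five or more words written entirely in capitals.
    if sum(w.isupper() for w in re.findall(r"[A-Za-z]{2,}", body)) >= 5:
        flags.append("all-caps")
    # Signed with a generic closing instead of a person's name.
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if lines and lines[-1].lower() in GENERIC_CLOSINGS:
        flags.append("generic-closing")
    return flags
```

Run against the sample it reports all five indicators; a routine internal message from jane.smith@example.org with a named signature returns an empty list.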
If you're not careful, responding to a phishing email can provide cybercriminals with sensitive information. In our case, it could have been the entire organization's personal information, putting hundreds of people at risk. For individuals, this could give cybercriminals insight into your bank accounts, social media profiles, credit cards, and other assets.
Bottom Line: Always Trust Your Instincts.
If you think something isn't right, do not respond to or perform any action being requested in that email. If you'd like to learn more about staying safe online, download our Essential Guide to Online Security for helpful tips and ways to stay secure on social media, mobile phones, laptops, and more.