Phishing remains one of the most common ways a data breach begins, and it often leads to a ransomware attack. When ransomware hits, all or substantial parts of your IT stop functioning and your data is compromised. The only ways to bring your systems back online are to restore from backup or to "pay the piper," the cybercriminal, their ransom. While ransoms of the past were in the thousands, they are now typically hundreds of thousands or even millions. Either way there are operating losses from the interruption of services while your systems are restored and rebuilt. The other main results of phishing are the theft of personal or confidential business information and the hijacking of a person's mailbox, which is then used to send false instructions that elicit a payment to the cybercriminal.
Any way you cut it, the stakes are high nowadays. According to Verizon's 2021 Data Breach Investigations Report, phishing topped the list of breach actions for the second year running, with no sign of letting go. You are the target: the cybercriminals know it works, and the cash rewards for them are high.
Defensive IT security has its part to play, as do management and monitoring of IT systems. However, the common denominator in roughly 90% of breaches is us, the human sitting at the desk. So, what can you do to play your part? Here are things to look out for so you can protect yourself and your firm from a potential threat:
- Check the sender. Before clicking a link in an email, make sure the sender's display name matches the actual address in the From field; the display name is free text and can say anything. Watch for addresses that imitate a trusted person or organization with look-alike spellings, such as G0ogle or Wa1mart. Also be wary of "Dear Customer" or any other impersonal greeting, particularly from a company you already have a relationship with.
- Generic content. If the contents of the email are generic, for example the email does not reference you by name or account number, that is a red flag. Cybercriminals send hundreds or thousands of generic emails hoping a few recipients reply with personal information.
- Hover, do not click. Do not immediately click any link in the email. Instead, hover the mouse over each link to see its full destination URL, which can differ from the text displayed (on a phone, press and hold the link to preview it). If all the links point to the same place, or the destination is not a website you recognize and trust, treat it as a phishing email.
- Look out for typos and poor formatting. Many cybercriminals are not writers and are not worried about grammar or punctuation. Obvious typos or confusing language should be major red flags, although a well-written email is not proof of legitimacy.
- Never provide your password. It is never a good idea to share sensitive or personal information by email. A legitimate company, bank, or other institution will never ask for your password in an email.
- Delete or check with IT. When in doubt, either check with your IT partner or simply delete the email. If the email claims to be from a company you know, call them on a phone number you obtain separately, never one printed in the email itself. For example, if you receive a suspicious email from your credit card company, call the number on the back of your card to verify it.
- Unsolicited information or attachments. Be suspicious of attachments or information you did not request: legitimate companies rarely send them unannounced, and they will not ask for personal or sensitive information in such emails.
- Review the signature. A lack of details about the signer, or of any way to contact the company, strongly suggests a phish. Legitimate businesses provide contact details, so check for them.
- Do not make a payment based on an email request. When a payment is requested by email, get authorization through a second channel, such as a phone call to a number you already have on file, not one given in the email.
- Understand the email notifications in your email system. Learn which warning banners your email platform adds, such as a flag on mail that comes from outside your organization, and what each one means, so you notice when one appears.
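Several of the checks above (sender display name versus real address, look-alike domains, generic greetings, password requests, and link text that does not match the real destination) can be applied mechanically to a raw message. The following script is an added example, not code from the original post or from Tabush Group; the two sample messages are constructed for illustration, the TRUSTED_DOMAINS allowlist and the CONFUSABLES substitution table are assumptions, and registered_domain deliberately simplifies a hostname to its last two labels instead of consulting the public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not from the original post). The first is a
# typical credential phish: spoofed display name, look-alike sender domain,
# generic greeting, password request, and a link whose visible text differs
# from its real destination. The second is a benign internal message.
PHISH_EMAIL = """\
From: "Google Security" <alerts@g0ogle-support.com>
To: victim@example.com
Subject: Dear Customer, verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Click <a href="http://wa1mart-login.com/verify">https://accounts.google.com/</a>
to confirm your password.</p>
</body></html>
"""
CLEAN_EMAIL = """\
From: "Jane Smith" <jane@example.com>
To: bob@example.com
Subject: Tuesday meeting notes
Content-Type: text/plain; charset="utf-8"

Hi Bob, the notes are in the shared folder as discussed. Jane
"""

# Assumed allowlist of domains the reader actually deals with.
TRUSTED_DOMAINS = {"google.com", "walmart.com", "example.com"}
# Digit-for-letter swaps commonly used in look-alike domains (G0ogle, Wa1mart).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registered_domain(hostname):
    """Collapse a hostname to its last two labels (simplification; real code
    should use the public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None
    label = domain.translate(CONFUSABLES).split(".")[0]
    for t in trusted:
        if t.split(".")[0] in label:
            return t
    return None

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    """Apply the checklist to one raw message; return a list of findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Check the sender: display name versus the real address.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    impersonated = lookalike_of(sender_domain, trusted)
    if impersonated:
        findings.append(f"sender domain {sender_domain} looks like {impersonated}")
    if sender_domain not in trusted and any(
        t.split(".")[0] in display.lower() for t in trusted
    ):
        findings.append(f"display name '{display}' claims a brand the address is not from")
    # Generic content and password requests.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if re.search(r"dear (customer|user|member)", f"{msg['Subject']} {text}", re.I):
        findings.append("generic greeting")
    if re.search(r"\bpassword\b", text, re.I):
        findings.append("asks for a password")
    # Hover, do not click: compare the visible link text with the real target.
    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if visible.startswith(("http://", "https://")):
            shown = registered_domain(urlparse(visible).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
        impersonated = lookalike_of(target, trusted)
        if impersonated:
            findings.append(f"link domain {target} looks like {impersonated}")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse(raw) or ["no findings"])
```

Run against the constructed phish, the script reports six findings (the look-alike sender domain, the brand-claiming display name, the generic greeting, the password request, the mismatch between the displayed google.com link and the wa1mart-login.com destination, and that destination's own look-alike domain); the clean message produces none. The same logic is what a mail gateway's banner or link-rewriting feature does at scale, which is why it pays to learn what those notifications mean.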
For more information on cyber risk and how to achieve a more secure work environment, check out Tabush Group’s on-demand replay of Cyber Risk in a David vs Goliath World.