91% of all attacks start with a phishing email, while only 3% of people can identify one. If that doesn’t scare you into making your company more secure against attackers, nothing probably will. The problem is that with so many things to focus on, businesses usually have a hard time prioritising cybersecurity, and they ease their concerns by investing in technology to protect them. While this certainly helps, it doesn’t help much when the target is not your technology, but your people.
A Little about Phishing
Phishing scams are crafted to pass as email from a legitimate source, either requesting information or redirecting the user to a webpage that downloads malware. With your workers busy in their daily work processes, and with no prior training on identifying phishing scams, they may never think twice about checking the authenticity of an email before opening attachments or sending sensitive information like passwords by email.
If It’s That Difficult, How Can Someone Avoid Getting Phished?
Luckily, there is an answer. Once you have trained your employees to never put their guard down, they can quickly identify emails that seem suspicious and report them. Here are a few steps to know and teach your employees that can help:
1. Understand the Motive
The first thing to remember is that scammers have one motive: to infiltrate. Once they get access, either via malware or by using the shared sensitive information, they can move on to stealing resources. But the first step is always to try and get access. And quick.
So, if an email asks you to provide information or security details for updating your profile, receiving an online gift voucher, or replying to a law enforcement agency (especially an email claiming to be from a law enforcement agency), take a step back.
Check the ‘more details’ or ‘full headers’ view of the ‘From:’ section in the email and see whether the sender address is legitimate. If it’s not, or if the email has been sent to many other people, REPORT IT to the company’s security team. They can use the information to block similar phishing emails. Speaking realistically, for each email that is reported, many more will get through. Reporting phishing emails helps the infosecurity team establish pre-emptive measures and avoid such attacks in the future.
2. Check the Authenticity of Links
In the other case, where the scammer does not ask for information but the email contains a button or a link it urges you to click, again, take a step back.
One great way to check the authenticity of a link or button is to hover your mouse over it (DON’T CLICK). A small box at the bottom of the page or beside your mouse pointer will show the actual link target. If that URL does not match the one displayed in the email, it’s probably a scam.
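The two manual checks above (steps 1 and 2: inspect the sender headers, and compare the link text you see with the target you get when hovering) can also be automated on the mail-gateway or help-desk side. The following is an added example written for this page, not code from Graystone International; it parses a constructed phishing-style message (all addresses and domains are made up) and flags a Reply-To domain that differs from the From domain, plus any HTML link whose visible text is a URL on a different host than its real href:

```python
"""Added example (not from the original article): automated version of the
sender-header check and the hover-the-link check. All addresses, domains and
the message itself are constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and domain here is made up.
RAW_EMAIL = b"""From: "Acme Payroll" <payroll@acme-corp.example>
Reply-To: collect@acme-corp-login.example
To: employee@acme-corp.example
Subject: Update your profile to receive your gift voucher
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please update your details at
<a href="http://acme-corp-login.example/verify">https://hr.acme-corp.example/profile</a></p>
<p>Questions? See <a href="https://hr.acme-corp.example/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Return the lower-cased domain of an address like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def sender_mismatch(msg):
    """Step 1 check: (from_domain, reply_to_domain) if replies go elsewhere, else None."""
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        return (from_dom, reply_dom)
    return None


def mismatched_links(html):
    """Step 2 check: links whose visible text is a URL on a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://")):
            shown_host = (urlparse(text).hostname or "").lower()
            real_host = (urlparse(href).hostname or "").lower()
            if shown_host != real_host:
                bad.append((text, href))
    return bad


def analyze(raw):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {
        "sender_mismatch": sender_mismatch(msg),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Both findings are exactly what a trained employee would spot by hand: replies are routed to a look-alike domain, and the link that reads as the HR portal actually points at the look-alike host. A link whose visible text is plain words ("our help page") is not flagged, since there is nothing displayed for the target to contradict; that is why the hover check matters most when the email shows you a URL.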
3. Trust Nobody Online
Even if the email seems to be from someone you know personally, do NOT send over your private information. Posing as another person by email is easy enough, so don’t fall for the scam. Always check, and recheck, the authenticity of the sender, and NEVER send your personal details online. Remember, scammers craft the emails you’re most likely to respond to. Be one step ahead by mistrusting emails sent to you by seemingly legitimate sources.
Graystone International offers non-boring, highly interactive cybersecurity training programs and roadshows for businesses. Please contact us if you want to make sure that all your employees can identify phishing scams like a pro and help create a more secure company culture.