Don’t Get Reeled In: How to Prevent Phishing Scams
Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from threats by following some simple tips.
Phishing Scams on the Rise
According to the 2022 State of the Phish survey (published by Proofpoint, formerly Wombat Security), 83% of respondents said their organization experienced at least one successful email-based phishing attack in 2021, up from 57% in 2020, and 11% reported 10 or more successful attacks.
With the threat of phishing scams on the rise and showing no sign of stopping, there has never been a better time to review your organization’s policies and remind yourself how you can stop an attack.
Types of Phishing Scams
Deceptive phishing: The most common phishing scam and the type most people think of when they hear the word “phishing.” Deceptive phishing strikes by sending mail from a compromised, recognized email address (or from an address that impersonates one) to get access to information. These emails typically ask you to:
- Make a payment
- Re-enter information, such as logins or passwords
- Change your password
- Verify account information
Spear phishing: In recent years, spear phishing attacks have been on the rise. A more targeted form of deceptive phishing, spear phishing is a personalized attack that tricks you into thinking you have a relationship with the sender by using your full name, job title, address, phone number or other semi-private information. Once you click the link in a spear phishing email and enter your credentials on the attacker’s look-alike login page, the attacker has access to your account.
Whaling: As the name implies, whaling is phishing that targets the big game. With whaling, also known as CEO fraud, attackers target executives and directors in an attempt to gain access to their information and email accounts. Unfortunately, this can be the most successful form of phishing, as executives often don’t undergo the same security training as more junior employees.
Phishing calls: Email-based attacks are the most common form of phishing, but phone-based phishing (often called vishing) has increased over the last few years. In these scams, phishers call and present themselves as a legitimate organization, such as your bank or credit card company, to obtain information. Typically the call begins with the caller volunteering easily researched information, such as your name or address, to build trust. From there, the phisher drills down by asking for personal information such as passwords or bank account numbers for “verification purposes.”
Know That Protection is Everyone’s Responsibility
While phishing prevention is often laid at the feet of the IT department, protecting the organization from phishing attacks is the responsibility of every member at every level – from interns to IT to executives. And while you might think your organization has to focus its training on older employees, a recent study found that millennials and Gen Z (23%) were more likely to have fallen victim to phishing scams than Gen X (19%) or Baby Boomers (9%).
Before you shrug off responsibility, know that 55% of the organizations surveyed in the 2022 State of the Phish report said they take disciplinary action against employees who fall for real or simulated phishing attacks.
Be Wary of Suspicious Emails
Most organizations employ copywriters, editors and/or digital marketers to carefully craft marketing emails, so any email from a brand or company that is riddled with typos and errors should raise red flags. Cybercriminals often make mistakes in emails – sometimes intentionally to slip past your email’s spam filters. Another telltale sign of a suspicious email is one featuring an impersonal greeting, such as “Dear Customer.”
If you don’t know the entity sending the email, don’t interact with the message by clicking links, downloading files or opening attachments. Doing so could open your computer, and your organization’s servers, up to a data breach.
Finally, look closely at the sender address, not just the display name, which the sender can set to anything. Phishers often register addresses similar to ones you are familiar with in order to mimic someone else – and if you don’t take a closer look at the sender, you might fall for it. For instance, the CEO of an organization might have the email [email protected], but phishers will use an address such as [email protected] or [email protected] to mimic the CEO in an effort to steal data or money.
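To show how the sender check above can be automated in a mail gateway or SOC triage script, here is an added Python example (not A-LIGN code and not from the original article). The trusted domains, the list of frequently impersonated people, and the sample messages are all constructed for illustration; it flags digit-for-letter look-alikes, domains within a couple of edits of a trusted one, a trusted organization name embedded in an unrelated domain, a known person’s name on an untrusted address, and a Reply-To that diverts replies elsewhere.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-lists for this example. A real deployment would load
# the organization's own domains and its most-impersonated senders.
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_PEOPLE = {"pat lee"}

# Substitutions commonly used to make a domain resemble another one
# (letter pairs first, then digit-for-letter swaps).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Fold a domain into a canonical form so look-alikes collide with the real one."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> dict:
    """Parse From/Reply-To and return the reasons (if any) the sender looks like an impersonation."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    if domain not in TRUSTED_DOMAINS:
        folded = normalize_domain(domain)
        for trusted in TRUSTED_DOMAINS:
            org = trusted.split(".")[0]
            # Fold the trusted side too, so a trusted domain containing "rn" still matches itself.
            if folded == normalize_domain(trusted):
                reasons.append(f"confusable characters spell trusted domain {trusted}")
            elif edit_distance(folded, trusted) <= 2:
                reasons.append(f"within two edits of trusted domain {trusted}")
            elif org in folded:
                reasons.append(f"trusted name '{org}' embedded in unrelated domain {domain}")
        # A known person's name on an address outside the trusted domains is classic CEO fraud.
        if any(person in display_name.lower() for person in TRUSTED_PEOPLE):
            reasons.append(f"display name '{display_name}' impersonates a known sender from {domain}")

    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To diverts replies to {reply_addr}")

    return {"from": addr, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (headers only matter for this check).
SAMPLE_MESSAGES = {
    "legitimate": 'From: "Pat Lee" <pat.lee@example.com>\nSubject: Q3 numbers\n\nSee attached.\n',
    "digit_swap": 'From: "Pat Lee, CEO" <pat.lee@examp1e.com>\nReply-To: <pat.lee@replies.invalid>\n'
                  'Subject: Urgent wire\n\nPlease pay this invoice today.\n',
    "free_mail": 'From: "Pat Lee" <ceo.patlee@webmail.invalid>\nSubject: Gift cards\n\nAre you at your desk?\n',
    "embedded_name": 'From: "Payroll" <hr@example-com.net>\nSubject: Update your direct deposit\n\nLog in here.\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        verdict = classify_sender(raw)
        print(f"{label}: {'SUSPICIOUS' if verdict['suspicious'] else 'ok'} {verdict['reasons']}")
```

The folding step is deliberately aggressive (it would also fold a legitimate domain containing “rn”), which is why the code normalizes both sides before comparing and treats every hit as a reason to look harder rather than as proof of fraud; in practice you would feed these reasons into a score alongside SPF/DKIM/DMARC results rather than block on any one of them.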
Stay Updated on Phishing Attacks
Like any kind of scammer, phishers are playing a massive game of cat-and-mouse. As soon as a new technique is deployed or successfully utilized, word spreads and the public is educated – forcing hackers to develop new tricks constantly. If you’re not staying updated on new techniques and developments or undergoing security awareness training regularly, you’re easy prey for a phishing scam.
Undergo Penetration Tests
Penetration tests, including simulated phishing campaigns against your own staff, are a great way to test your information security posture. Designed to test the security of the technologies, systems and people in place at an organization, penetration testing identifies specific vulnerabilities before the bad guys do, reducing the risk of a data breach or a successful phishing scam.
How A-LIGN Can Help
At A-LIGN, our penetration testers emulate the techniques of hackers by developing scenarios and strategies to breach your organization’s information systems, attacking your networks and applications. A-LIGN’s penetration test encompasses:
- API Testing
- Network Layer Testing
- Mobile Application Testing
- Web Application Testing
- Wireless Network Testing
- Facility Penetration Testing