It seems rather fitting that October is National Cybersecurity Awareness Month. Because let’s be honest, cybersecurity threats are more terrifying than Halloween monsters. Especially for small businesses.
This year’s theme emphasizes personal accountability and proactive behavior.
Awareness is key because many people think their online habits are good enough to protect their data.
But here’s the truth. No one is immune to cybercrime.
As many publicized data breaches have shown, there is a need for cybersecurity education. The good news is that the following cybersecurity best practices can improve your digital security.
So, in honor of National Cybersecurity Awareness Month, I’m going to share our top security “how-to’s”. The goal is to help you better protect yourself and your data.
Today, I’m going to tell you how to identify a phishing email. And what to do if that phishing email made it into your inbox.
What is a phishing attack?
Phishing attacks are fraudulent communications that appear to come from a reputable source. Typically, phishing attacks come in the form of an email. And for today’s purposes, we are going to focus on phishing emails.
The goal of a phishing attack is to steal sensitive data, like credit card and login information. Or, to install malware on the victim’s machine.
How does phishing work?
Phishing starts with a deceitful email, where the attacker tries to lure a victim. A phishing message looks like it comes from a trusted sender, like a bank.
If the email fools the victim, the attacker usually captures the victim's confidential information through a lookalike website: a copy of the real login page that records whatever the victim types and often forwards them to the genuine site afterward so nothing seems wrong.
In other cases, the victim opens a malicious email attachment, which installs malware on the victim's computer.
Types of phishing attacks
Deceptive Phishing
The most common type of phishing attack. Deceptive phishing is the mass-mailed kind: the attacker impersonates a well-known company and sends the same message to a large number of people, hoping that a few of them hand over login credentials or payment details. Once the personal information is obtained, the attacker uses it to steal money or launch other attacks.
Spear Phishing
Spear phishing targets specific individuals instead of casting a wider net. Attackers often research their victims on social media. In turn, the attacker customizes their communications to appear more authentic.
Whaling
Whaling is when an attacker goes after a high-profile target, like a CEO. These attackers often spend considerable time profiling their target before sending a carefully tailored message, usually to steal login credentials or to get a payment approved. Whaling can be extremely dangerous for businesses because executives often have access to more sensitive systems and data, and their requests are rarely questioned by staff.
How to identify a phishing email:
The best defense against phishing attacks is end-user education and a comprehensive spam filter. But unfortunately, some phishing emails will make it to the inbox even with top-tier protection.
Once it’s in your inbox, it can blend easily amongst your other emails. Because of this, I recommend you always have your detective hat on when opening emails.
Like a good detective, you must be hyper-aware. Don’t take things at face value, instead, look over the email with a fine-tooth comb before replying or clicking a link.
Here is what to look for:
Sender’s Email Address
The first question you should be asking yourself is: does the sender's email address look fishy? Look at the actual address, not just the display name. Most mail clients show the display name in large type, and the attacker controls it, so "Your Bank" can appear above any address at all.
For example, let's say you get an email saying it is from Your Bank, but the email address is strange. The address is YourBank@hotmail.com. That should be a red flag. The sender's email, especially from a bank, should not be using a public account, like Hotmail, Gmail, Yahoo, etc. Also compare the part after the @ with the domain your bank actually uses on its website and statements; a domain that is merely similar, with a letter swapped, a word added, or a different ending, is not the same domain.
Incorrect URLs
Hackers use fake sites to steal your information. Before you click on an email’s URL, you need to make sure that the URL is taking you to a legitimate site.
How do you find that out? If you're on a computer, hover your mouse over the link without clicking, and a preview of the real destination appears in the status bar, at the bottom left-hand corner of the browser or mail client window. On a phone, press and hold the link to see the same preview. The words you can read in the email are just the link's label; the preview shows where it really goes.
For example, let's say you get an email from "Target". The URL in the email should take you to target.com. If the status bar shows a different domain, do not follow that link. Check the domain itself, not whether the word "target" appears somewhere in the address: attackers register lookalike domains and also put the real company's name at the front of a much longer address that actually belongs to them.
Nosy Requests
Odd requests are huge red flags. Legitimate banks and other companies will never ask you to reply with, or type into a linked page, your password, full card number, PIN or a one-time code. You should be suspicious of all emails requesting your sensitive information, and doubly so when the request comes with a deadline or a threat that your account will be closed.
Your Name
Does the email in question use your name? Illegitimate emails will often address the receiver as a "valued customer" or something similar, because the same message went to thousands of people.
Also, if your name is misspelled, proceed with caution. If this email is legitimate, then that company should have your correct information on file. The reverse does not hold, though: a spear phishing email will use your correct name precisely because the attacker looked you up, so a correct greeting on its own proves nothing.
Typos
Real businesses are serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully, and if something seems off, don't click on anything. Keep in mind that this is a weak signal: well-funded phishing campaigns have flawless copy, so the absence of typos is not a reason to trust a message that fails the other checks.
Reach for your phone
A phone call can help you check for authenticity. Going back to that bank example, you could call your bank to see if the email request is legitimate. The bank will be able to let you know either way. Just make sure you dial the number printed on the back of your card or listed on the bank's own website, never a number given in the suspicious email, since the attacker can put their own number there just as easily as a fake link.
Ask an expert
If you truly do not know whether an email is real or fake, ask an expert. If your company works with an IT service provider, a simple call over to your IT help desk can take the guesswork out of the equation. Forward the message to them rather than replying to it or clicking anything, so they can inspect the headers and links, block the sender, and warn anyone else who received it.