We’ve all received those obviously bad phishing attempts in our inboxes referencing our PayPal or Amazon accounts. If they’re so obvious, why do criminals keep sending them? Because some people still fall for them.
Other cybercriminals send far more convincing phishing attempts to businesses, and even trained employees can be fooled when the message is backed by social engineering. So how can you stay safe against phishing and social engineering? Knowing what to look for, knowing the steps to secure your company, and undergoing a risk assessment are three musts.
What Is Phishing?
Phishing refers to emails, texts, and other messages whose sole purpose is to steal your personal or business information. They typically claim that your account has been breached or your password has been used, or they carry a malicious download. The page you land on may look like a legitimate login page, but the username and password you type into it go straight to the cybercriminals. Links and downloads can also infect your files and computer, locking it up (ransomware) or giving the criminal access to vital business operations.
An example of phishing would be an email that looks like it came from Amazon, asking you to log in through the provided link because your account is about to be frozen. The link won’t take you to your Amazon account; it goes to a fake site that collects your details or downloads malicious content.
What Is Social Engineering?
Phishing is actually a type of social engineering. Social engineering as a whole, though, refers to the deception and manipulation of people to the point they reveal confidential or personal information. This can include Social Security numbers, access to bank accounts, passwords, driver’s license details, and more. Successful social engineering can result in loss of business-critical operations, access to confidential client information, payment of fake invoices, and identity theft.
Another example of social engineering is a text message or email that appears to come from the business owner, asking an employee to transfer money to a new business partner. When checked, the business partner doesn’t exist, and the owner never sent the request.
What Should You Look For To Prevent Phishing and Social Engineering Attacks?
Some phishing and social engineering attempts are obvious. Typos, odd email signatures, off-brand content, announcements that you won a contest you never entered, and strange links are just some of the signs. More advanced attempts are harder to spot. Here are a few signs that are not so obvious:
- Urgent requests or actions that must be taken right away
  - Phishing and social engineering attempts rely on a sense of urgency to make you act before you think. Only on reflection do you realize it was probably a scam.
- Odd greetings
  - You know how your co-workers, peers, and managers address you in email. If an email or text opens with an unusual greeting or uses phrases nobody in your office would use, it could be from a cybercriminal.
- Unprompted requests for login credentials or other sensitive information
  - If you receive an email claiming someone tried to log in to your account and it wasn’t you, don’t act on the email’s link. The alert itself may be the lure, built to send you to a look-alike login page. Check the account by going to the site directly.
- Requests for 2-Factor Authentication (2FA) codes
  - In some social engineering attempts the cybercriminal poses as a representative of a business and asks you to read back the 2FA code that was just sent to you. A legitimate company never needs that code. Never give it out!
- Suspicious attachments
  - If you didn’t request a document, or the attachment’s name or file type seems off, that is another sign of a scam.
Tips To Stay Safe
Here are a few tips that can help you and your employees improve cybersecurity around the workplace and avoid falling victim to social engineering attacks:
- Head to the website yourself.
  - If you’re suspicious of an email or text, don’t use the link it provides. Type the site’s address yourself or use a bookmark you saved earlier, then log in there.
- Don’t download anything you didn’t request or that hasn’t been properly vetted.
  - All documents and attachments should be vetted before they’re opened. Never download something you didn’t specifically request. Treat executable attachments as hostile: not only .exe, but also .scr, .bat, .js, .vbs, .hta, .lnk, .iso, and macro-enabled Office files such as .docm. Watch for double extensions like invoice.pdf.exe; Windows hides known extensions by default, so that file shows up as invoice.pdf.
- Make employee cybersecurity training mandatory.
  - Every employee should be trained to spot phishing and social engineering attempts and kept informed about new and emerging threats.
- Create a cybersecurity policy that keeps social engineering in mind.
  - You should have risk assessment plans in place for mobile devices, firewall installation and updates, software and hardware updates, remote work, and 2FA. Partnering with a cybersecurity provider is also key to developing your strategy and getting access to must-have resources.
- Plan ahead with disaster recovery.
  - Human error is one of the main reasons these attempts succeed. Even with training, mistakes happen. Disaster recovery ensures you have a tested backup to fall back on, even if the worst should happen.
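The warning signs above and the attachment rule in the tips can be turned into a simple automated check. The following Python script is an added example, not code from the original article or from TAG: it parses one email message with the standard library and flags urgency language, a Reply-To or display name that doesn’t match the From domain, links whose visible text names one site while the href points at another, requests for passwords or 2FA codes, and attachments with executable or double extensions. The sample messages, the domains in them, the brand list, and the extension lists are all constructed for the example and are assumptions, not a complete ruleset.

```python
"""Heuristic phishing triage for one e-mail message (added example, not the article's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|frozen|suspended|act now)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|2fa|verification code|one-time code|otp)\b", re.I)
# Assumed lists: extensions that execute or run macros, and decoy extensions used in double names.
RISKY_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "js", "jse", "vbs",
             "hta", "lnk", "iso", "img", "docm", "xlsm", "pptm"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Illustrative brand -> legitimate domain map (assumption; a real list is far larger).
BRANDS = {"amazon": {"amazon.com"}, "paypal": {"paypal.com"}}
HOST_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample messages; every domain below is made up for the example.
SAMPLE_EML = """\
From: "Amazon Customer Service" <security@amaz0n-verify.example>
Reply-To: helpdesk@mail-relay.example
To: employee@victim.example
Subject: URGENT: your account will be frozen in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, your account will be suspended immediately unless you
verify your password now: <a href="http://login.amaz0n-verify.example/x">
https://www.amazon.com/signin</a>. Reply with your 2FA code to confirm.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
BENIGN_EML = """\
From: Dana Lee <dana@victim.example>
To: employee@victim.example
Subject: Notes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Hi, the notes are on the wiki at https://wiki.victim.example/notes/2024-05. Thanks!
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host_or_url):
    """Crude registrable domain (last two labels); no public-suffix list is used offline."""
    host = urlparse(host_or_url if "://" in host_or_url else "http://" + host_or_url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Return the sorted list of indicator tags found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    tags = set()
    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = registered_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg["Subject"] or "")) or URGENCY.search(text):
        tags.add("urgency")
    if CREDENTIAL_ASK.search(text):
        tags.add("credential-request")

    # Sender checks: replies routed elsewhere, or a brand name fronting a lookalike domain.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and registered_domain(reply_to.rpartition("@")[2]) != from_dom:
        tags.add("reply-to-mismatch")
    for brand, domains in BRANDS.items():
        if brand in display.lower() and from_dom not in domains:
            tags.add("brand-spoof")

    # Link checks: the visible text names one site while the href goes to another.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, shown in parser.links:
            if HOST_RE.match(shown) and registered_domain(shown) != registered_domain(href):
                tags.add("link-mismatch")

    # Attachment checks: the final extension decides, and a decoy extension before it is a red flag.
    for part in msg.iter_attachments():
        parts = (part.get_filename() or "").lower().split(".")
        if len(parts) > 1 and parts[-1] in RISKY_EXT:
            tags.add("risky-attachment")
            if len(parts) > 2 and parts[-2] in DECOY_EXT:
                tags.add("double-extension")
    return sorted(tags)


if __name__ == "__main__":
    print("suspicious:", triage(SAMPLE_EML))
    print("benign:", triage(BENIGN_EML))
```

Each tag is one of the signs described above; in practice a message with two or more of them is worth quarantining for review rather than delivering. The registrable-domain helper is deliberately crude (it takes the last two labels, so it would misjudge hosts under suffixes like co.uk), which is the kind of gap a real mail filter closes with a public-suffix list.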
How Can TAG Help You With a Risk Assessment and IT Support?
Understanding your risk can help you keep phishing, social engineering, and other cyberattacks at bay. A risk assessment could be exactly what your organization needs to improve security. And ongoing IT support can allow you to rest easier knowing your systems are being monitored for cyberthreats at all times, you have access to disaster recovery services, and you have top-notch resources to protect your business, customers, and bottom line.