Phishing is a well-known type of social engineering attack, and yet an estimated 80,000 people fall for phishing scams every day.
These malicious emails or texts look like they are from legitimate sources, but they attempt to trick users into giving up personal data such as credit card numbers or login credentials. Some even install malware that can wreak havoc on a company network and cost the company a fortune in cleanup, fines, and lost customers.
Depending on the permissions granted to an affected account, a successful phishing attempt could give an attacker access to the organization’s most sensitive databases and applications or, in the case of a ransomware attack, allow them to encrypt business-critical data or expose it if a ransom isn’t paid.
In recent years, ransomware attackers moved away from email in favor of exposed public-facing servers and vulnerabilities in enterprise networks, but security experts are now seeing a resurgence in email-delivered ransomware. Email-borne fraud more broadly remains the costliest category of cybercrime: the FBI’s Internet Crime Complaint Center reports that business email compromise (BEC) alone resulted in $1.7 billion in reported losses for U.S. companies in 2019.
Signs You Might Be Getting Phished
Cybercriminals are constantly changing their tactics, but there are a few telltale signs that an email may be a phishing scam. Malicious emails often appear to be “from” a known or trusted source, such as a bank, credit card company, social networking site, or online store. The display name alone proves nothing, so look at the actual sender address: it may closely resemble the legitimate company’s address but with discrepancies such as slight spelling differences (a digit 1 in place of a lowercase l), missing letters, or altered punctuation, such as a hyphen where a period belongs (login-example.com instead of login.example.com).
Other red flags to watch out for include:
- Generic greetings or signature
- Spoofed hyperlinks and websites
- Poor spelling and grammar
- Poor formatting
- Suspicious attachments
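To make the sender-address and spoofed-hyperlink checks above concrete, here is an added Python example (not part of the original article, and not an Arcserve or Sophos tool) that runs those two checks over a constructed sample message: it compares the sender’s domain against an assumed allow-list of trusted domains using edit distance, so near-misses such as a swapped character or a dropped letter are caught, and it flags links whose visible text names one host while the href points somewhere else. The trusted-domain list and the sample email are assumptions for illustration.

```python
"""Two of the red flags above, checked mechanically over a constructed sample
message: a sender domain that is a near-miss of a trusted domain, and HTML
links whose visible text names a different host than the real href.
Added example; the trusted-domain list and the sample email are assumptions."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the organization legitimately gets mail from.
TRUSTED_DOMAINS = ("example-bank.com", "shop.example.com")

# Constructed sample: the display name looks right, but the domain swaps "l"
# for "1" and the visible link text does not match where the href points.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: user@corp.test
Subject: We've noticed suspicious activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Sign in at <a href="https://login.example-bank.com.verify-account.net/">https://login.example-bank.com</a> to confirm.</p>
<p>Questions? Visit our <a href="https://example-bank.com/help">help center</a>.</p>
</body></html>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain this one is a near-miss of, else None.
    Exact matches and legitimate subdomains are not flagged."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    dist, best = min((levenshtein(domain, t), t) for t in trusted)
    return best if 0 < dist <= max_dist else None


def host_of(url):
    """Lower-cased hostname of a URL; bare domains get a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown host, real host) for links whose URL-like text lies."""
    parser = LinkCollector()
    parser.feed(html)
    return [(host_of(text), host_of(href)) for href, text in parser.links
            if URL_LIKE.match(text) and host_of(text) != host_of(href)]


def analyze(raw_email):
    """Run both checks over a raw RFC 5322 message and summarize the result."""
    msg = message_from_string(raw_email, policy=default)
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    look, links = lookalike_of(sender_domain), mismatched_links(html)
    return {"sender_domain": sender_domain, "lookalike_of": look,
            "mismatched_links": links, "suspicious": bool(look or links)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Neither check is a substitute for a mail gateway, and the edit-distance threshold will produce false positives against short or similar legitimate domains, so treat a hit as a reason to look closer rather than a verdict.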
Once opened, the email copy prompts the recipient to click a link or open an attachment to complete an action. Some common phishing prompts include:
- We’ve noticed suspicious activity on your account
- There is a problem with your billing or payment information
- We need you to confirm your personal information
- You need to pay this invoice
- Click this link to make a payment
- You are eligible to receive a refund from the government
- Claim your prize or free item
What to Do If You Get a Phishing Email
Cybercriminals are adept at getting past spam and malware filters, so it’s likely you will occasionally find a phishing email in your inbox. If you do receive a suspicious-looking email, do not reply to it, click any links, open any attachments, or give out any information. Report it immediately to the appropriate IT security administrator in your organization, using your mail client’s report-phishing feature or forwarding it as an attachment so the original headers are preserved, so they are aware of the attempt and can deal with it appropriately.
What to Do If You Fall for a Phishing Scam
With a global pandemic on everyone’s mind and the constant barrage of distractions to navigate when working from home, there is an increased chance that you or someone in your organization will click a bad link or be tricked into revealing sensitive information.
It’s important that all employees are educated on cyber hygiene and that they know what steps to take if they fall for a phishing scam. The most immediate actions to take after an attack include:
- Report the incident to the appropriate people immediately
- Disconnect from the network
- Isolate infected computers
- Change passwords
- File a report with the Federal Trade Commission if appropriate
Tips to Avoid Being the Victim of a Phishing Attack
Phishing is on the rise in the wake of COVID-19, and many of the attempts use pandemic-focused messaging to trick users. Following a few best practices can help employees avoid being a victim of a cyberattack and protect your organization’s data and applications from exposure or loss.
- Be suspicious of unsolicited phone calls, emails, or texts asking for internal information
- Do not provide personal information or information about your organization, including its structure or networks
- Do not reveal financial information in email
- Do not click links in emails asking for personal or financial information
- Do not send sensitive information over the internet before checking the website’s security (e.g., https, padlock), and remember that a padlock only means the connection is encrypted; many phishing sites use HTTPS too, so verify the domain name itself
- Do not attempt to verify a suspicious email request by using the contact information in the email
Investing in a comprehensive cybersecurity and data protection solution is a highly effective way to save your organization from the expense and headache of cleaning up after a cyberattack. Look for a solution that combines signature-based and signatureless malware detection, deep learning, and anti-exploit technology so your systems are protected from both known and unknown threats.
Because you never know how much or what kind of damage a cyberattack will do, it’s crucial to select a comprehensive solution that integrates cybersecurity and data protection, like Arcserve solutions secured by Sophos. Download Your Guide to a Ransomware-Free Future to learn more about how comprehensive cyber and data security can protect your organization from both today’s and tomorrow’s cyberthreats.