Understanding and Avoiding Phishing Attacks

by Jesse Connolly

If you want to partake in an eye-opening little exercise, open your contacts list and scroll through the first 100 entries. What would you say if I told you 97 of those names were a cybersecurity threat?

According to extensive research by Intel, only three out of every 100 people can successfully identify a phishing email.

If you’ve managed to avoid falling for social engineering – the psychological manipulation that takes place when a hacker attempts to trick or even scare you into downloading a malicious file or coughing up sensitive data like your log-in credentials – it’s likely the same can’t be said for everyone throughout your organization.

We are all emotional beings in nature, and that’s exactly what social engineering preys on, with phishing emails striking fear into us with messages about our mailboxes being deleted or accounts being suspended, or they pique our curiosity, telling us we’ve got a package on the way, or a new comment on our LinkedIn page.

We let our guard down. We click. We fall right into the trap.

Most professional outlets have a number of safeguards in place to help thwart these dangers, from antivirus software to spam filters, but the individual isn’t just the last line of defense; he or she is the most important one.

There are a handful of steps you can take to avoid falling for social engineering, namely phishing emails.

1. Don’t trust the display name. Anyone can change their display name to something other than their given name. For instance, I could sign into Office 365 and say my name is Bank of America Support. Look for their actual email address. You can do so in Outlook by double-clicking on the sender’s name.
2. Look but don’t click. Hover over the link before clicking on it. If it doesn’t point to a corresponding website, it’s almost certainly no good.
3. Check for typos. Hackers have made big strides on this front, but if something is rife with typos, that’s usually a tell-tale sign.
4. Analyze the greeting. If Bill always says “hey” but suddenly his email begins with “Dear friend”, that should set off your alarm bells.
5. Don’t fork over personal info. This isn’t limited to your social security number. If you’re not talking to a trusted source, don’t tell them things they don’t need to know.
6. Be leery of threatening language in the subject line. Sometimes immediate action is genuinely required, but this is a very common tactic when it comes to phishing emails. Don’t panic. Make sure it’s legitimate correspondence.
7. Review the signature. We’ll use Bill again from earlier. If he never signs emails with “Warmest regards,” something’s not right. For emails from the likes of Microsoft, DocuSign, inspect their signatures, including logos. But also note that these can be forged, too.
8. Don’t click on attachments you weren’t expecting. Viruses, malware and the like can hide in any file type other than .txt. That means Word documents and even PDFs can be used to wreak havoc on your machine upon being downloaded.

As the people development manager of network coverage, it is important that I train our techs on how to best leverage our tools, which include robust anti-malware and email filtering solutions, to protect our clients. It is also important for me – and our team, as a managed service provider as a whole – to properly educate users on how to identify and avoid falling for phishing emails.

Scrutinizing every email that comes in may sound tedious, but it’s a small price to pay if it means avoiding being among the 97% that fall for the ruse and put their personal data, their company’s data, finances and reputation in danger.

If you have any questions about the security of your company’s data or the behaviors of your users, feel free to reach out.  We’re always happy to help.

Jesse Connolly is the people development manager at Network Coverage,  a managed IT service for small businesses.