
Ways to Prevent Phishing Attacks

Phishing attacks are a common type of cybercrime that organizations deal with. It's important to know how to stop these scams.

A Digital Guardian report says 90% of data breaches happen because of phishing. Venari Security found that organizations lose about $181 (£150) for each piece of personal information stolen in online scams.

So, what can you do to avoid falling for phishing attacks? In this blog, we'll share our top ten tips.

Ways to Prevent Phishing Attacks


1. Be careful when clicking on links or downloading attachments.

Scammers use various tricks to deceive people. Some fake messages might seem like security warnings, while others offer big discounts at online stores.

No matter what these messages look like, they aim to trick you into clicking harmful links or downloading infected files.


MailGuard found an example where the message looks like a security alert from Netflix.

So, it's important to be cautious when an email tells you to click a link or download something.

Not every message with a link or attachment is fake. There are many valid reasons someone might send you these. But these requests are often signs of a phishing email.

If you get such a request, take it as a warning and watch for other signs of phishing emails.

2. Use multi-factor authentication (MFA).

In many phishing scams, attackers try to get your password to access your account. They often do this with fake links or attachments, as we discussed earlier.

A fake link might ask for your login details directly. A fake attachment might install a keylogger, which is malware that tracks what you type to steal your login information.

Even if your password is strong, it won't help if you give it to scammers.

That's why MFA is so important. It adds a second layer of security to your login process. You need to provide a second piece of information, along with your password, to log in.


A typical MFA system will ask for another set of credentials after you enter your password.

The most common extra factor is an OTP (one-time password) sent to your phone or email. Some systems use hardware tokens, which are USB-like devices that generate OTPs. Others use biometric data, like fingerprint scans or facial recognition.

Hardware tokens and biometric data are more secure because they require either possession of a physical device or the person's physical presence to log in. But they can be costly to set up. With biometric data, organizations must also handle sensitive information, which is risky if it is exposed.

When you set up MFA, think about which method balances user security with your information security risks.

3. Use antivirus and anti-malware software.

Antivirus and anti-malware programs are essential for preventing phishing attacks.

They do two important things to fight against scams. First, they warn you if an email has an attachment from an unknown sender, reminding you that it could contain malware.

Second, if you do open the attachment, the software scans it for anything suspicious before it can run.

It's no surprise that antivirus and anti-malware software are popular tools for both organizations and individuals.

There are many products available. While paid programs have been popular, many operating systems now include built-in antivirus tools like Windows Defender, which are good at detecting scams.

4. Stay updated on the latest trends.

Scammers often use current events to create phishing schemes. For example, during tax season, there's usually a rise in phishing attacks pretending to be from HMRC or the IRS.

They also use news stories or popular events, like sports events or elections, to lure people into their scams.

By using topics that are already on people's minds, scammers make their attacks seem more legitimate. People are less likely to see the message as a random email and might even connect it to earlier discussions from trusted sources.

Luckily, people are quick to share these scams to warn others. IT Governance, for instance, shares the latest phishing trends in their "catches of the month" feature.

It's important to watch out for these alerts so you can be ahead of the scammers.

5. Use a password manager.

Using weak passwords is a big mistake when fighting phishing. Reusing the same password for multiple accounts puts you at risk.

Phishing emails often try to get your login details. They might send you to a fake website where you're asked to enter your username and password.

Attackers then use these credentials on other sites, like online banks, where you store important information.

To stay safe, use unique passwords for each account. It can be hard to remember them all, so a password manager can help. It creates strong, unique passwords for you and stores them securely.

6. Don’t share sensitive information.

Sharing your password with others is a big mistake. Even if you trust the person, it defeats the purpose of having a password and can lead to serious issues.

For example, if a colleague asks for your password to access a software system, you might think it's harmless to share it. But if something goes wrong while they're using your account, you'll be held responsible.

Worse, the request might not even be from your colleague but from a scammer who tricked you into sharing your password. They could then access the system and cause damage.

Never share your password with anyone. If someone needs access, either do the task for them or direct them to someone who can set up their own login.

7. Enable spam filters.

Spam filters help identify phishing emails. Like antivirus software, they warn you about suspicious emails from untrusted senders.

While most spam is harmless and easy to recognize, spam filters also block more sophisticated phishing scams that are harder to spot.

8. Be cautious of unexpected phone calls or texts.

Phishing isn't just about emails. Scammers also use phone calls ('vishing') and text messages ('smishing').

Phone calls can be especially dangerous because scammers can sound convincing and create a sense of urgency. This pressure makes it harder to think clearly and verify the request.

Similarly, smishing scams use text messages to exploit the urgency and the limited information the format provides. Unlike fake emails or calls, scammers don't need to replicate a specific style or form in text messages.


In this example, as seen by Proofpoint, the scammer includes a link to a fake website.

Scammers find it easy to trick people because even real messages often contain only a phone number, a short message, and a shortened URL. This makes it easier for criminals to copy real messages and deceive people.

To avoid smishing attacks, be very cautious with unsolicited text messages that ask you to take action. The message might ask you to follow a link, as in the example, or it might simply ask you to reply, to test whether you will respond.

If you're unsure if a message is real, find a trusted contact number for the organization and ask them to verify the request.

9. Regularly check your bank statements.

Scammers often try to steal money directly by compromising payment card information.

You might not always prevent this, as scams are getting more sophisticated. But you can catch them early by reviewing your bank statements for any large, unauthorized transactions.

Scammers often try to hide the money's source by buying online gift cards and then returning the items for a refund.

Checking your bank accounts regularly can help you quickly spot these fraudulent activities and freeze the compromised accounts.

10. Staff training is crucial.

In organizations, training employees is the best way to prevent phishing attacks. Your employees are the last line of defense against scams, and how they respond to phishing emails determines the security of your data.

We've talked about tools like antivirus software, spam filters, password managers, and two-factor authentication, but they only work if used responsibly.

Employees need to understand the threat of phishing and know how to spot a malicious message. They should also be familiar with your organization's information security policy and follow the guidance you provide.

IT Governance offers staff awareness training to help you and your team deal with phishing threats effectively.


This 45-minute course was created by experts and includes real-life examples to illustrate the threat of phishing and the techniques used by cyber criminals.

With our interactive learning and online assessment tools, you can ensure that your staff actively participate and understand how to protect their sensitive information and prevent data breaches.
