6 Tips to Spot a Phish

Nathaniel Fair

October is National Cyber Security Awareness Month. At CBTS, we spend our whole year talking to customers about how to improve their organizational security practices, but in October, we use the increased attention to focus on some of the most effective things individuals and companies alike can do to protect themselves and their data.

Side note: be sure to get a card and something nice for the cyber security professionals in your life! I happen to like anything chocolate, just FYI.

So what is Phishing?

Phishing is an attempt to obtain sensitive information from a user by pretending to be a legitimate entity, most often through email. In a typical phishing scenario, attackers disguise themselves as legitimate organizations, such as your bank, a social media site, or technical or customer support, and attempt to extract information from you by asking you to click hyperlinks inside the email, reply to the email with personal information, or download attachments that can then infect your computer.

Below we will examine an example phishing attempt using the tips we cover.



1. Healthy Suspicion and Common Sense

One of the easiest and quickest ways to determine the legitimacy of an email is to use your brain. When you receive an email promising you easy money, telling you your bank accounts have been frozen, urging you to act immediately, or telling you you've violated the law, stop and take a moment to consider the likelihood of this email being real.

Below are a few quick and easy questions to ask yourself when you believe an email may be a phish:

  • Am I expecting this email?
  • Does the email contain noticeably bad grammar, threats, and promises of easy money?
  • Is this email asking me to click on a link or download an attachment?
  • Is this email asking me for personal information?

Example: Notice the grammatical mistakes.


2. Hover, Don't Click!

Often, a link in an already suspicious-looking email is itself a sign of a phish. If you did not explicitly ask for a link and the email arrives out of the blue, be cautious. The visible link may appear to point to your bank, your social media accounts, or even your employer, but it's important to never trust these links.

  • 1. What to look out for: Unsolicited links in emails. If you aren't expecting or didn't ask for the link, do not click.
  • 2. How to spot and verify: Hover, don't click, over the link and look for the real destination address. The real destination address may appear next to the link or near the bottom of the window.
  • 3. What to do instead: Never click on any link inside an email that you aren't expecting.

Instead of clicking on the link, hover your mouse over the link, which will reveal the actual address. The real address may reveal itself next to the hyperlink or in the lower left-hand corner of your browser.

Example: Notice when the mouse is hovered over the link, the visible link says Secure Online portal but the real URL is revealed as https://YouShouldNotHaveClickedThis!.com
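As an added illustration of this tip (example code, not part of the original post), the following Python check does for a whole HTML email body what hovering does for one link: it lists the real destination of every link and flags any whose visible text names a different host than the real address, or whose real destination lies outside the domain the email claims to come from. The sample email body, the bank domain examplebank.com and the lookalike evil-example.net are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a fake "frozen account" notice claiming to be from examplebank.com.
SAMPLE_BODY = """
<p>Dear User, your account has been frozen.</p>
<p>Log in at <a href="https://login.examplebank.com.evil-example.net/verify">
Secure Online portal</a> immediately.</p>
<p>Or visit <a href="http://198.51.100.23/x">https://www.examplebank.com</a></p>
<p>Questions? <a href="https://help.examplebank.com/faq">Help center</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _host(value):
    """Hostname of a URL, lower-cased and without a leading 'www.' ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_deceptive_links(html_body, claimed_domain):
    """Return (visible text, real host, reason) for each link not to be trusted; claimed_domain is the sender's domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        if not real:  # mailto:, javascript: and relative links carry no host to judge
            continue
        # Compare hosts only when the visible text itself looks like a URL or domain.
        shown = _host(text) if " " not in text and "." in text.strip(".") else ""
        if shown and shown != real:
            findings.append((text, real, "visible URL names a different host"))
        elif real != claimed_domain and not real.endswith("." + claimed_domain):
            findings.append((text, real, "destination is outside the claimed domain"))
    return findings
```

Run against the constructed body with claimed domain examplebank.com, the "Secure Online portal" link is reported as pointing outside the bank's domain and the link showing the bank's own URL is reported as really pointing at a bare IP address, while the genuine help link passes.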


3. Be Wary of Attachments

Attachments are a very common tactic scammers use to try to install malicious software on your computer. Attachments may contain malware that can steal your personal information, compromise your machine entirely, and even infect other machines. Attachments are also frequently used for legitimate purposes, so it's important to be cautious and only download attachments from senders you are expecting them from.

If a contact's computer is infected, it could be sending mail to infect yours too. Some attackers can also forge the sender so an email appears to have come from your boss, so be careful with attachments.

  • 1. What to look out for: Emails asking you download attachments you aren't expecting, even if you know the sender.
  • 2. How to spot and verify: Make sure the attachment and sender are both expected. Even if the email appears to be from your boss, if you aren't expecting it, it may be a phishing attempt.
  • 3. What to do instead: Never download an attachment from an email that you aren't expecting. If you are unsure, give the sender a phone call, talk to them in person, or email them separately to verify whether or not they sent you the attachment.

Example: Notice the attachment. Why would your bank be sending you a spreadsheet?


4. Look Out For Macros!

Exercise extreme caution with macros when viewing Microsoft Office documents. Though macros have practical business uses and are widely used, they can cause irreparable harm to an individual or an entire organization. When you receive a macro-enabled Office document, whether that's an Excel spreadsheet or Word document, be very cautious. Just like downloaded attachments, macros can give an attacker all the room they need to completely take over your machine and cause harm to you and your organization.

Even if you're expecting an email with an Office attachment, you should still exercise caution. Enable macros in an Office document only if you are explicitly expecting a macro-enabled one.

For example, if your boss tells you he will be sending you an Excel spreadsheet later in the day, that spreadsheet is probably safe.

  • 1. What to look out for: Macro-enabled Office documents. Even if you know the sender, be cautious.
  • 2. How to spot and verify: If you aren't expecting a macro-enabled Office attachment, be extremely cautious. You should only download attachments you are expecting.
  • 3. What to do instead: To be safe, verify with the sender that their document had macros enabled.


5. Don't Talk To Strangers!

One of the biggest red flags pointing towards a phishing attempt is a request for personal information, either by filling out a form in your browser or by replying to the email itself. With the information often requested by scammers, such as your mother's maiden name or the last 4 digits of your social security number, attackers can almost certainly take control of your account by calling up your bank and providing this personal information.

Almost all legitimate organizations will address you by your first name, never as "Dear Customer/User". Remember, it is extremely unlikely that a bank or any other legitimate organization will request such personal information from you through an email.

  • 1. What to look out for: Emails asking you to fill out or respond with personal information about yourself or online accounts.
  • 2. How to spot and verify: If an email is asking about details you wouldn't give to a stranger, do not click on any links or respond.
  • 3. What to do instead: Never click on a link or respond to an email requesting personal information. Your bank will almost certainly never request personal information over email.

Example: Notice the greeting "Dear User". A real bank or institution will always address you by your real name.


6. What's The Rush?

A phishing email may try to invoke a sense of urgency or fear. This may come in the form of email subjects such as "IMMEDIATE ACTION REQUIRED" or "WARNING: ACCOUNT SUSPENDED". While these may be the subjects of authentic emails, scammers will often try to make you a victim by deceiving you into acting quickly and without stopping to think.

Often included in these emails are links to click on, but instead of immediately reacting to an email, stop and think. Is this email trying to scare me or make me worried? Is there also a link in this email?

  • 1. What to look out for: Emails asking you to act immediately or attempting to frighten you.
  • 2. How to spot and verify: Carefully examine any email purporting to be from your bank or other financial institutions. These organizations will rarely include links in their emails. Hover, don't click, over the link and look for the real destination address. The real destination address may appear next to the link or near the bottom of the window.
  • 3. What to do instead: Never click on any link inside an email that you aren't expecting. Instead, log in manually to your bank account or the account in question to verify any claims.

Example: Notice the invoked sense of urgency and the grammatical mistake.


Well, that's all for now, folks. Remember, practice common sense, and when in doubt, don't click on any links and follow up manually with the sender. By following these simple steps, you greatly decrease your chance of falling victim to a phishing email.

So enjoy National Cyber Security Awareness Month!
