How many times a day do you get an email with a link to a website? Chances are high that you see a lot of these emails, day in and day out. This may go a long way in explaining the upswing in phishing emails.
What is phishing?
Phishing is the attempt to obtain something of value (login credentials, money, personal or business data) by posing as a trustworthy entity in an electronic communication, usually email, and either asking for the information outright or leading the intended victim to a website that harvests whatever they type into it or attempts to install malware on their computer or phone.
What can happen if I fall for a phishing email?
A common phishing scam looks like this: The intended victim receives an email that appears to be from an entity known to the user. Often there is a social engineering angle to the content of the email that attempts to make you more likely to react impulsively.
For example, you might receive an email that appears to be from InternalIT@yourcompanyname.com telling you that your company internet access will be suspended unless you click a link and re-enter your login credentials. The link may look legitimate, but in an HTML email the text you see and the address the link actually opens are two separate things. If you hover over the link with your mouse, your email client or browser will show you the real destination, which in a phishing email is typically a look-alike address rather than your company's own. If you click the link anyway, you may be taken to a web page that looks authentic, with all the right logos and so on, but once you enter your login credentials there, someone else has them and can use them to log in as you and reach your network and the data it contains.
Another common phishing practice is to send what appears to be an unexpected invoice for a large amount, which can put you off your guard. Electronic document signature services are another favorite for impersonation: scammers mimic these services and present you with a link to a site where you supposedly can view and sign the document electronically. This strategy tries to take advantage of your natural curiosity.
Alternatively, the website may simply download malware to your computer, which can give attackers a foothold on your network, or encrypt your network's files and post a demand for payment to recover them (ransomware). Some sites do both: steal your credentials and install malware.
How do I protect myself?
The first rule is to think twice before clicking on ANYTHING in an email. A few things to think about:
- Is the email unusual? In the case of the example above, does your IT department ever send emails that ask for your login credentials?
- Are there obvious spelling or grammatical errors in the email? This used to be an easy way to identify a bogus email, but the bad guys are getting better at this all the time.
- Do links in the email go to where they say they do? Hover over every link to see where it really goes, and don't be reassured just because some of the links are valid. A phishing email purporting to be from a known entity often includes links to real pages on the site it is impersonating (privacy notices and the like), while the one link it actually wants you to click is the one that does harm.
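The hover check above can be done programmatically for a whole message. The following is an added example, not code from the original article: it parses an HTML email body, lists each link's visible text beside its real destination, and flags the two tells described above, link text that names one host while the href points to another, and hosts that merely contain the impersonated company's name without belonging to its domain. The sample email and all domain names in it are constructed for illustration; the "registrable domain" check is a plain suffix match, not a full public-suffix lookup.

```python
"""List where an HTML email's links really go, the way hovering over them does.

Added example, not from the original article. The sample message and domains
below are constructed; `belongs_to` is a simple suffix match, not a public
suffix list lookup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the scenario from the article. The privacy link is
# genuine, the "re-enter your credentials" link is not, and the last link
# goes through an unrelated redirector.
SAMPLE_EMAIL = """
<html><body>
<p>From: InternalIT@yourcompanyname.com</p>
<p>Your internet access will be suspended unless you
<a href="http://yourcompanyname-portal.example/login">
https://portal.yourcompanyname.com/login</a> and re-enter your credentials.</p>
<p>See our <a href="https://www.yourcompanyname.com/privacy">privacy notice</a>.</p>
<p>Questions? <a href="https://bit.example/x7q">Contact IT</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# A hostname as it might be written in link text, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_of(url):
    """Hostname the href actually points to (empty for mailto:, relative, etc.)."""
    return (urlparse(url).hostname or "").lower()


def host_in_text(text):
    """Hostname written in the visible link text, or '' if there is none."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (whole-label match)."""
    return host == domain or host.endswith("." + domain)


def analyze_links(html, brand_domain):
    """One record per link, with the reasons (if any) it looks suspicious."""
    brand = brand_domain.split(".")[0]
    findings = []
    for text, href in extract_links(html):
        host = host_of(href)
        shown = host_in_text(text)
        reasons = []
        # Tell 1: the text shows one host, the href goes to another.
        if shown and shown != host:
            reasons.append("text says %s, href goes to %s" % (shown, host))
        # Tell 2: the destination is not the brand's domain at all.
        if host and not belongs_to(host, brand_domain):
            if brand in host:
                reasons.append("lookalike: contains '%s' but is not %s" % (brand, brand_domain))
            else:
                reasons.append("off-domain: %s" % host)
        findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, "yourcompanyname.com"):
        status = "SUSPECT" if f["reasons"] else "ok"
        print("%-7s %-45s -> %s" % (status, f["text"][:45], f["href"]))
        for reason in f["reasons"]:
            print("        " + reason)
```

Running it against the sample prints the privacy-notice link as ok and the other two as SUSPECT, the login link for both reasons at once: its text names portal.yourcompanyname.com while the href goes to yourcompanyname-portal.example, a host that contains the company name but is not under yourcompanyname.com. Links with no hostname in the text and no brand in the host (the redirector) are still reported as off-domain, because a shortener hides the final destination and deserves the same caution.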
If you’re in doubt about an email and not sure whether it’s legitimate, check it out. If the email appears to be from an individual, contact them to confirm that they sent it. Very important: do not reply to the original email, because a reply goes to whatever reply address the sender set, which may not be the person named in the message. Instead, contact the alleged sender in a separate email or by some other means, such as a phone number you already have. If the email appears to be from an organization that you have an account with, log into your account there directly by typing the address or using a saved bookmark, rather than following the link in the email. If the suspect email is legitimate, chances are good that you’ll find the same notice or invoice on the real website. If not, you may have received a phishing email.
The bottom line is that phishing is one of the easiest and quickest ways for the bad guys to get into your system—it costs them virtually nothing, and the payoffs can be significant. A valid Medicare number plus some supporting medical and demographic info sells for far more on the black market than a credit card number does, as the credit card number can only be used fraudulently for a short time, while medical records can be used to file false claims, potentially for years.
Remember—YOU are the last line of defense—your network security may be military-grade, but it only takes one bad click for your organization to make the evening news.