Coming into contact with phishing scams has become a common occurrence for businesses. The combination of low upfront cost and a high success rate keeps phishing popular. Bad actors rely on phishing as the precursor to many dangerous attacks, such as ransomware, account takeover, and business email compromise (BEC); 9 in 10 cyberattacks start with phishing. While the repercussions of a successful phishing attack can be devastating for an organization, knowledge and awareness can help stop an attack in its tracks through timely detection and reporting. Read on for recommendations on defending yourself and your organization against phishing attacks.
In a typical phishing attack, scammers use legitimate-looking communication, usually email, that asks users to download a malicious file or to visit a phishing site mimicking a legitimate sign-in page, tricking victims into handing over sensitive data such as credentials, financial details, and account information.
Here are some tips to help you spot and stop a phishing scam when it comes your way.
1. Assume links and attachments in suspicious emails are malicious:
Unless you’re sure about the sender, avoid clicking embedded links or opening attachments. Scammers often spoof the addresses of vendors or other third parties to gain your trust. Once you click the link, it might take you to a spoofed website that prompts you to divulge your credentials or account details. If you’re unsure about a link, type the organization’s address into your browser yourself (or use a saved bookmark) instead of clicking the embedded link.
Many scammers also use typosquatted links in phishing emails to target people who are not paying attention. Typosquatting is a tactic in which the scammer registers a common misspelling or lookalike of another organization’s domain (swapping a letter for a similar-looking digit, or burying the real brand name inside a longer hostname) and uses it to steal users’ personal information. Read the whole domain carefully, not just the part that looks familiar. Note that “https” in the address only means the connection to the site is encrypted; it does not prove the site is legitimate, because anyone, including a scammer, can obtain a certificate for a domain they control.
Additionally, avoid downloading attachments from untrusted sources, since opening one can install malware such as viruses, spyware, or ransomware without your consent. That malware can give threat actors access to your systems and data.
Tip: Always cross-check the sender’s address and never open a link or download an attachment from a suspicious email.
2. Don’t automatically assume senders are legitimate:
These days, cybercriminals use tools that spoof a well-known brand’s email address with great accuracy, or they pair a convincing display name with an address that does not belong to the brand at all. If an email asks for sensitive information, contact the sender through another communication channel (using contact details you already have, not ones taken from the email) before divulging anything, rather than replying to the message.
Cybercriminals can also send you email from a colleague’s compromised account, in which case the address itself is genuine. So, if you encounter a potential phishing email, contact the colleague directly, in person or by phone, before replying.
Tip: Communicate directly to avoid falling for phishers’ traps.
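The sender and link checks described in tips 1 and 2 can be automated. The Python script below is an added example, not code from the original article or from any product it mentions: it parses a constructed sample message, classifies the sender address and every link against a hypothetical list of trusted domains (catching homoglyph swaps such as 1 for l, a brand name buried inside someone else’s registrable domain, and near-miss spellings), flags a Reply-To header that points somewhere other than the visible sender, and records whether each link uses https without treating that as evidence of legitimacy. The trusted-domain list, the similarity threshold, the small public-suffix table and the sample email are all assumptions made for illustration.

```python
"""Sender and link checks from tips 1 and 2, applied to a raw email message.

Added example, not code from the original article. The trusted-domain list, the
lookalike thresholds and the sample message below are assumptions for illustration.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the (hypothetical) organisation actually deals with - an assumption.
TRUSTED_DOMAINS = {"examplebank.com", "microsoft.com"}

# Public suffixes under which the registrable domain has three labels.
# A small stand-in for the Public Suffix List; enough for this example.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Substitutions typosquatters use so a fake name reads like the real one at a glance.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "-": ""})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """mail.example.co.uk -> example.co.uk; login.examplebank.com -> examplebank.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Undo the substitutions so examp1ebank.com and rnicrosoft.com compare equal to the real names."""
    name = name.lower().translate(SINGLE_CHAR)
    for fake, real in MULTI_CHAR:
        name = name.replace(fake, real)
    return name


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname taken from a link or address."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    norm_host, norm_reg = normalize(host), normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        norm_trusted = normalize(trusted)
        brand = norm_trusted.split(".")[0]
        # Homoglyph swap (examp1ebank.com), the brand buried in someone else's
        # registrable domain (examplebank.com.login-secure.net), or a near-miss spelling.
        if norm_reg == norm_trusted or (len(brand) >= 5 and brand in norm_host):
            return "lookalike"
        if difflib.SequenceMatcher(None, norm_reg, norm_trusted).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


def inspect_message(raw: str) -> dict:
    """Apply the sender and link checks to one RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    findings = []

    sender_verdict = classify_domain(from_domain) if from_domain else "unknown"
    if sender_verdict != "trusted":
        findings.append(f"sender domain {from_domain!r} is {sender_verdict}")
        # A display name carrying a trusted brand while the address does not is a spoof signal.
        for trusted in TRUSTED_DOMAINS:
            brand = normalize(trusted).split(".")[0]
            if brand in normalize(display_name).replace(" ", ""):
                findings.append(f"display name {display_name!r} impersonates {trusted}")
    # Replies routed to a different domain than the visible sender: classic BEC plumbing.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not the sender domain {from_domain!r}")

    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", errors="replace")

    links = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")
        host = urlsplit(url).hostname or ""
        verdict = classify_domain(host)
        # "https" only says the connection is encrypted; it is not evidence of who owns the host.
        links.append({"url": url, "host": host, "https": url.lower().startswith("https://"), "verdict": verdict})
        if verdict != "trusted":
            findings.append(f"link to {host!r} is {verdict}")

    return {"from": from_addr, "display_name": display_name, "reply_to": reply_to,
            "links": links, "findings": findings}


# Constructed sample message: a typosquatted sender, a mismatched Reply-To and a
# link whose host starts with the bank's name but is registered elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: verify@mail-examplebank-support.net
To: jane@examplecorp.com
Subject: URGENT: confirm your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your online access will be suspended. Sign in now at
https://examplebank.com.login-secure.net/verify to keep your account.
Our security guidance is published at https://www.microsoft.com/security
"""

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

Run as a script it prints four findings for the sample: a lookalike sender domain, a display name impersonating the bank, a Reply-To pointing at a third domain, and a lookalike link. Both links are served over https, which is exactly why the script records that flag but never uses it as a trust signal. Tune TRUSTED_DOMAINS and the 0.85 similarity threshold to your own brands, and replace the tiny suffix table with the real Public Suffix List before relying on the registrable-domain logic.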
3. Look out for generic greetings or appearances
Most organizations personalize their emails to build better relationships with their clients, so an email with a generic salutation, like “Dear sir or madam,” could be a warning sign of a phishing email. Avoid clicking on links and attachments in these emails, and perform proper due diligence before interacting with them.
Tip: If the greeting is generic, treat the email with suspicion.
4. Stay alert for poor spelling and bad grammar:
Another red flag in an email is misspelled words or incorrect grammar. Many phishers are non-native English speakers who use translation tools to draft their emails, leading to grammar or spelling irregularities. Unfortunately, the advent of ChatGPT and GPT-3 is making it easier for bad actors to write believable messages.
Sometimes phishers deliberately use poor spelling and bad grammar to slip past spam filters that match on known phrasing. Several cybersecurity professionals also believe that scammers leave errors in their messages on purpose to weed out careful, aware readers, so that only the most credulous targets respond. You can stay off cybercriminals’ radar by not interacting with the email and reporting it as spam.
Tip: Most companies have an editorial team, so if an email contains obvious errors, it is most likely phishing.
5. Be wary of urgent language and immediate calls to action:
Scammers don’t want to give you time to think, so they create a false sense of urgency to force immediate action. For instance, threat actors send spoofed emails to an employee claiming to be someone in senior management, asking the employee to send sensitive business information right away or to carry out an unsanctioned financial transaction. If you receive an email asking you to take prompt action, contact the sender directly through another communication channel before doing anything.
Tip: Never promptly respond to an email that calls for immediate action. Think, pause, and talk to the sender before taking action.
6. Be extra protective of your personal information:
One of the primary goals of phishers is to steal your personal information, such as your name, email address, job title, phone number, home address, and bank account details. Once they hold that information, they can use it in convincing social engineering tricks to launch targeted attacks against you. Also, never disclose information about your colleagues, remote network access, organizational practices, or strategies to an unknown individual or entity.
Tip: Never provide your personal information unless it’s to a trusted person or website.
7. Make a habit of flagging spam emails
Flagging an email as spam helps your email provider filter mail more effectively, sending similar messages straight to the spam folder or blocking them entirely, which protects you and your colleagues from further attempts. If your mail client offers a separate “report phishing” option, use it, since that routes the message to your security team or provider rather than just hiding it.
Tip: Don’t just delete phishing emails; flag them.
8. Don’t forget that phishing goes beyond email
In the last few years, threat actors have developed many innovative ways, apart from emails, to launch phishing attacks. One is smishing, in which scammers send bogus text messages that appear to come from a legitimate source, such as a bank or a trusted site. These messages also have a sense of urgency and request the recipient to click on a link or reply with personal information.
Another phishing method is vishing, which involves defrauding people over a phone call. Hackers use VoIP to spoof caller IDs, making their calls seem legitimate.
Tip: Don’t provide personal information on a call or through SMS unless you have verified the requester’s legitimacy.
9. When in doubt, contact your IT department
If you encounter a potential phishing email, pass the details to your IT department and flag it as spam. Your IT team can verify the email’s authenticity and instruct you on further action. If you have already clicked a link, entered credentials, or downloaded an attachment, make sure the IT team knows, so they can reset passwords and contain any malware quickly.
Tip: Timely reporting of a phishing email to your IT department can drastically reduce the duration and impact of a phishing attack.
10. Utilize phishing simulation software to drive awareness
Phishing simulation software runs exercises that mimic the real-world phishing messages users may encounter, so employees learn to recognize and report phishing attempts in a safe environment. This reduces employee errors and lowers the organization’s cyber risk. Security awareness training reduces a company’s chance of a security disaster by up to 70%.
Source: ID Agent