That is not a typo, nor is it a high society twist on regular fishing. Phishing is by far the #1 most common form of social engineering - a fancy term for when a hacker makes up a really convincing story to trick you into doing something for them or granting them access to private information. Phishing is commonly enacted via email, but you can also be phished by text or phone call (smishing and vishing, respectively).
I’d bet gazillions of dollars that you’ve encountered phishy emails before. These emails often try to bait you into clicking a link or opening an attachment that infects your device with malware. Sometimes phishers are incredibly forward and just straight-up ask you for your credentials or personal information (the audacity!). We’ll take a look at other types of phishing in the future. For now, let’s focus on those dreaded email scams - after all, email is the most common way that cyber criminals enact phishing attacks.
EXAMPLE: A “vendor” emails you an invoice for a purchase, but hold on...something smells phishy. The email address isn’t really your vendor’s email address - it just looks very similar (amy@companyname vs amyb@companyname). In fact, it’s so similar that you didn’t realize it was a spoofed email address until, upon downloading the attached PDF, you’ve accidentally installed malware on your device - or until the real vendor emails you her invoice and you realize you paid a phisher!
How Can You Stay Vigilant?
Cybercriminals are crafty little weasels with a lot of practice playing dirty. Luckily, you’re a fox...or a snake. (Those are both natural predators of the weasel...I had to Google that. Sorry to my middle school biology teacher for not properly memorizing the food chain.)
What I mean to say is that you hold the power to protect your organization. There are a few things you can do to avoid phishing scams:
- Trust, but verify. Before responding to an email asking you to download something or share information, double check the sender’s identity. If your “boss” emails you asking you to transfer money, call them and confirm. Just be sure you use a number you already have saved, not one included in the possibly-phishy email.
- Be wary of links and attachments. While not all hyperlinks or attachments are malicious, this is the most popular way phishers get you. Before clicking a link, hover over it and make sure that the destination URL seems legitimate; if the link has been shortened (such as bit.ly or goo.gl links), proceed with caution, as you have no way of knowing where it’s going to take you. Never download an attachment from a source you don’t know. If you are opening an attachment, hover over the file and see what the extension is. If it’s an .exe extension or an extension type that you don’t recognize such as .lnk, etc. - don’t open it! If your email provider allows, scan any attachments for viruses, every time. Finally, if you’ve downloaded any kind of Microsoft Office file and the program is asking if you would like to “enable macros” or “enable content” - proceed with caution! Enabling macros lets code embedded in the document run, which can compromise your computer.
- If an email is suspicious, report it! Whether your organization provides a “report phish” button in their email client or you need to contact them directly, tag in the IT team by following your organization’s policies and procedures for reporting. It’s best not to forward a phishy email to IT - or anyone else - because it could put them at risk. Instead, email them a screenshot, or call or message them to explain what’s happening and give them a heads up. The last thing you want is an unsuspecting coworker opening the very link or attachment you’re suspicious of.
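The sender, link and attachment checks from the list above, written out as a small triage script. This is an added example, not code from the original post; the contact allow-list, shortener and extension sets, sample HTML and file names are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list and indicator sets for this example (hypothetical values).
KNOWN_CONTACTS = {"amy@companyname.example"}
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = {".exe", ".lnk", ".scr", ".js", ".vbs", ".hta"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def _close(a, b, threshold=0.8):
    return SequenceMatcher(None, a, b).ratio() >= threshold


def lookalike_sender(sender, known=KNOWN_CONTACTS):
    """Return the known contact a sender imitates (amy@ vs amyb@), else None."""
    sender = sender.lower()
    if sender in known:
        return None  # exact match is the real contact
    local, _, domain = sender.partition("@")
    for addr in known:
        k_local, _, k_domain = addr.partition("@")
        # Near-identical mailbox on the same domain, or same mailbox on a near-identical domain.
        if (domain == k_domain and _close(local, k_local)) or (local == k_local and _close(domain, k_domain)):
            return addr
    return None


def link_findings(html):
    """Flag shortener links and links whose visible text names a different host than the href."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = URLISH_RE.match(re.sub(r"<[^>]+>", "", text).strip())  # text that looks like a URL
        if host in SHORTENER_DOMAINS:
            findings.append(f"shortened link hides its destination: {href}")
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


def attachment_findings(filenames):
    """Flag executable/shortcut attachments and macro-enabled Office files."""
    findings = []
    for name in filenames:
        ext = "." + name.lower().rpartition(".")[2]  # last extension wins: invoice.pdf.exe is an .exe
        if ext in RISKY_EXTENSIONS:
            findings.append(f"do not open {name}: {ext} attachment")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"do not enable content in {name}: macro-enabled Office file")
    return findings
```

Any non-empty result is a reason to report the message through your organization's process instead of clicking, replying or paying.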
Bonus Tip! When working remotely, stay off of public WiFi
Be wary of public networks without password protection. Unfortunately, it’s super easy for a savvy hacker to “spoof” WiFi network names. That open network may say “Starbucks,” but is it really? A hacker can name a WiFi network anything they want!
If you’re logging into work accounts on a hacker’s lookalike network, you could be granting them access to your every move. Be wary of notifications for seemingly familiar software updates (like Spotify or your antivirus) that appear while you’re connected to a public network. These could be fake messages injected by a hacker to get you to download malware. They really are sneaky little buggers, aren’t they?
How can you avoid these WiFi scaries? Always use your own personal hotspot or connect to a VPN when you can’t use your own home or office WiFi.
Knowledge is Power!
Weasels (er, hackers) are going to try and trick you, but you hold the power to better protect our organization.
By learning more about phishing attacks, you’re equipping yourself with the knowledge you need to spot bad actors. Even something that seems small - like reporting a phishing email to IT - can go a long way toward keeping your company safe.
This month, keep on the lookout for weekly Slack messages and emails to learn more about phishing scams and how to outsmart them. Knowing what to look out for is a major WIN worth celebrating, so go get that second cup of coffee. You deserve it.