Phishing Emails: Resist the Urge to Click
October is Cybersecurity Awareness Month, established in 2004 and now led by the Cybersecurity & Infrastructure Security Agency (CISA). Given the brutal consequences of poor cybersecurity hygiene for your business and your personal life, every month should be Cybersecurity Awareness Month! Each week, CISA rolls out a new theme, and the focus for this week is “Phight the Phish!”
Phishing attempts have risen sharply in recent years, resulting in compromised accounts, ransomware, lost time and money, and widespread spam and fraud. As more of work and daily life moves online, users should understand the risks and the ways fraudsters try to obtain their information.
What is Phishing?
The term “phishing” should be familiar to most individuals in today’s world. Phishing can be defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers (Oxford Dictionary). Phishing attempts rely on a form of manipulation called “social engineering” to provoke an action from the targeted user. Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes (Oxford Dictionary). Fraudsters have become steadily more clever in their attempts to get at your accounts, and countering them requires an informed response from the user.
Common lures in phishing and other potentially harmful emails include expired-password notices, invoice or fax attachments, shared folders or files, and credit card or payroll information.
To help a user identify whether an email is “good” or “bad”, there are some general questions you should ask:
- Was I warned about this email by my IT staff?
- Companies with a full-time IT staff are often aware of a phishing email circulating in the company or the industry and will warn the organization. Simply put, read those emails from your IT team. Doing so can save you from an awkward conversation.
- Should I open the email?
- Some phishing attempts are obvious from the subject line and the sender; other times it is hard to tell. Before opening an email, be sure the visible information (sender, subject, and the preview, if your client shows one) checks all of the boxes for a legitimate email. Merely opening or previewing a message can load remote images that tell the sender your address is live, and mail clients have had vulnerabilities that let a malicious message run code when it is rendered, so treat opening a suspicious email as a risk in itself.
- Am I expecting an email from this user?
- An email that appears to come from someone in authority often gets immediate action, which is exactly what a fraudster is counting on. Asking yourself “why” this person would be sending this request is the best way to combat these kinds of phishing attempts.
- Does this email seem legitimate?
- Phishing emails often look real: they use genuine logos and appear to come from someone the user knows. Attention to detail (spelling, tone, and the exact wording of the request) is what picks out a phishing email.
- Did this email come from a known email address or sender?
- Phishing emails often “mask” the sender: the display name shows a familiar person or company while the underlying address belongs to the attacker, and many mobile clients show only the display name. Many companies add a banner warning that a message came from outside the network. A compromised internal account produces no banner at all, and attackers have imitated the banner text inside their own messages to blunt its effect, so the banner is a hint rather than proof either way. Stay alert.
- Does this email require action?
- Some users are “click-happy,” and that is exactly what phishing attempts exploit. Before taking any action, read the email thoroughly.
- What action or information is the email requesting of me?
- Sometimes the request is obvious, such as changing an expired password or accessing a document or file. If the email directs you to a website or tells you to open a file, be cautious before taking that next step.
- Are there any attachments or links in the email?
- Phishing emails often notify you of an expired password or a file you need to view. Before clicking an attachment or link, be sure the email meets all of the criteria of a legitimate email, and hover over each link to confirm that the real destination matches where the link text says it leads.
- Can I verify the validity of this email with the individual?
- If the email appears legitimate, confirming with the sender is another check. Do not reply to the email or use any contact information it contains; use a phone number or address you already have, in case the sender’s email account or phone has been compromised.
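Several of the questions above (who really sent it, whether replies go somewhere else, whether a link says one thing and points to another, whether an attachment is really an executable, whether the subject pushes you to act now) can be turned into mechanical checks that a mail gateway or an analyst script applies before a person reads the message. The Python script below is an added example written for this article, not code from McKonly & Asbury or from any product; the addresses, domains, both sample messages, and the `TRUSTED_DOMAINS` set are constructed for the demonstration, and the documentation ranges `example.*` and `203.0.113.0/24` stand in for real hosts.

```python
"""Flag common phishing indicators in a raw email message.

Added example; all addresses, domains and messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the reader's organisation actually sends from (assumption for the demo).
TRUSTED_DOMAINS = {"example.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk")
URGENCY_WORDS = ("action required", "expires", "immediately", "suspended", "urgent")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed phishing sample: the display name mimics a colleague's address while
# the real sender is a free webmail domain, replies are routed to a third domain,
# the link text hides an IP-literal URL, and the "PDF" is really an executable.
SAMPLE_EMAIL = b"""\
From: "pat.finance@example.com" <pat.finance.example@webmail-free.example.net>
Reply-To: payments-desk@mailer.example.org
To: chris@example.com
Subject: ACTION REQUIRED: invoice payment expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account access expires in 2 hours. Sign in at
<a href="http://203.0.113.7/login">https://portal.example.com/login</a>
to keep access.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed legitimate message from an internal colleague, for contrast.
CLEAN_EMAIL = b"""\
From: "Pat Finance" <pat.finance@example.com>
To: chris@example.com
Subject: Q3 close checklist
Content-Type: text/plain; charset="utf-8"

Hi Chris, the checklist is on the shared drive. Thanks, Pat
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url_or_text):
    """Hostname of a URL; bare 'host/path' text is treated as http."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Who really sent it? Compare the display name with the actual address.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    if from_dom and from_dom not in trusted_domains:
        findings.append(("external-sender", addr))
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != from_dom:
        findings.append(("display-name-mismatch", f"{name!r} vs {addr}"))

    # Replies silently routed to a third address.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = _domain(reply)
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", reply))

    # Link text naming one destination while the href points to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, inner in HREF_RE.findall(html.get_content()):
            text = re.sub(r"<[^>]+>", "", inner).strip()
            if IPV4_RE.match(_host(href)):
                findings.append(("ip-literal-link", href))
            if URL_LIKE_RE.fullmatch(text) and _host(text) != _host(href):
                findings.append(("link-text-mismatch", f"{text} -> {href}"))

    # Executable content disguised behind a double extension.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", fname))

    # Pressure to act now is the social-engineering lever.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(("urgent-subject", subject))
    return findings


def indicator_codes(findings):
    """Just the indicator names, for quick comparison."""
    return {code for code, _ in findings}


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
    print("clean message findings:", phishing_indicators(CLEAN_EMAIL))
```

An empty result does not prove a message is safe: a phish sent from a compromised internal account passes the sender checks, and a link to a look-alike domain passes the link check, which is why the human questions above (was I expecting this, can I verify it out of band) still apply. The script is a filter that surfaces the obvious cases so people can spend their attention on the subtle ones.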
With phishing and other bad emails, one wrong move can create a world of headaches for the user and for the organization. Before you act on that new email, running through the simple questions above can help you identify these messages.
Be Aware, Be Diligent, Remember your training and Resist the Urge to Click. Your IT professional/team will thank you.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and to provide recommendations to detect, respond to, mitigate, and recover from breaches and other cybersecurity events. Please reach out to David Hammarberg at dhammarberg@macpas.com. We can answer any questions and help you determine whether a SOC for Cybersecurity report would be useful for your company.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as…