Did you know? Any time you use a website, mobile application, or even answer a phone call you are at risk of being phished.
Phishing is so prevalent, in fact, that 88% of organizations globally have been the target of at least one spear-phishing attempt aimed at employee information, banking passwords, or other key internal data.
So how do you avoid falling for phishing hook, line, and sinker? Our pentesters have compiled 5 tips you can start implementing today to keep you and your organization safeguarded:
1. Never Give Out Personal Information Online
Remember: your bank would never ask for your banking details via email, and you definitely don’t have a friend in Nigeria who needs a money transfer.
Always be suspicious of anyone asking for banking information; if you are not certain that the person is authorized to ask for it, call them back at a number you look up yourself (the one listed on the company's website, not one given in the message) or provide the information in person. The same goes for your credentials (i.e., username and password) and any other sensitive information.
This is especially true for email, which is one of the most-used communication channels across all industries. Email is not a secure medium: if a company you trust requires sensitive information, they should provide a secure portal for you to enter it. Check the address bar for https and the padlock icon (modern browsers no longer show it in green), but remember what it means: https only encrypts the connection between you and the site, it says nothing about who runs that site, and most phishing pages use https too. Read the domain name in the address bar and confirm it is the company's real domain. Never submit sensitive information to a site that is not protected by https, and never treat https alone as proof that a site is legitimate.
2. Avoid Clicking Suspicious Links
Phishing emails do a great job of spoofing legitimate sender addresses, crafting realistic-looking links, and mirroring the websites you know and trust, which is a large part of why so many anti-phishing strategies fail. A link's visible text may show a legitimate address while its real destination, revealed when you hover over it, is a completely different domain.
If you get an email requesting personal information that you believe is legitimate, still don't click the links; they may send you to a malicious site built to collect your personal information. Instead, type the company's address into your browser yourself and find the content you are interested in manually.
3. Don't Download Attachments
Be suspicious of unexpected emails with attachments, especially if the email body says the file is password protected: encrypting the attachment is a common way attackers keep your antivirus from scanning it. Downloading attachments is fine when you know the sender, are expecting the attachment, and the message is clearly specific to your relationship with that sender. If you receive an unexpected message containing an attachment with only a generic message (even if you know the sender), be wary.
These emails often use scare tactics and a sense of urgency to get you to act; think “URGENT: Someone is sharing this picture of you” or “IMPORTANT: See the attached legal document”. If you open the attachment or click the link, you may download malicious content onto your computer. Best case, you end up with a bunch of pop-ups; worst case, an attacker now has access to your computer or is logging your keystrokes to get into your accounts.
If you receive an email that you aren’t sure of, call the sender and confirm the content of the attachment. They might have had their email compromised and not know.
4. Decline Pop-Ups
Legitimate companies would not market themselves through “pop-up” advertising, and they certainly wouldn’t ask you to hand over sensitive information or download a product from a pop-up window. It is one thing to have a pop-up form on a company's website, but if you are on a website and an unrelated pop-up appears, be suspicious.
This often takes the form of a fake anti-virus alert claiming that your phone or computer is compromised and that you must download its software or app immediately. Many phishing scams rely on exactly these scare tactics to trick users.
5. Stay Skeptical
In general, stay skeptical. If something seems too good to be true, or makes you uncomfortable then don’t click the link, or provide any information. You can often use a Google search to find out if an email or product is a scam.
If a suspicious email comes from a friend or a trusted company, call them and find out if they sent it; it will be good for them to know that someone is either spoofing their email or has compromised their account.
Phishing scams can be very damaging, but these 5 simple tips make them much harder to fall for.
Looking to measure your organization's resistance to phishing? Download your complimentary recording of our in-depth Phishing for Initial Access webinar to learn even more anti-phishing strategies.