Any time you use a website or mobile application, or even answer a phone call, you are at risk of being phished. Phishing is when an attacker attempts to steal your personal information, most commonly passwords and banking information, generally for financial gain. Phishing is an extremely common form of cyber-attack that can be particularly damaging, but it is also very easy to avoid. These 5 simple tips will help you avoid being phished:
1. Never Give Out Personal Information
Remember, your bank would never ask for your banking details via email, and you definitely don’t have a friend in Nigeria who needs a money transfer. Always be suspicious of anyone asking for banking information. If you’re not sure, call them back at the number listed on their website, or provide the required information in person. Avoid giving out details over the phone unless you initiated the call; no one should ever call you asking for banking details. The same goes for your credentials (i.e., username and password) and any other sensitive information.
Email is not a secure medium. If a company you trust requires access to sensitive information, they should provide a secure portal for you to enter it. A secure website has a green “https” on the left, before the URL. Never submit sensitive information to websites that are not protected by https.
2. Avoid Clicking Links
Phishing e-mails do a great job of spoofing legitimate addresses, creating realistic links, and mirroring the websites you know and trust. In some cases, the link may appear to be from a legitimate website, but when you mouse over, it is actually linked to a completely different domain.
If you get an email requesting personal information that you think is legitimate, don’t click its links, because they may redirect you to a malicious website that attempts to collect your personal information. Instead, browse to the company’s website yourself and search for the content you’re interested in.
3. Avoid Downloading Attachments
Be suspicious of unexpected e-mails with attachments, especially if the e-mail body indicates the file is password protected. This is a common method attackers use to avoid being detected by your antivirus. Downloading attachments is fine when you know the sender, are expecting attachments, and the email you receive seems very specific to your relationship with the sender. If you receive an unexpected message containing an attachment, with a generic message (even if you know the sender), be wary.
These emails often use scare tactics and instill a sense of urgency to get you to act. They may sound like “URGENT: Someone is sharing this picture of you” or “IMPORTANT: See attached legal document”. If you click the link, you may download malicious content onto your computer. In the best case, you end up with a bunch of pop-ups on your computer; in the worst case, a hacker now has access to your computer or is logging your keystrokes to gain unauthorized access to your accounts.
If you receive an email that you aren’t sure of, call the sender and confirm the content of their attachment. They might have had their e-mail compromised and not know.
4. Avoid Pop-ups
Legitimate companies would not market themselves through “pop-up” advertising, and they certainly wouldn’t ask you to hand over sensitive information or download a product from a pop-up window. It is one thing to have a pop-up form on a company’s website, but if you are on a website and an unrelated pop-up appears, be suspicious.
This often comes in the form of anti-virus software claiming that your phone or computer is compromised and that you must download their software or app immediately. Many phishing scams use this sort of scare tactic to trick users.
5. Be Skeptical
In general, be skeptical. If something seems too good to be true, or makes you uncomfortable, then don’t click the link or provide any information. You can often use a Google search to find out if an email or product is a scam. If a suspicious email comes from a friend or a trusted company, call them and find out if they sent it; it will be good for them to know that someone is either spoofing their e-mail or has compromised their account.
Phishing scams can be very damaging, but can be easily avoided using these 5 tips. If you want to measure your company’s resistance to phishing attacks, contact us; we’d be happy to help.