Phishing and its derivative attacks are without a doubt the most successful method of perpetrating data breaches. These social engineering attacks come in many forms, but each one targets the weakest link in your security chain–humans. The best device and network security solutions are immediately compromised when an employee willingly hands over login credentials, no matter how unwittingly they do so. Identity theft is also one of the fastest-growing areas of cybercrime, and phishing is a prime avenue to target victims for that as well.
What Is Phishing?
As we mentioned above, phishing is a social engineering attack. It focuses on and exploits natural human tendencies to be cooperative, helpful individuals who are ensuring repeat business by doing their best for their clients. Traditional phishing takes place as an email sent to a person or business masquerading as official communication from an executive, customer, or contractor. This email will entice the recipient to take some form of action whether it be to click on a link, open an attachment, or download a file. In other cases, the email sender’s account may be spoofed to appear to be an internal company account, and for example, may be sent to accounts payable from the CFO directing them to wire money on his behalf as he will be out of phone contact or another contrived circumstance.
In some cases, the ruse ends there. That link or file may have installed malware or a keylogger on the device used, and the next time that a secure system is accessed, the login credentials are immediately transmitted to the cybercriminals. In others, that link may redirect you to a fraudulent website that appears to be your legitimate online banking portal or another website. Once the username and password are entered, the attackers are then free to use them on the real site to access personal or business bank accounts or other sensitive information.
Other types of related attacks are:
- Spear phishing: a targeted attack on a specific person containing information likely to cause them to act
- Whaling: a spear-phishing attack directed at C-suite or executive level employees
- Vishing: social engineering phone calls made through traditional or VoIP phone lines
- Smishing: phishing attacks using text messaging as the attack vector instead of email
These are only four of the most common methods of social engineering or phishing attacks. The possibilities are endless. The notorious grandparent bail payment scam is a straightforward vishing attack, and even the ever-popular Nigerian prince email scam is easily modified by replacing the prince with a real estate purchaser trying to make an escrow payment to a law firm.
How To Prevent Phishing Attacks
Since these attacks all target your human capital, you have to invest in periodic training to keep them up to speed on the threats they may face. Making sure your IT security patches any holes in your system will also go a long way toward shoring up your defenses. Here are 8 specific ways to show you how to prevent phishing attacks against both yourself and your small business.
Never Share Your Credentials
Never. Period. This can’t be overstated. Whether over the phone, through text message, or in an email, no legitimate company or representative will ever ask for your login credentials to be sent to them. That is an immediate red flag that you’re being targeted by a scammer.
Pay Attention to Language
Is the message attempting to convey a sense of urgency, perhaps needlessly? And let your inner grammar snob thrive. Many of these scams are carried out by non-native English speakers. Grammar and spelling errors are another major clue to an inbound phishing attack.
Be Wary of Password Reset Emails
Never click on links in a password reset email. Actually, never click a link in an email that you weren’t expecting in the first place. Even if you were expecting the email link, hover over it first to see if the displayed target site matches the anchor text or not. When it comes to banking or other account login emails, travel directly to the site in question through your browser on your own, and only then should you log in and check your account.
Install a Basic Ad Blocker
Pop-up ads are another threat vector that can literally pop up on a trusted website. Embedded malware on an unsuspecting site can allow pop-ups from cyber criminals that appear to be legitimate and may dupe you into thinking you need to log in again or take similar compromising action. The actions of some ad blockers may cause a phishing website to appear incomplete or otherwise suspicious, and this can aid in your recognition of a possible attack.
Use Updated Antivirus Software
Along with the ad blocker, you’re going to want to add antivirus software as another layer of protection for your systems. Keeping this software up to date is a must. New threat vectors are coming out as quickly as the bad actors can come up with them, and a small investment in your security posture can pay dividends by helping you avoid phishing attacks. This antivirus software can block malware, and keyloggers, and help to detect suspicious sites. It isn’t foolproof, so it’s best used in conjunction with our other suggestions here.
Use Multi-factor Authentication
MFA can help thwart log-in attempts if someone should find themselves in possession of your credentials but only if you don’t share that code. Multi-factor authentication can be successful with both text messages and a stand-alone authenticator app. If you were to use email as a secondary authentication method, then we recommend using a second account not otherwise tied to your credentials for that site.
Inspect URLs
Look to make sure that the URL matches the site that you were attempting to visit and that it’s spelled correctly. Also, check for the small lock icon next to the URL, and you should also verify that it starts with “HTTPS” if it’s supposed to be a secure site. Some phishing sites are able to display the lock icon despite their nature, so again, it’s recommended not to just rely on this method alone.
Be Alert
Share examples of recent data breaches. Encourage your employees to put security first. Don’t share personal information, and most importantly, don’t become complacent. That is when attackers succeed.
Now, these were just a few examples of how to prevent phishing attacks, but if you’re looking for other ways to maximize your sales as a small business owner, we specialize in just that here at E-Marketing Associates. We’re so confident that we can help you achieve your goals and increase sales that we even offer a free online business report that shows you how your business stacks up against your competitors.