There are many types of computer security threats that businesses need to be aware of, but one of the most serious is phishing. This is a method of duping unsuspecting users into giving up key information, such as user names, passwords, credit card numbers, and more. Phishing can be clumsy or very sophisticated, and only through awareness and education can users be armed with the skills they need to detect phishing attempts.
What is phishing?
As its homonym suggests, this is a technique akin to dropping a line with bait into the sea, waiting for something to bite. The line is an email, often sent by the million to random addresses harvested from spammers’ lists; the bait is a story, one that tries to convince the person receiving the email to perform a task. Phishing is a form of social engineering; it’s a con. It tries to get people to believe that the emails are legitimate, and that the action they direct the user to carry out – generally logging into an account – is valid.
These emails often use subtle threats to hook users. They may say that an account has been blocked, or that an expensive order has been placed on their account, or that they need to log into an account to access messages, photos, or notifications. Some may purport to be from the IRS; others may claim to be from banks. Their narrative suggests that if the user doesn’t go through with what is requested in the email – or text message, as that medium can also be used for phishing – then something bad will happen.
What are the risks of phishing attacks?
The stakes are high. Cyber-criminals want to get some of your personal details to be able to liquidate your bank accounts, access your email, or potentially steal your identity. They also may attempt to install malware on your computer; if you log into, say, a website belonging to what you think is your bank, you may be prompted to download special “security” software.
While it’s obvious that getting access to your bank account, PayPal account, or other financial service is serious, it’s much worse if phishers get your email credentials. They can then use your email to reset passwords on many of your accounts, claiming to have forgotten the password. Those emails are sent to you, but if someone else intercepts the email, they can access many of your online accounts.
How to spot phishing emails
In some cases, this is quite simple. These emails may look legitimate, using a design and logo of a company that the receiver may do business with, but with spelling or grammar errors. Here’s one example of a phishing email I received recently:
I do have a Squarespace site, so my initial reaction was that something might be wrong, but it was easy to spot this as a phishing email. The giveaway is that fact that Squarespace is not capitalized, and that the grammar is wrong (“is been suspended”).
But not all phishing emails contain spelling or grammar errors; in fact, many don’t (such as this or this). Look at the from address; in this case, it was clearly not from Squarespace. Then, hover your cursor over the links in the email, especially the link that the phishermen want you to click to log into your account (because some links may be to the real company’s website). On a Mac or PC, you’ll see the actual address this link goes to; as you can see here, this is not to squarespace.com (I’ve blurred it to not show the actual domain that was used).
On iOS or Android, you can tap and hold a link to see what the real address is. While some legitimate links may go to a company’s subdomains – for example, docs.microsoft.com is a subdomain of microsoft.com – phishing links either go to websites that have been hacked, or to numerical IP addresses (such as 192.168.237.6).
The safest thing to do when you receive an email and you are not 100% sure is to go to that website in your browser, by typing its address or using a bookmark, and see if there are any messages or alerts.
Who is targeted by phishing?
Everyone. If you’ve been using your email address for a long time, you’ve likely gotten at least one phishing email today. Phishing is a scattershot attack; even if a tiny percentage of people fall for this technique, it can be quite lucrative.
But there is another technique known as spear-phishing, where a specific individual is targeted, and the attackers tailor their messages to that person. These emails may seem to come from your CEO, your lawyer, your funders, or other partners, and you need to be much more aware of the risks.
Email can be easily spoofed; in other words, the “From” name on an email, and even its address, can be forged. Carefully crafted spear-phishing uses this along with other techniques to make emails look real. If you ever receive an email seeming to be from someone you know with a link that requests that you log into a website, don’t log in. Check the address in your browser, and if it doesn’t look correct, don’t go any further. Also, don’t open any attachments that come with emails; they can contain malware.
What do you do if you’ve been hooked?
If you have fallen for a phishing attack, it’s hard to know how far it can spread. At a minimum, you should change all your passwords for banks and other financial services, and if you’ve logged into any site giving your email password, change that immediately. And turn on two-factor authentication on any site that allows it; this ensures that someone trying to get into your accounts needs more than just your user name and password.
Contact your company’s IT department and let them know. They will help you ensure that your business is protected – they may make you change all your passwords that you use with your business accounts, for example.
Awareness is key to prevent phishing from being successful. Make sure all your employees know how to deal with this type of attack.
Have a question or feedback about this story? Drop us a comment below.