(888) 646-1616

Adelia Risk's Guide to Phishing

What is phishing?
How can you protect your data at home and work?

Phishing is the #1 cause of data breaches. Even with all the technical protection in the world, phishing emails sneak in. Protect yourself and your company by learning more about phishing and how to spot phishing messages.

What is Phishing?

Phishing is a cybercrime where you are tricked into clicking a link or giving up personal information, such as credentials or credit card numbers.

Worried employee watches security alerts and ‘Your password was stolen’—a phishing attack warning.

Phishing emails can seem obvious when they are riddled with typos and grammatical errors. But they can also be sophisticated, convincing and incredibly hard to detect. There are various types of phishing, including whaling, spear phishing, smishing, vishing, angler phishing and more.

Phishing attacks can be devastating to organizations of all sizes. The implications include financial costs, user downtime, reputation damage, loss of intellectual property, loss of revenue and clients, lost data and more.

Types of
Phishing Attacks

It’s important to understand the various phishing attacks and how to identify them.

Email Phishing

Typically, when you think of phishing, you think of email phishing. Hackers impersonate known brands or people to try to convince people to give up information or click a certain link.

Smishing

Smishing is a phishing text message. Typically, they will include a link that installs malware when clicked.

Whaling (CEO fraud)

Thanks to sites like LinkedIn and company websites, cybercriminals can easily find the name and email address of CEOs or senior leaders intending to impersonate that person. The impersonated leader will often ask for money transfers, gift card purchases, or ask to review a PDF.

Spear Phishing

Spear phishing is similar to whaling, as it involves cybercriminals doing some research to create targeted phishing emails. Hackers could use specific information such as age, location, interests, employers, friends, and family to trick you into thinking they are trustworthy.

Vishing

Vishing is voice phishing. These are phone calls with the intent of tricking you into giving away personal or financial information. For example, many people receive vishing calls from persons claiming to be from the Internal Revenue Service and give away their social security number or credit card number.

Angler Phishing

Angler phishing involves social media. Perhaps you’ve gotten a Facebook message from a friend that just says ‘Is that you?’ and a link to a video. That video link is most likely malicious!

What kind of data is typically compromised in a phishing attack?

  • Credentials: usernames and passwords
  • Personal data: addresses, phone numbers, social security numbers
  • Internal data: sales figures
  • Medical data: insurance claim information
  • Banking data: credit card information
Source

Why should you worry about phishing?

Phishing is the most common cybercrime and most data breaches involve phishing.

According to recent research from Proofpoint, an email security leader, 75% of organizations around the world experienced a phishing attack in 2020.

If you are a phishing attack victim, the results can be disastrous. Your information is valuable. Company information is valuable. As phishing attacks become more sophisticated, you need to remain vigilant and carefully review emails for legitimacy.

Adelia Risk’s Top 8
Phishing Prevention Tips

Tip

1

Use email services with anti-spam features

Microsoft 365 and Google Workspace are great options!

Tip

2

Use multi-factor authentication wherever possible

Very important!

Tip

3

Use a service that scans for phishing attacks

We like Proofpoint, but there are many options to choose from

Tip

4

We're your accountability partner.

– On-going security training
– Phishing simulation tests

Tip

5

Keep computers and software up to date

Set up auto-update when possible

Tip

6

Keep passwords secure and updated

Password managers make this easy! We like 1Password or LastPass.

Tip

7

Use the hover link method before clicking email link

Know before you click!

Tip

8

Learn the phishing red flags

See below!

Need help with your organization’s cybersecurity?

We can help!

Let’s Talk

Top Phishing
Red Flags

Even with the best email security programs, phishing emails are going to get through. Attackers are just that good! Every time you open an email, ask yourself:

  • Does the email contain an attachment?
  • Does the email contain a link?
  • Is the email asking you to do something with money? (examples: wire transfer, buy gift cards)
  • Does the email have bad or unusual grammar?
  • Does the email tug at your emotions? (examples: sense of urgency, confidentiality, hardship, pandemic-related)
  • Is the email trying to make you think you’ve been ‘hacked’? (examples: a password reset you did not initiate, or messages about your computer being infected)
  • Does the email just ‘feel’ wrong? Trust your instincts!

Common phishing subject lines

According to KnowBe4, these were the most common emails that users received and reported to their IT departments as suspicious:

  • Changes to your health benefits
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent
  • Stimulus Cancellation Request Approved
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  • RingCentral is coming!
  • Workday: Reminder: Important Security Upgrade Required

What to do if you
suspect phishing

So what should you do if you suspect phishing? Follow your company’s guidance if they have a policy. Here are some general recommendations:

  • Figure out who actually sent the email (look at the ‘from’ address or click ‘reply’ to see what email address you’re responding to)
  • Use the hover link method
  • Check with your IT person or most-technical co-worker. Send them a screenshot of the email (don’t forward it unless specifically requested by your IT firm)
  • If the email involves money in any way, pick up the phone to confirm with the sender

Free phishing quizzes
to test your knowledge

No matter how good your email scanner is, highly targeted attacks can still get through. That’s why it’s super important to train your staff about phishing.

Here are two completely free websites that can both teach users how to spot a phishing attack AND test whether they would get fooled or not:

Google Phishing Quiz
OpenDNS Phishing Quiz

Creating a positive
cybersecurity culture

Company leaders, this section is for you. 
You can install all of the top-notch technical solutions to combat phishing, but you’d be missing a critical piece of the puzzle. Your users. They are the last line of defense against phishing attacks. So what can you do to help them?

Here are a few ideas:

  • Share this page with them.
  • Talk about phishing.
  • Share screenshots of emails you’ve received that look like phishing
  • Recognize employees who effectively catch phishing emails or perform well with security training
  • No shaming when someone is tricked by a phishing test or performs poorly in training

You do not want your employees to fall victim to a phishing attack. It’s important that your users feel comfortable bringing these sorts of situations to your attention. Empower them to make the right decisions!

Phishing Guide TLDR:
Too Long Didn't Read

There are many types of phishing attacks, but they can all devastate an individual or business. Be cautious before clicking any links, and never give personal or financial information unless you are 100% sure it is safe to do so.

Do you think we might be a good match?

Let’s Talk
888 646 1616