
Adelia Risk's Guide to Phishing

What is phishing?
How can you protect your data at home and work?

Phishing is consistently among the leading causes of data breaches. Even with all the technical protection in the world, some phishing emails get through. Protect yourself and your company by learning how phishing works and how to spot phishing messages.

What is phishing?

Phishing is a cybercrime in which you are tricked into clicking a malicious link, opening an attachment, or giving up personal information, such as login credentials or credit card numbers.

Phishing emails can seem obvious when they are riddled with typos and grammatical errors. But they can also be sophisticated, convincing and incredibly hard to detect. There are various types of phishing, including whaling, spear phishing, smishing, vishing, angler phishing and more.

Phishing attacks can be devastating to organizations of all sizes. The implications include financial costs, user downtime, reputation damage, loss of intellectual property, loss of revenue and clients, lost data and more.

Types of Phishing Attacks

It’s important to understand the various phishing attacks and how to identify them.

Email Phishing

Typically, when you think of phishing, you think of email phishing. Attackers impersonate known brands or people to convince recipients to give up information or click a particular link.

Smishing

Smishing is phishing by text message (SMS). The message typically contains a link, either to a fake login page that harvests your credentials or to a download that installs malware.

Whaling (CEO fraud)

Thanks to sites like LinkedIn and company websites, cybercriminals can easily find the name and email address of a CEO or senior leader and then impersonate that person. The impersonated leader will often ask for a money transfer, a gift card purchase, or a quick review of an attached PDF.

Spear Phishing

Spear phishing is similar to whaling, as it involves cybercriminals doing some research to create targeted phishing emails. Hackers could use specific information such as age, location, interests, employers, friends, and family to trick you into thinking they are trustworthy.

Vishing

Vishing is voice phishing: phone calls intended to trick you into giving away personal or financial information. For example, many people receive vishing calls from someone claiming to be from the Internal Revenue Service, and end up giving away their social security number or credit card number.

Angler Phishing

Angler phishing involves social media. Perhaps you’ve gotten a Facebook message from a friend that just says ‘Is that you?’ and a link to a video. That video link is most likely malicious!

What kind of data is typically compromised in a phishing attack?

- Credentials: usernames and passwords
- Personal data: addresses, phone numbers, social security numbers
- Internal data: sales figures
- Medical data: insurance claim information
- Banking data: credit card information

Why should you worry about phishing?

Phishing is one of the most common cybercrimes, and a large share of data breaches begin with a phishing message.

According to recent research from Proofpoint, an email security vendor, 75% of organizations around the world experienced a phishing attack in 2020.

If you are a phishing attack victim, the results can be disastrous. Your information is valuable. Company information is valuable. As phishing attacks become more sophisticated, you need to remain vigilant and carefully review emails for legitimacy.


Adelia Risk’s Top 8 Phishing Prevention Tips

Use email services with anti-spam features

Microsoft 365 and Google Workspace are great options!

Use multi-factor authentication wherever possible

Very important!

Use a service that scans for phishing attacks

We like Proofpoint, but there are many options to choose from

Training for employees

- On-going security training
- Phishing simulation tests

Keep computers and software up to date

Set up auto-update when possible

Keep passwords secure and updated

Password managers make this easy! We like 1Password or LastPass.

Use the hover link method before clicking email links

Know before you click!

Learn the 6 phishing red flags

See below!

Top 6 Phishing Red Flags

Even with the best email security programs, phishing emails are going to get through. Attackers are just that good! Every time you open an email, ask yourself:

  1. Does the email contain an attachment?
  2. Does the email contain a link?
  3. Is the email asking you to do something with money? (examples: wire transfer, buy gift cards)
  4. Does the email have bad or unusual grammar?
  5. Does the email tug at your emotions? (examples: sense of urgency, confidentiality, hardship, pandemic-related)
  6. Is the email trying to make you think you’ve been ‘hacked’? (examples: a password reset you did not initiate, or messages about your computer being infected)

And one more: if the email just ‘feels’ wrong, trust your instincts!

Common phishing subject lines

According to KnowBe4, these were the most common subject lines of emails that users received and reported to their IT departments as suspicious:

  • Changes to your health benefits
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent
  • Stimulus Cancellation Request Approved
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  • RingCentral is coming!
  • Workday: Reminder: Important Security Upgrade Required

What to do if you suspect phishing

So what should you do if you suspect phishing? Follow your company’s guidance if they have a policy. Here are some general recommendations:

  1. Figure out who actually sent the email. The display name (‘Amazon Prime’) can say anything; look at the actual ‘from’ address behind it, or click ‘reply’ to see which address your response would really go to (the reply address can differ from the ‘from’ address).
  2. Use the hover link method: hover over each link to see where it really goes. The visible text can show one address while the link points somewhere else.
  3. Check with your IT person or most-technical co-worker. Send them a screenshot of the email (don’t forward it unless specifically requested by your IT firm).
  4. If the email involves money in any way, pick up the phone to confirm with the sender, using a number you already have, not one from the email.
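Steps 1 and 2 above can be automated. The following is an added example, not part of Adelia Risk’s guide or any product it mentions. It parses a saved email (.eml) with Python’s standard library, compares the From address with the Reply-To address, and performs the hover-link check on every link in the HTML body: where the visible text looks like a URL, it compares the domain the reader sees with the domain the link actually goes to. The sample message is constructed for the demo, and `registered_domain` is a deliberately crude two-label approximation (a real tool would consult the Public Suffix List).

```python
"""Automated 'who really sent this' and hover-link checks for one .eml file.
Added example; the sample message below is constructed, not a real phish."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "Amazon" message whose Reply-To and link targets
# do not match the brand it claims to come from.
SAMPLE_EML = b"""\
From: "Amazon Prime" <billing@amazon-billing-support.example>
Reply-To: collect@mailbox-relay.example
To: you@example.com
Subject: Action Required | Your Amazon Prime Membership has been declined
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payment was declined. Update your card within 24 hours:</p>
<a href="http://amazon.com.verify-account.example/login">https://www.amazon.com/account</a>
<p>Or call us. <a href="https://www.amazon.com/help">Help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Enough for the demo; a real tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname part of a URL, or '' if it has none."""
    return urlparse(url).hostname or ""


def analyze(raw_eml):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []

    # Check 1: who actually sent this? The display name is free text, so look
    # at the real From address and at where a reply would go (Reply-To).
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    if reply_addr and registered_domain(reply_dom) != registered_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Check 2: the hover-link method. For every link whose visible text is
    # itself a URL, compare the host the reader sees with the host the href
    # really points to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for text, href in parser.links:
            shown = host_of(text) if "://" in text else ""
            actual = host_of(href)
            if shown and registered_domain(shown) != registered_domain(actual):
                findings.append(f"Link text shows {shown} but goes to {actual}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

Run against the sample, the script flags both the mismatched Reply-To and the link whose text reads `www.amazon.com` but whose target host is `amazon.com.verify-account.example`. Links whose visible text is a plain word (‘Help’) are not compared, since there is nothing shown to compare against; those still need the human hover check.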

Free phishing quizzes to test your knowledge

No matter how good your email scanner is, highly targeted attacks can still get through. That’s why it’s super important to train your staff about phishing.

Here are two completely free websites that can both teach users how to spot a phishing attack AND test whether they would get fooled or not:

Creating a positive cybersecurity culture

Company leaders, this section is for you. 

You can install all of the top-notch technical solutions to combat phishing, but you’d be missing a critical piece of the puzzle. Your users. They are the last line of defense against phishing attacks. So what can you do to help them?

Here are a few ideas:

  • Share this page with them.
  • Talk about phishing.
  • Share screenshots of emails you’ve received that look like phishing
  • Recognize employees who effectively catch phishing emails or perform well with security training
  • No shaming when someone is tricked by a phishing test or performs poorly in training

You do not want your employees to fall victim to a phishing attack. It’s important that your users feel comfortable bringing these sorts of situations to your attention. Empower them to make the right decisions!

Phishing Guide TLDR: Too Long Didn't Read

There are many types of phishing attacks, but they can all devastate an individual or business. Be cautious before clicking any links, and never give personal or financial information unless you are 100% sure it is safe to do so.

Need help with your organization’s cybersecurity? We can help! Contact us today.

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2022 Adelia Associates, LLC | All Rights Reserved