One of the weakest points of any cybersecurity system is the humans involved. Many strategies exist to trick individuals into giving access to their company’s network. If your system has robust security on the network itself, the easiest way for a malicious actor to gain access isn’t through that security—it’s through the humans who work at your company.
Attacks of this type are called social engineering. They rely on knowledge of how humans usually behave to manipulate people into giving up passwords or downloading malware. One of the most common of these methods is phishing, along with its many variants.

What Is Phishing?
Phishing is the practice of sending malicious emails disguised as communications from a legitimate, trusted source. For instance, an individual might receive an email that appears to be from their bank, prompting them to log in on the website to solve some time-sensitive problem. However, the link within the email takes them not to the bank’s login page, but to a spoofed version of it which looks exactly the same. When the person tries to log in, the website records their username and password for the phisher to use for their own purposes.
Recognizing Phishing Emails
While email providers do what they can to flag suspicious-looking emails, it is not always possible for software to tell the difference. In that case, it’s up to the potential targets to assess emails before clicking on any links. For instance, ask these questions:
- Do you recognize the sender? Is this the address they usually email you from—correctly spelled?
- Is the subject something that seems like it could be a scare tactic—a warning that your account has been compromised, that compromising pictures of yourself are being shared publicly, or that you are in trouble with the law?
- Does the email contain unexpected attachments?
- Is the email cc’d to many people, but you do not know who the other people are?
- When you hover over the hyperlink, does it reveal the address of a completely different website? Does the link contain a tiny misspelling or unusual punctuation?
In general, one simple practice that can keep you safe from phishing is not to click on links in emails, but to navigate to the website on your own. If the email claims to be from your bank, for instance, open a new tab to log in to your bank’s website without using the address in the email. Or call your bank and ask if there is a problem. Very often, there will be no sign of the issues the email mentioned.
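The hover check above (does the visible link match the real destination, and is the domain a near-miss of one you know?) can be automated for an HTML email body. The following is an added example, not code from the original article: it pulls every link out of a constructed sample body, compares the displayed text with the real destination, and flags domains that are unrecognised, that hide a trusted name as a subdomain, or that sit one or two characters away from a trusted name. The allowlisted domain, the sample HTML and the edit-distance threshold are all assumptions.

```python
"""Inspect the hyperlinks in an HTML email body the way a careful reader
would by hovering: compare the visible text with the real destination and
look for lookalike or unrecognised domains.

Added illustrative example; the allowlisted domain and sample HTML are
constructed assumptions, not data from the original article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this reader legitimately expects links from.
KNOWN_DOMAINS = {"examplebank.com"}

# Constructed sample body mixing one legitimate link with two deceptive ones.
SAMPLE_HTML = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<p><a href="https://www.examplebank.com/login">Log in</a></p>
<p><a href="https://examplebank.com.login-verify.net/">https://www.examplebank.com/secure</a></p>
<p><a href="http://examp1ebank.com/verify">Verify now</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes (examp1ebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def inspect_links(html):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        reasons = []
        parsed = urlparse(href)
        host = parsed.hostname or ""
        target = registrable(host)

        if parsed.scheme == "http":
            reasons.append("plain http link")

        # The visible text looks like a URL but the link goes somewhere else.
        if re.match(r"^(https?://|www\.)", text):
            shown = registrable(urlparse(text if "://" in text else "https://" + text).hostname)
            if shown != target:
                reasons.append(f"displayed text shows {shown} but link goes to {target}")

        if target not in KNOWN_DOMAINS:
            hits = [k for k in KNOWN_DOMAINS if host.startswith(k + ".")]
            near = [k for k in KNOWN_DOMAINS if 0 < levenshtein(target, k) <= 2]
            if hits:
                reasons.append(f"known domain {hits[0]} used as a subdomain of {target}")
            elif near:
                reasons.append(f"lookalike of {near[0]}")
            else:
                reasons.append(f"unrecognized domain {target}")
        if reasons:
            suspicious.append((href, reasons))
    return suspicious


if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

The registrable-domain guess takes the last two labels, which is wrong for country-code suffixes such as `.co.uk`; a production filter would use a public-suffix list. The legitimate `www.examplebank.com` link produces no findings, while the other two are reported with the reason a reader would have spotted by hovering.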
Smishing
Phishing has many variants. One common one is smishing—phishing through SMS messages. Sending phony messages by text instead of email comes with two main advantages for scammers.
First, people are more likely to click on links that come in a text. Since texts come with character limits, many organizations have gotten in the habit of sending brief messages with a link to access the rest. These links are often shortened to make them unrecognizable, and unlike in emails, you can’t see the full link by hovering over them.
Second, when emailing an individual within a company or organization, scammers have to pass through the cybersecurity the company network provides. But employees’ phones are often personal devices with no special security measures.
The best approach to avoiding smishing is twofold: both improving mobile security and training humans. Improving security measures on mobile devices can block a number of smishing texts before they even arrive. But training employees remains essential, so that no matter what slips by, the human recipient will know how to recognize and respond to smishing threats.
Spear Phishing
Probably the most worrisome variant for business owners handling sensitive material is spear phishing. Spear phishing is a variant tailored to a specific recipient. The sender takes significant time to choose a target and research their social media and work information. Then they craft an email that will look, as much as possible, like a message from someone the target knows.
Employees who handle secure data are likely targets for this kind of attack. Therefore, they must be trained to check for warning signs:
- A different sender address than a sender usually uses
- A suspicious domain ending in something other than .com, .org, or .gov
- Urgent messages which claim to be important and time-sensitive
- Unsolicited attachments
- Hyperlinks that lead to a login page
Meanwhile, robust network security measures are also vital. Your system needs to be able to flag suspicious messages by examining the metadata. Attachments should be automatically scanned for malware and analyzed more deeply if they show warning signs.
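The "examine the metadata" step can be made concrete. The following is an added example rather than code from the original article: it builds a constructed spear-phishing-style message and a constructed benign one with Python's standard `email` library, then checks the warning signs listed above (a display name that matches a staff member but a sender address outside the company domain, a Reply-To pointing elsewhere, SPF/DKIM/DMARC results from the gateway that are not `pass`, an urgent subject line, and a risky attachment type). The company domain, the staff directory, the gateway's authserv-id and the keyword and extension lists are all assumptions.

```python
"""Triage a raw email's metadata for spear-phishing warning signs.

Added illustrative example; the domains, names and thresholds below are
assumptions, not values from any real organisation.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

INTERNAL_DOMAIN = "examplecorp.com"                            # assumption
AUTHSERV_ID = "mx.examplecorp.com"                             # assumption: our gateway's authserv-id
INTERNAL_PEOPLE = {"dana chief": "dana.chief@examplecorp.com"}  # assumption: staff directory
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "final notice")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".html", ".iso", ".lnk")


def build_sample(suspicious=True):
    """Construct a sample message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["To"] = "accounts@examplecorp.com"
    if suspicious:
        msg["From"] = '"Dana Chief (CEO)" <dana.chief@examplecorp-mail.net>'
        msg["Reply-To"] = "payments@quick-invoice-portal.net"
        msg["Subject"] = "URGENT: wire transfer needed before 3pm"
        msg["Authentication-Results"] = (
            "mx.examplecorp.com; spf=fail smtp.mailfrom=examplecorp-mail.net; "
            "dkim=none; dmarc=fail header.from=examplecorp-mail.net")
        msg.set_content("Please process the attached invoice today.")
        msg.add_attachment(b"not a real document", maintype="application",
                           subtype="octet-stream", filename="invoice.docm")
    else:
        msg["From"] = "Dana Chief <dana.chief@examplecorp.com>"
        msg["Subject"] = "Q3 budget notes"
        msg["Authentication-Results"] = (
            "mx.examplecorp.com; spf=pass smtp.mailfrom=examplecorp.com; "
            "dkim=pass header.d=examplecorp.com; dmarc=pass header.from=examplecorp.com")
        msg.set_content("Notes from today's meeting are in the shared drive.")
    return msg.as_bytes()


def analyze(raw_bytes):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    msg = message_from_bytes(raw_bytes, policy=default)
    findings = []

    # Display-name spoofing: a known colleague's name on an external address.
    sender = msg["From"].addresses[0]
    from_domain = sender.addr_spec.rsplit("@", 1)[1].lower()
    shown_name = re.sub(r"\(.*?\)", "", sender.display_name).strip().lower()
    if shown_name in INTERNAL_PEOPLE and from_domain != INTERNAL_DOMAIN:
        findings.append(("display_name_spoof", f"{sender.display_name!r} sent from {from_domain}"))

    # Replies silently routed to a different domain than the apparent sender.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
        if reply_domain != from_domain:
            findings.append(("replyto_mismatch", f"replies go to {reply_domain}"))

    # Only trust Authentication-Results stamped by our own gateway.
    auth = msg["Authentication-Results"]
    if auth is None or not str(auth).strip().startswith(AUTHSERV_ID + ";"):
        findings.append(("auth_untrusted", "no Authentication-Results from our gateway"))
    else:
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(auth)):
            if result != "pass":
                findings.append(("auth_not_pass", f"{mech}={result}"))

    # Urgency pressure in the subject line.
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append(("urgent_subject", subject))

    # Attachment types that can carry active content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", name))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(build_sample(suspicious=True)):
        print(f"{code:20} {detail}")
    print("benign sample findings:", analyze(build_sample(suspicious=False)))
```

The authserv-id check matters because anyone can write an `Authentication-Results` header claiming `spf=pass`; the header is only meaningful when your own gateway added it, and the gateway should strip or rename any copy that arrives from outside. A real deployment would also feed attachments flagged here into sandbox analysis, as the paragraph above suggests.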
Avoiding Phishing Scams
Where social engineering attacks are concerned, forewarned is forearmed. All of these methods are based on the assumption that humans will act in a certain way: panic at bad news, quick and careless reactions when something seems urgent, trust when they think they are dealing with a friend. But humans who are trained to recognize and resist these attacks react differently. When an incoming message starts pulling the strings of panic or urgency, trained employees will know to slow down and look more closely instead.
Cybersecurity technology constantly develops new tools to detect phishing emails and texts. A robust network blocks most phishing emails before they even arrive and protects itself against malware and foreign intrusions. Building a secure network is a complex and ever-changing task. Mission Compliant can make your business’s network secure as well as recommend policies and workflows that will prevent human error. Our decades of combined cybersecurity experience have prepared us to recognize every kind of security gap—and show you how to repair it. Contact us to find out what we can do for your business.