Cybersecurity: Understanding Phishing

Phishing

Written by Bob Spencer

August 14, 2020

Have you heard of phishing? No, it’s not sitting in a boat with a hook and line trying to catch fish, but it is similar. Phishing is the fraudulent attempt to obtain sensitive information or data (such as usernames, passwords and credit card details) by disguising oneself as a trustworthy entity in an electronic communication. You can remember it by thinking of fishing: the attacker disguises a “hook” as bait in order to snare you in a trap.

Phishing is commonly done via email, but also is done via social media, instant messaging and texting, among others. Phishing is the most common root cause of all security breaches. No longer are hackers just trying to break into your systems through brute force or a backdoor, but more frequently they are walking in the front door and asking for direct access—and employees are giving it to them!

So how do you protect yourself and your organization? Like with many issues, the best solution is education: Knowing how to identify something as phishing vs. something as legitimate. I suggest a process that my children were taught in kindergarten: Stop, Think, Act.

Stop

When you receive a message asking you to do something (like click on a link, send some information, etc.), the first thing you should do is resist the urge to click before thinking. Stopping only takes one second and can save you from tragedy.

Think

Once you have stopped, take a moment to assess the request. This initial assessment leads to one of three outcomes: “It is Valid,” “It is a Scam” or “I don’t know.”

Act

If the request is deemed valid, proceed with the process. If it is deemed a scam, ignore it or report it to your IT team. The hardest decision of the three is accepting the “I don’t know” answer. However, not knowing is common, and as an IT professional, it is the one we have to address most often.

How do you decide if it is valid or not, and move away from the “I don’t know” status? You look for red flags. A red flag is an indicator that something isn’t quite right. Your gut is a powerful red flag—trust it! Other red flags include:

  • Misspellings, especially in links or email addresses
  • An unusual sense of urgency

When we are faced with the question, “Is this phishing?” we ask three simple questions in response:

Do You Know the Sender?

Is it from a person and/or email address that you know and trust?

Is It Expected?

Did you expect the request to happen, and did it come through all of the proper channels?

Can It Be Confirmed?

The easiest way to answer this question is to change the channel of communication and confirm the request. If the message came via email, pick up the phone and call the sender at a phone number you already know (not a phone number included in the email).

If you answer “yes” to all three of those questions, it is safe. Confirming the message through a different channel is the most secure way to validate it, but it does take the most time. Either way, this simple process of quick thinking should protect you and your team from 99 percent of the attacks out there. No amount of technical security can stop an attacker if someone hands them the key. Cybersecurity training should be a part of every person’s security toolkit. Feel free to contact us to learn how to keep your organization secure. Stay safe!
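The Stop, Think, Act process above can be turned into a simple triage script. The following is an added example, not code from the original article or from the author’s firm: it scans constructed sample emails for the red flags the article names (misspelled lookalike domains in sender addresses or links, and urgency language), then applies the three questions (known sender, expected request, and otherwise “confirm via another channel”) to reach one of the article’s three outcomes. The trusted domains, known senders, urgency phrases and sample messages are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Assumed allowlists for this example (constructed, not real organizational data).
KNOWN_SENDERS = {"alice@example.com", "payroll@example.com"}
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}

# Phrases that signal the "unusual sense of urgency" red flag (assumed list).
URGENCY_PHRASES = [
    "immediately", "urgent", "within 24 hours", "account will be suspended",
    "act now", "verify your account", "final notice",
]

# Captures the host part of http(s) links found in the message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    expected: bool  # "Is it expected?": did the recipient anticipate this request?


@dataclass
class Verdict:
    outcome: str  # "valid", "scam" or "unknown" (the article's three outcomes)
    red_flags: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce 'docs.example.com' to 'example.com' so subdomains of trusted domains pass."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True for a domain that is NOT trusted but is within 2 edits of a trusted one."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(dom, t) <= 2 for t in TRUSTED_DOMAINS)


def find_red_flags(msg: Message) -> List[str]:
    """Red flags from the article: misspelled addresses/links and urgency language."""
    flags = []
    sender_domain = msg.sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        flags.append(f"sender domain looks like a misspelling of a trusted domain: {sender_domain}")
    for host in URL_RE.findall(msg.body):
        if is_lookalike(host):
            flags.append(f"link host looks like a misspelling of a trusted domain: {host}")
    text = f"{msg.subject} {msg.body}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append(f"urgency language: '{phrase}'")
    return flags


def assess(msg: Message) -> Verdict:
    """Stop, Think, Act: any red flag -> scam; known and expected -> valid; else confirm."""
    flags = find_red_flags(msg)
    if flags:
        return Verdict("scam", flags)
    if msg.sender.lower() in KNOWN_SENDERS and msg.expected:
        return Verdict("valid")
    # "I don't know": change the channel and confirm before acting.
    return Verdict("unknown", ["confirm with the sender via a known phone number"])


# Constructed sample messages (not real email).
SAMPLES = [
    Message("payroll@examp1e.com", "URGENT: verify your account",
            "Your account will be suspended. Click http://examp1e.com/login immediately.", False),
    Message("alice@example.com", "Q3 report",
            "Attached as discussed: https://docs.example.com/q3", True),
    Message("vendor@newsupplier.net", "Invoice 42",
            "Please find the invoice at https://newsupplier.net/inv/42", False),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = assess(m)
        print(f"{m.sender:28} -> {v.outcome:8} {v.red_flags}")
```

Running the script prints a verdict per sample: the first message is flagged as a scam on both the lookalike domain and several urgency phrases, the second is valid because it comes from a known sender and was expected, and the third lands in “I don’t know” with the instruction to confirm through a different channel. A small edit-distance threshold is deliberately conservative here; in practice the “I don’t know” bucket is where a phone call, not more code, resolves the question.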


Bob Spencer
As Information Technology Manager, I oversee many operations of the firm’s IT department including IT projects, IT related research, license and inventory control, and Helpdesk. I also manage all IT systems and hardware. I have more than 15 years of experience in various IT roles.

