Phishing is a very widespread threat today. There are many types, including spear phishing and whaling. Phishing attacks take many forms, but most of them involve posing as someone you know and trust. This can be a person or a company.
A common form of this is an email that claims to be from your server administrator stating that you have emails being held and to click a link and log in to claim them. When you click the link, you may be taken to a site that is made to look like the one you expect and be prompted to log in. You will have just given away your email password.
There are a number of account types that are targeted in this way. Imagine your bank sends you an email saying “Click here to handle this urgent matter!” You might think, “Uh oh! I better do it right away!” This is how your accounts can become compromised. Don’t trust the link, and don’t trust the button!
Spear phishing is targeted phishing. This is when a specific individual, or a whole company, is targeted by phishing emails. Generally, the bad actors will start by obtaining as much information from the company’s website as they can. This includes any email addresses listed, as well as the names of any contacts that are listed on the site. Once this is done, they often implement spoofing techniques.
Whaling is the term used when the phishing methods target senior executives and other high-profile targets. It is a specialized form of spear phishing. Generally, once the scammers have obtained enough information about a company, they will pose as the CEO and request a purchase or a funds transfer. Usually, the purchase will be some kind of gift card, and they will ask for the numbers once the purchase has been made.
WHAT YOU CAN DO!
There are some basic things that will help keep you safe from many, if not all, email threats. The first is to utilize an anti-spam service. There are some habits that you should get into that will also help keep you safe.
AS AN INDIVIDUAL…
- Remember the From field of an email doesn’t always show who actually sent it or who will get the Reply!
- Remember the Reply-To hidden item? Click New or Compose instead of Reply if you are suspicious. Then you know who you are sending to!
- If anything about an email seems out of place, be suspicious!
- If a known and trusted contact sends an attachment or shares a document that seems unusual, DON’T OPEN IT! Find an alternative method to confirm they sent it. Phone or face to face is best.
- Only use the method of logging in to online accounts that you normally use. If there is an issue, there should be a notification waiting for you. If you get an email saying there is an issue with your account, don’t click the link.
- Set up multi-factor authentication (MFA) when possible! MFA makes logging in a little more of a hassle, but the security benefit is enormous!
- Establish policies! Set and follow rules on fund transfer and purchase requests via email. Phone or face to face confirmation is best, but even clicking New can help here. Except if the requesting email address was compromised…
- Establish protocols. When you begin doing business with another company, ask them if, and how, they send documents via email. Include:
  - Is it an attachment? Or a shared online document?
  - What type of document?
  - What email address will it arrive from?
  - Are they sent on a schedule?
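
The From and Reply-To checks in the list above can also be run against a saved message. The script below is an added example, not part of the original article: the sample messages and the function name check_headers are constructed for illustration, and it compares exact domains only, so a legitimate subdomain would also be flagged for a human to look at.

```python
import re
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed sample messages (not real emails).
SUSPICIOUS = """\
From: "pat@example.com" <pat.example@mail.example.net>
Reply-To: pat.ceo@example.org
To: accounts@example.com
Subject: Urgent purchase needed

Please buy gift cards and send me the numbers.
"""

CLEAN = """\
From: "Pat Example" <pat@example.com>
Reply-To: pat@example.com
To: accounts@example.com
Subject: Meeting notes

See you Tuesday.
"""

def domain(addr):
    """Return the lowercased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw):
    """Return a list of warnings about the From and Reply-To headers."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(from_addr)
    findings = []

    # The display name is free text: it can show one address while the
    # real sender address (inside the angle brackets) is another.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append(f"name shows {shown.group(0)} but sender is {from_addr}")

    # Reply-To decides where a reply goes, and mail clients often hide it.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and domain(reply_addr) != from_dom:
            findings.append(f"replies go to {reply_addr}, not {from_dom}")
    return findings

if __name__ == "__main__":
    for warning in check_headers(SUSPICIOUS):
        print("WARNING:", warning)
```

A message with no warnings is not proven safe; a compromised account sends mail whose headers all match.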