How to Prevent Phishing Emails from Harming Your Workplace
Anyone with an email account is susceptible to a phishing attack.
So, how do you defend against phishing? Watch Mike Maki, Director of Operations for Loffler's IT Solutions Group, explain phishing through fishing:
First of all, what is phishing?
Phishing is an attack that criminal organizations run against companies and individuals every day. A phishing attack is an email crafted to gain access to your systems and/or your data, including privileged information such as usernames, passwords, credit card data or bank account numbers. Most often, the lure is an attachment or a hyperlink.
So, how does that relate to fishing?
There are several ways criminals use phishing to attack companies and/or people. The first, a kind of "low-grade" way to do it, is casting the net: throw out a wide net and see what species of fish you catch. Or, as it relates to phishing, what kind of people can they capture? Casting the net is a general phishing attack, not aimed at one single person or company specifically. Some examples may be:
- A non-Apple user receives an email asking for an Apple ID
- An email comes out of the blue from a friend or relative's account saying, "Hey, check this out!" and asks you to click on a link or open an attachment
There are also specific phishing attacks, such as spear phishing. This is similar to fishing with a spear where you are going after a particular fish or species. You might even have a guide, where you use somebody else to help you get to a spot on the ocean, lake or river. You might also try different lures — ones that may be identical except in color — to test different approaches. These spear phishing attacks are a more targeted version of phishing that is becoming more common. A spear phishing attack involves a lot of research and will include specific information to gain your trust. Here are some examples:
- An email from your manager asking you to click on a link
- An email addressed to you with specific information regarding your company and requesting you to open an attachment
Spear phishing takes another form when it is targeted at an executive of a company; this is called whaling. An example of whaling:
- An email is sent to the CFO from the CEO and asks to wire funds to an account
How do you prevent phishing emails from harming your workplace?
Defense in depth is your weapon against phishing attacks. When bait is dangled right in front of a fish's nose, it doesn't always bite, and the same should be true of a phishing attack. Defense in depth means many different things:
- A strong and well-communicated security policy
- Security awareness tools like KnowBe4 that send fake phishing attacks to see if end users click on them (If they do, the end user is sent to educational resources where they learn how to avoid clicking on phishing emails.)
- Modern anti-virus that screens incoming email and blocks phishing messages before end users ever see them
- Up-to-date firewalls are also key to blocking attacks and preventing them from reaching your end users
Finally, it does not hurt to use some critical thinking. When you receive an email that feels out of the blue, out of place or comes from an unusual email address, take extra precautions.
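The "unusual email address" check above, and the CEO-to-CFO whaling example, can be turned into a header screen that flags messages whose display name impersonates an executive, whose sender domain is a near-miss of the company's own domain, or whose Reply-To quietly points somewhere else. This is an added example, not Loffler's or KnowBe4's code; the organisation domain, the executive roster and the sample headers are all constructed.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed for this example: the company's mail domain and a roster
# mapping executive display names to their real addresses.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw_headers):
    """Return the reasons a message looks like executive impersonation.
    An empty list means the header checks found nothing suspicious."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    dom = sender_domain(addr)
    reasons = []
    # 1. Display name matches an executive but the address is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' used with address {addr}")
    # 2. Sender domain is one or two characters away from the real one.
    if dom != ORG_DOMAIN and 0 < edit_distance(dom, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {dom}")
    # 3. Replies would be diverted to a different domain than the sender's.
    if reply_to and sender_domain(reply_to) != dom:
        reasons.append(f"Reply-To {reply_to} does not match sender domain")
    return reasons

# Constructed sample headers: one lookalike whaling attempt, one legitimate
# message, one with a diverted Reply-To.
SAMPLES = {
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nTo: cfo@example.com\nSubject: Urgent wire\n\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: cfo@example.com\nSubject: Q3 numbers\n\n",
    "reply_to": "From: Jane Doe <jane.doe@example.com>\nReply-To: ceo.office@mail-relay.net\nSubject: Invoice\n\n",
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, check_headers(headers) or "no header findings")
```

Header heuristics like these are a screening aid for the critical-thinking step; they do not replace the awareness training and mail filtering the list above describes.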