More than 200 billion emails are sent and received each day worldwide. It is within this huge volume of communications that spammers who engage in “phishing” are attempting to scam unsuspecting victims into divulging important personal or company information. While most people are aware of phishing, an untold number of victims continue to fall for scams each year due in part to more sophisticated schemes used by scammers. So, it’s wise to periodically refresh your understanding of phishing and the consequences.
Phishing is a form of “social engineering” that uses human interaction and trust-building, rather than strictly code-based attacks, to steal passwords, account numbers and other sensitive data. These emails may appear to come from social websites, banks, online payment processors, or even your company’s internal IT department. They may even appear to come from a specific user. The websites they direct you to can also look completely legitimate. The bottom line is that the spammer wants to create an environment that looks familiar and reassures you.
Phishing Scams in the News
Once a phisher finds a way through a company’s security, the damage can be extensive, as demonstrated in some recent attacks.
- Target – Lost 110 million customer and credit card records when a subcontractor was phished.
- RSA Security – Breached data resulted in the theft of master keys of all RSA IT security tokens and subsequent access to the information of U.S. defense suppliers.
- Home Depot – Lost personal and credit card data of more than 100 million customers.
Common Phishing Scams
Scam artists come up with new ploys every day. Here are some of their common tricks.
- Phony emails from the "fraud department" of a well-known company that ask for information verification because they suspect identity theft
- Emails that take advantage of a current event, such as the Anthem data breach, which scammers used to send phishing emails with malicious links for "free credit reporting"
- Phishing emails that impersonate the IRS and ask the recipient to enter personal data
- Payroll-themed attacks that utilize a sense of fear and urgency
- Messages purporting to come from the recipient’s attorney, encouraging them to click a link to learn more about sensitive information
Easy Tips to Protect Yourself from Phishing
Phishing scams only work if you give the scammer a way through your security. Follow the tips below to beat scammers at their own game.
- Don’t send sensitive personal information via email. Legitimate organizations will never ask users to send information this way.
- Never click links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing website will look identical to the original. Review the address bar to make sure you are on the appropriate website.
- Don't get pressured into providing sensitive information. Phishers like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of the request.
- Only open an email attachment if you are expecting it and know what it contains. Be cautious about container files, such as .zip files, as malicious files could be packed inside.
- Contact the organization directly if you want to verify a suspicious email, but don’t call the number that is provided in the email.
- Use discretion when posting personal information on social media. This information is a treasure trove for phishers who will use it to feign trustworthiness.
- Watch out for generic-looking requests for information. Fraudulent emails are usually not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with "Dear Sir/Madam," and some come from a bank with which you do not even have an account.
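Several of the tips above (generic greetings, urgency, links whose visible text does not match where they really go, container attachments) can be checked mechanically before a message reaches a reader. The script below is an added example, not part of the original article: it scans a constructed HTML email body and returns the red flags it finds. The sample message, the keyword lists and the two-label domain comparison are simplifying assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body for demonstration; not taken from a real message.
SAMPLE_EMAIL = """
<p>Dear Sir/Madam,</p>
<p>Your account will be disabled in 24 hours unless you verify your details:</p>
<a href="http://example-bank.verify-login.example.net/update">https://www.example-bank.com/login</a>
<p>Attachment: statement.zip</p>
"""

# Assumed indicator lists; a real filter would use a much larger, tuned set.
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user")
URGENCY_WORDS = ("disabled", "suspended", "immediately", "within 24 hours")
CONTAINER_EXTS = (".zip", ".rar", ".7z", ".iso")

def registered_domain(host):
    # Simplification: treat the last two labels as the owning domain
    # (no public-suffix list), e.g. "www.example-bank.com" -> "example-bank.com".
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_link_mismatches(html):
    # Return (shown_url, real_href) pairs where the visible link text is a URL
    # whose domain differs from the domain the href actually points to.
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = text.strip()
        if not re.match(r"https?://", shown, re.I):
            continue  # plain-text anchors ("click here") are handled by other rules
        real = registered_domain(urlparse(href).hostname or "")
        displayed = registered_domain(urlparse(shown).hostname or "")
        if real != displayed:
            findings.append((shown, href))
    return findings

def phishing_indicators(html):
    # Collect the red flags present in the message, in a fixed order.
    low = html.lower()
    flags = []
    if any(g in low for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(w in low for w in URGENCY_WORDS):
        flags.append("urgency/threat language")
    if find_link_mismatches(html):
        flags.append("link text domain differs from href domain")
    if any(ext in low for ext in CONTAINER_EXTS):
        flags.append("container attachment mentioned")
    return flags
```

Run on the sample message, all four indicators fire; the mismatched link is the one a user would only notice by reading the address bar after clicking, which is exactly why the check is better done before delivery.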
As phishing scams become more elaborate, we all must be more vigilant. If you feel you have fallen victim to a phishing attack at work, take immediate action. Notify your company’s IT department and your manager. The quicker you respond, the less damage a scammer can get away with. In the case of being phished for your personal information, contact the companies you do business with, preferably by phone.
Jason D. Anderson