Recognizing and Avoiding Phishing Scams
What is phishing?
“Phishing” is what we call an online scam that attempts to extract information, credentials, or money from you, usually by impersonating someone you trust or a trusted organization like a bank or vendor.
Phishing emails and text messages attempt to trick you into clicking on a link, opening an attachment, or sending proprietary information. Often the return address is the name of a person or company you recognize, leading you to believe the message is legitimate. But there are many ways for you to recognize phishing and to avoid falling for scams.
If you have any doubt about whether an email is legitimate, forward it to firstname.lastname@example.org. If you do this, please send a second email referencing the first one, because sometimes the original forward can be caught in our spam filter. If you accidentally click on a link in an email that you think was not legitimate, please let us know, even if you didn’t enter any information.
Tips for security
– Exercise your Spidey sense. If the request from someone you know is unexpected or unusual, or if the language used in the email is not typical for the person you think the email is from, be alert and extra careful. Verify the message with the sender some other way (call, text, or chat).
– Remember that return addresses are easily spoofed. It’s as easy to put someone else’s return address on an email as it is to write someone else’s return address in the top left corner of an envelope sent through the regular mail.
– Be aware at all times of links you click in an email message. You can hover your mouse over a link to reveal the actual target of that link — if the target is not what you think it should be, don’t click.
– Be particularly wary of any email that links to a website that asks you to enter credentials.
– You are most vulnerable when you are engaged in something new — starting a new job, using a new communication tool, working on a new project with new vendors. Slow down in these situations and maintain extra vigilance until you have established a routine.
– If you receive an email asking to change a method of payment (for example, a new wire transfer number), verify this change either in person or by phone. Never authorize any electronic payments until you have confirmed the authenticity of the request with the vendor directly.
– Protect your computer by installing security software and keeping it up to date. That way even if you download malware accidentally, your computer will be protected.
– Set your phones and computers to do automatic updates to ensure you are taking advantage of the most recent security updates at all times.
– Do not reuse passwords. If one of your passwords is compromised through a phishing scheme, the hacker will most certainly try to use that password to log into any number of other services. (Use a password manager like 1Password to help you keep track of your passwords.)
– Use strong passwords, at least 12 characters long. Length is more important than complexity, so use phrases if you have trouble remembering passwords. “Ilikemexicanfood4lunch” is a much more secure password than “buRR1t0”. (Again, use a password manager so that you don’t even need to remember your long passwords.)
– Enable multi-factor authentication (MFA) on every critical service, starting with your email account. MFA makes it so that even if someone knows your password, they won’t be able to log into your account.
– If you suspect a password has been compromised, change it immediately.
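The hover-before-you-click advice above comes down to one comparison: does the address a link displays match the address it actually opens? The script below is an added example written for this page (not Macktez code) that makes that comparison on the HTML body of an email. The message body, the domains (bigbank.example, example.net) and the IP address in it are constructed for illustration.

```python
"""Flag links in an HTML email whose visible text points one place and whose
href points somewhere else, plus links whose target is a bare IP address.
Added example for this page; the sample message below is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a phishing-style message (hypothetical domains).
SAMPLE_HTML = """
<p>Your BigBank account needs verification.</p>
<p>Sign in at <a href="https://bigbank-secure.example.net/login">https://www.bigbank.example/login</a> to continue.</p>
<p>Or read our <a href="https://www.bigbank.example/help">help center</a>.</p>
<p>Questions? <a href="http://203.0.113.5/reset">www.bigbank.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain
    (a production tool would use the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def hostname_shown(text):
    """Return the hostname a reader sees in the link text, or None if the
    text is ordinary words such as 'help center'."""
    words = text.split()
    candidate = words[0] if words else ""
    if "://" in candidate:
        return urlparse(candidate).hostname
    head = candidate.split("/", 1)[0]
    return head.lower() if "." in head else None


def is_ip_literal(host):
    """True when the link target is a raw IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return a list of findings; an empty list means nothing looked wrong."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = hostname_shown(text)
        if is_ip_literal(target):
            findings.append({"href": href, "text": text,
                             "reason": "target is a bare IP address"})
        elif shown and registrable_domain(shown) != registrable_domain(target):
            findings.append({"href": href, "text": text,
                             "reason": f"text shows {shown} but target is {target}"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML):
        print(f"{finding['reason']}: {finding['href']}")
```

Only the first and third links are reported: the second one's visible text is plain words, so there is no displayed address to contradict the target. Mail clients and gateway filters apply the same idea, which is why a lookalike domain in the status bar is worth a second look even when the email itself reads well.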
Have I been hacked?
Receiving a phishing email does not mean you have been hacked. Even when the suspicious email seems to reveal information you think is private (a message from your direct supervisor, or a link to a service you actually use), it’s usually because that information is not in fact private — your company’s org chart, for example, can be easily gleaned from your public website or LinkedIn.
If someone else reports that they received a phishing email from you, that also may not actually indicate a true vulnerability. Adding a fake “from” address to an email is easy to do, and does not necessarily mean the email actually came from your email account.
That said, hacks do occur (especially if you use the same password for multiple services and have not enabled MFA). If you suspect your email account has been compromised, go ahead and change your password right away and let Macktez know. There are clues we can look for within your email account to assess the extent of the hack and take remedial action.
What’s really going on?
Phishing is not a particularly sophisticated form of hacking. It doesn’t take a lot of computing power or a special knowledge of code. It’s a modern form of social engineering, where a con artist takes advantage of your trust or inattention.
Phishing can be very broad — someone sends a thousand generic requests from “Dropbox” via email and hopes to get a small return. Or it can be targeted (sometimes called “spear phishing”) — someone looks up information about your organization, spoofs specific email addresses, and makes specific requests that they think will sound more legitimate. In all cases, hackers are just hoping to trip you up, and then will use the information they get to expand their attempts.
What can you do?
There’s no way to stop phishing entirely. But there are ways to reduce the practice, minimize the risks, and assist those who are also trying to block phishing on your behalf.
– Enroll in Macktez Domain Management. By configuring, enabling, and monitoring industry-standard tools for email security (SPF, DKIM, and DMARC), Macktez can help ensure that outgoing email using your organization’s domain is not spoofed, providing email recipients greater confidence that messages from you are authentic.
– Sign up for simulated phishing campaigns from Macktez. We can purposely send (harmless) email to your staff every quarter to train them to recognize phishing.
– Click the “spam” button in your inbox to train your email service to recognize illegitimate emails. Large email providers like Google and Microsoft aggregate user feedback to improve their own filters so that these kinds of emails never reach your inbox.
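To show what SPF, DKIM and DMARC actually control, here is an added example (written for this page, not a Macktez tool) that evaluates a domain's published records and reports the settings that leave it open to spoofing. The DNS answers are constructed for a hypothetical domain, example.test, one set weak and one set hardened; a real checker would resolve them with a DNS library, and the DKIM selector name (sel1) is an assumption, since selectors are chosen by whoever set up signing.

```python
"""Evaluate SPF, DKIM and DMARC TXT records for weak settings.
Added example for this page; the DNS data below is constructed."""
import re

# Constructed DNS TXT answers, keyed by record owner name (no real lookups).
WEAK_DNS = {
    "example.test": ["v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.example.test": ["v=DMARC1; p=none"],
}
STRONG_DNS = {
    "example.test": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism: '+', '-', '~', '?',
    or None when the record has no 'all' term at all."""
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"   # a bare 'all' means '+all'
    return None


def evaluate_domain(domain, dns, dkim_selectors=()):
    """Return (severity, mechanism, message) findings for the domain."""
    findings = []

    spf = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("high", "SPF", "no SPF record: any server can send mail claiming this domain"))
    elif len(spf) > 1:
        findings.append(("high", "SPF", "multiple SPF records: receivers treat this as a permanent error"))
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier in ("+", None):
            findings.append(("high", "SPF", "'all' missing or +all: every sender passes SPF"))
        elif qualifier == "?":
            findings.append(("medium", "SPF", "?all is neutral: unlisted senders neither pass nor fail"))
        elif qualifier == "~":
            findings.append(("info", "SPF", "~all is softfail; -all gives receivers a clear fail"))

    dmarc = [r for r in dns.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("high", "DMARC", "no DMARC record: receivers cannot enforce alignment"))
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC", "p=none only monitors; spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("info", "DMARC", "p=quarantine sends failures to spam; p=reject blocks them"))
        elif policy != "reject":
            findings.append(("high", "DMARC", f"unrecognised policy {policy!r}"))
        if "rua" not in tags:
            findings.append(("medium", "DMARC", "no rua= address: you will not see aggregate reports of spoofing"))

    # DKIM keys live under <selector>._domainkey.<domain>; the selector names
    # come from the DKIM-Signature headers your mail system adds.
    for selector in dkim_selectors:
        name = f"{selector}._domainkey.{domain}"
        if not any("p=" in r for r in dns.get(name, [])):
            findings.append(("high", "DKIM", f"no DKIM public key published at {name}"))
    return findings


if __name__ == "__main__":
    for label, data in (("weak", WEAK_DNS), ("strong", STRONG_DNS)):
        print(f"{label}:")
        for severity, mechanism, message in evaluate_domain("example.test", data, ("sel1",)):
            print(f"  [{severity}] {mechanism}: {message}")
```

The weak set produces three findings (neutral SPF, a monitor-only DMARC policy, and no reporting address), while the hardened set produces none. The reporting address matters as much as the policy: the aggregate reports it receives are how the monitoring half of "configuring, enabling, and monitoring" is done.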