The world is continuing to focus on the health and economic conditions surrounding the Covid-19 pandemic and cybercriminals are using the distraction and the shift of many workforces to remote working as a means to prey on organizations of all sizes.
One way that cybercriminals are targeting businesses is by phishing users who are working from home and may not be thinking as actively about avoiding phishing as they would in the office. Not only are criminals preying on distracted minds, they are also sending emails and phishing attempts that relate specifically to Covid-19 to target individuals and businesses. Google reports that in addition to the 100 million phishing emails it blocks every day, it has recently been seeing 18 million daily malware and phishing emails related specifically to Covid-19. It is now more important than ever to keep educating your team on how to avoid falling victim to phishing schemes and what to watch for.
In an effort to help you remind your users to watch out for phishing and spoofed emails we have compiled a list of things to have your team watch for when sending and receiving emails. We suggest you forward the below information on to your team so that they keep phishing top of mind and you avoid a devastating security breach in the midst of these uncertain and stressful times.
Send the below information to your entire team:
What is Phishing?
Phishing is an attempt, by criminals who pose as a legitimate source, to lure individuals into providing sensitive information. These criminals target individuals by email, telephone, or text message in hopes of gathering personally identifiable information, such as banking and credit card details and passwords. These attempts come in many different forms with attackers masquerading as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. Messages will try to trick victims into clicking a link that asks for login credentials or downloading an attachment that installs malware onto the victim's device.
Phishing is an example of social engineering which is a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying – all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.
Recognize Phishing Attempts by Watching for These Red Flags
Request for login credentials – No legitimate company will ask for your login credentials via email. If you get an email asking you to reply with your login credentials (or any other personal or business information), it is always best to open your web browser, go directly to the company's website, log in there, and check whether you have any messages or notifications. Never reply with sensitive information, even if the request appears legitimate.
Link included asking for personal information – On a similar note, if you are sent an email that includes a link asking you to enter any sensitive information (login credentials, SSN, banking information, etc.), it is best to double-check with the source before entering any of the requested information. Criminals successfully trick targets with links by making the landing pages look so realistic that it is hard to tell you are actually on a fake site built to collect information. Again, it is best practice to go directly to the website you are familiar with by typing the address into your web browser and entering any personal information there, rather than clicking any links that arrive via email. If you are ever suspicious, reach out to a customer service representative at the company before clicking a link.
False sense of urgency created – One way cyber criminals target victims is by creating a false sense of urgency to trick you into doing something without fully thinking it through. If you receive an email asking you to complete a task or hand over personal information, and you are being asked to do it urgently, there is a good chance you are being targeted for phishing of your confidential information. It is always best practice to check with the source directly, whether it is a coworker, someone you work with elsewhere, or a company you are familiar with, before acting on any request that comes in via email, especially when a short time frame is specified.
Spelling/grammar mistakes – An easy way to weed out phishing emails is by paying attention to grammar and spelling mistakes. While we all occasionally make an error when sending an email, phishing emails are often written by a criminal who is not fluent in English and will make errors in his/her spelling or grammar. If an email claims to be from a legitimate company or contact and has spelling or grammar issues that stand out, it is very likely from a cyber criminal attempting to phish for confidential information.
Includes an attachment or download that was unexpected – If an email includes any sort of attachment, or links you to a location to download something, it is always best practice to double-check before clicking or downloading. Cyber criminals often infect devices by getting victims to download items that appear legitimate but can sit in the background, infect machines, and collect information over time. Where possible, go directly to the trusted website in your web browser and download the file from there instead.
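The red flags above are also the kind of heuristics an email security team can check automatically before a message reaches an inbox. The script below is an added example and is not code from the original article or its authors: it parses a constructed sample message and looks for four of the flags listed above (a request for credentials, urgency wording, links whose visible text points at a different domain than the real link target, and an unexpected risky attachment). The keyword lists, file extensions, sample addresses and the decision to report each flag separately are all assumptions made for the example; the spelling/grammar red flag is left to a human reader.

```python
import os
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email) that shows several red flags at once.
SAMPLE_EMAIL = """\
From: "Payroll Team" <payroll@examp1e-payroll.invalid>
To: employee@example.com
Subject: URGENT: Verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to Covid-19 changes, please reply with your username and password
immediately or your access will be suspended today.</p>
<p>Or verify here: <a href="http://login.examp1e-payroll.invalid/verify">https://payroll.example.com/verify</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Assumed keyword lists; a real deployment would tune these to its own mail traffic.
CREDENTIAL_WORDS = re.compile(
    r"\b(password|passwords|login credentials|username|ssn|social security|"
    r"bank(?:ing)? (?:details|information)|credit card)\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(urgent(?:ly)?|immediately|within \d+ hours?|today|suspended|expires?|act now)\b", re.I)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".zip", ".docm", ".xlsm", ".iso", ".hta"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating a missing scheme (e.g. 'www.example.com')."""
    parsed = urlparse(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def _looks_like_url(text):
    return re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I) is not None


def find_red_flags(raw_message):
    """Return a dict of red-flag name -> evidence found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    text_blob = msg.get("Subject", "")
    links = []
    attachments = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
            continue
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, errors="replace")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(text)
            links.extend(collector.links)
            text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip for keyword search
        text_blob += " " + text

    flags = {}
    credentials = sorted({m.lower() for m in CREDENTIAL_WORDS.findall(text_blob)})
    if credentials:
        flags["credential_request"] = credentials
    urgency = sorted({m.lower() for m in URGENCY_WORDS.findall(text_blob)})
    if urgency:
        flags["urgency"] = urgency
    # A link whose visible text is itself a URL on a different domain than the real target.
    mismatched = [(href, text) for href, text in links
                  if text and _looks_like_url(text) and _host(href) != _host(text)]
    if mismatched:
        flags["mismatched_links"] = mismatched
    risky = [name for name in attachments if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS]
    if risky:
        flags["risky_attachments"] = risky
    return flags


if __name__ == "__main__":
    for flag, evidence in find_red_flags(SAMPLE_EMAIL).items():
        print(f"{flag}: {evidence}")
```

Each flag is reported on its own rather than collapsed into a single score, so a reviewer (or a mail gateway rule) can decide how many of them justify quarantining a message; none of these checks proves a message is malicious by itself, which is why the article's advice to verify with the source directly still applies.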
What if I may have clicked on a phishing link?
If you do happen to click on a link that seems suspicious, contact your IT staff at 1.800.358.7447 right away. Once you have clicked a phishing link, your computer can be vulnerable to follow-on phishing methods and your personal information could be unsecured.