The people who send phishing emails are clever email marketers. They get a user to engage and they do this by preying on your emotions and what’s familiar.
One of the ways to avoid this scam is by exercising vigilance and trusting your instincts. If something feels off, it probably is. The whole point of phishing (and its more tailored and targeted counterpart, spear-phishing) is to get you to do something that doesn’t raise alarm bells, so you need to practice skepticism even when things seem fine. You should generally be reluctant to download attachments and click links, no matter how innocuous they seem or who appears to have sent them.
One of the most important things you can do is, whenever something is being asked of you (some sort of call to action), think about the context of what the sender is asking you to do. If there’s a sense of urgency, that’s when you should be a smart skeptic and slow down.
Anti-phishing training works: people who have had a recent lesson are measurably better at avoiding phishing attacks than those who haven’t had one in a while, or at all. Ask us about our Anti-Phishing training.
Consider the Source
This is particularly important and difficult now that attackers can send spear-phishing emails that look like they are from your clients, vendors, Google and even Microsoft. Things get even more complicated in cases when the messages are from legitimate sources, because attackers have taken over a real email account and are phishing from it.
We have been told for years, “Don’t click emails from someone you do not know,” but attackers now originate their phishing emails from people you know. Why wouldn’t you click an email from somebody you know or communicate with on a regular basis? Attackers use that technique to compromise your email and propagate malware and ransomware.
So what can you do? Scrutinize the address where the email is coming from and the text of any URLs it contains to weed out email@example.com from firstname.lastname@example.org. If the source is legit, but the text is out of character, ask yourself, “Would my client, vendor or co-worker really send me this email?”. Check for typos in an email subject or body. Again, if something feels wrong about an email that someone you know sends—especially if it has a request in it—bear in mind there’s a distinct possibility they’ve been hacked. Reach out to them separately and ask if they sent you an email.
If you get an email that appears to come from Microsoft asking you to click a link to change your password or to activate your account because it is about to expire, or if you are suspicious of any email, forward it to IsItSpam@SiRON.ca so that we can investigate and advise you.
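The two checks described above (does the real sender address match the name it claims, and does the visible link text match where the link actually goes) can be automated for a mail-screening or awareness tool. The following is an added example written for this article, not SiRON’s own tooling; the message, the domains and the trusted-domain list are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name and the visible link
# text imitate a known brand, but the real address and href point elsewhere.
SAMPLE_EML = """\
From: "Microsoft Account Team" <support@example.org>
To: user@example.com
Subject: Your password expires today
Content-Type: text/html

<p>Click <a href="https://login.example.net/reset">https://login.microsoftonline.com</a>
to keep your account active.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or URL-looking text; '' if the text is not URL-like."""
    value = value.strip().rstrip(".")
    if " " in value or "." not in value:
        return ""
    parsed = urlparse(value if "://" in value else "https://" + value)
    return (parsed.hostname or "").lower()


def check_message(raw, trusted_domains):
    """Flag a sender outside the trusted set and links whose shown host != real host."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    mismatched = [(text, href) for text, href in collector.links
                  if host_of(text) and host_of(text) != host_of(href)]
    return {"sender_domain": sender_domain,
            "sender_trusted": sender_domain in trusted_domains,
            "mismatched_links": mismatched}
```

A flagged result is a prompt to verify with the sender out of band, exactly as the article advises, not proof of compromise on its own.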
Best Practices to Avoid Phishing Scams
- Get Anti-Phishing Training for yourself and your employees
- Do not trust email links
- Do not download and open unsolicited attachments
- Never share your password with anyone
- Never enter your account name and password on a page you reached by clicking a link in an email
- Change your passwords often
- Never enter sensitive information in a pop-up window
- Look for HTTPS and not HTTP when logging into a site and entering sensitive information
- Have multiple copies of your data backed up
Never hesitate to send us an email at IsItSpam@SiRON.ca when in doubt.