As your customers work from multiple locations including the office, home and on the road, it is easier than ever for cybercriminals to trick them into falling for a phishing attempt. You can help your customers avoid being a victim by sharing these seven tips on how to spot them.
What is Phishing?
A phishing attack is a type of cybersecurity threat that targets users directly through email, text or direct messages. In one of these scams, a cybercriminal poses as a trusted contact (a bank, a vendor, a colleague) to get an unsuspecting user to hand over data such as login credentials, account numbers and credit card information, or to open a malicious link or attachment.
While there are several types of phishing, the purpose behind all of them is to steal sensitive information or deliver malware. Here are three of the most common phishing attempts.
Spear Phishing
While many phishing attempts use spam-like tactics to reach thousands of inboxes at once, spear phishing attacks target specific individuals within an organization. Hackers customize their emails with the target’s name, title, work phone number and other information to trick the recipient into believing that the sender knows them personally or professionally.
Whaling
Whaling is a type of spear phishing that targets CEOs and other high-level executives. These are high-value targets since they often have broad access to sensitive corporate data and the authority to approve payments.
BEC (Business Email Compromise)
BEC attacks impersonate senior executives or trusted vendors to trick employees, customers or vendors into wiring payments for goods or services to accounts the attacker controls. According to the FBI's 2019 Internet Crime Report, BEC scams accounted for the largest reported losses of any cybercrime category in 2019.
7 Tips to Spot a Phishing Attempt
Cybercriminals are becoming more creative when designing phishing attempts. Share these seven tips on how to identify potential phishing attempts with your customers so they can avoid falling for them.
1. Assume every email is a phishing attempt
Your customers should take a “trust no one” approach when opening email: treat every unexpected message as a possible phishing attempt until the sender and the request have been verified. Encourage them to consider Zero-Trust Network Access, which brokers access to private applications per user and per application instead of exposing those applications on the internet, so that a credential or device compromised through phishing reaches less.
2. Check and verify email addresses
One of the easiest and most useful habits is to have users check and verify the “From” address of the email, not just the name shown next to it. The display name is chosen by the sender, so a familiar name can sit in front of an unrelated address; look at the actual address and its domain, and be aware that even the address can be forged if the claimed domain does not enforce SPF, DKIM and DMARC. This check should be done every time an email from a bank, payment service, retailer or government agency arrives unexpectedly, especially at a work address that has never received such mail before.
3. Read emails carefully
It may sound obvious, but by reading the email copy carefully, users can usually spot something that seems “off”, including:
- An email with an “urgent” request
- An email offering the user something that’s “too good to be true”
4. Check grammar and spelling
Poor grammar and misspelled words in an email are red flags; formal communications from a bank, credit card company or the IRS rarely contain them. The converse does not hold: well-written phishing is common, so clean copy is not evidence that a message is legitimate. If the tone of voice seems unusual for the supposed sender, treat the message as suspect.
5. Look for your name
Be wary of generic salutations in an email. Legitimate companies, especially those with which you have accounts or have done business, typically address you by name rather than with a generic greeting such as “Dear Madam” or “Dear Customer.” Keep in mind that spear-phishing emails are personalized, so a correct name is not proof of legitimacy either.
6. Watch out for emails containing unusual requests
Encourage your clients to look for any unusual or odd requests in their emails. Most fraudulent emails ask the recipient to do something: reply with information, click a link, open an attachment, or change payment details. A request that bypasses a normal process, such as a known vendor’s “new” bank account, a purchase of gift cards, or a wire transfer that must happen today, should be confirmed out of band, by phone at a number already on file, before anyone acts on it.
7. Be wary of links and attachments
Cybercriminals want users to click a link or open an attachment; either can lead straight to a credential-harvesting page or a malware download. Avoid clicking links or opening attachments in emails from unfamiliar sources. When in doubt, hover over a link (long-press on a mobile device) to see the real destination URL before clicking, and compare that domain with the domain the message claims to come from; look-alike domains, URL shorteners and link text that is itself a different URL are warning signs. For attachments, check the file name and type rather than trusting the icon: archives, scripts, HTML files and Office documents that ask you to enable macros are common carriers.
Phishing is one of the most common ways malware and ransomware first get into an organization. In addition to these seven tips, you can boost your customers’ security knowledge with Fortinet’s Security and Awareness Training. This SaaS-based offering helps IT, security and compliance leaders build a cyber-aware culture in which employees recognize and avoid falling victim to cyberattacks, including phishing.