By Kevin Hutchinson, CISSP
According to a recent study, more than 91% of all phishing attacks in 2016 targeted five industries: financial institutions, cloud storage/file hosting services, webmail/online services, payment services, and ecommerce companies. That is an eye-opening statistic that should make everyone nervous, especially given that as consumers these are industries we share our personal information with regularly.
Hackers have a specific goal: get information from you that you might not otherwise reveal willingly. They do that through several means, the most common of which is phishing. With the explosion of social media and more sophisticated phishing techniques, it has become increasingly difficult to protect yourself from the online threats that await your anxious click.
As a CISSP, I’ve seen the impact that phishing scams and subsequent data breaches can have on organizations. A 2017 study shows the average cost of a data breach for a U.S. company is now approximately $7.35 million.
If that sounds like a number you can’t afford, consider sharing this blog post with your employees and colleagues to help keep you and your data safe from email phishing schemes.
Don’t open an email from someone you don’t know. This may sound obvious, but hackers are pros at developing a carefully crafted email that appears to come from a valid source, such as a bank, big box store, or online retailer. But if you have never done business with them, then how did they get your information? Emails like this should be an immediate red flag. In most cases you are better off simply deleting the email.
Don’t “click here.” A common phishing technique is to embed a link in an email that on the surface looks legitimate and appears to lead to the company’s site. In a phishing email, however, the link directs you to a URL operated by the hacker, with pages designed to look exactly like the legitimate website. Instead of clicking on the link provided, go to the company’s main page yourself and look for what is described in the email.
Don’t click “unsubscribe.” This is an extremely tricky tactic, since most people are willing to hit an “unsubscribe” button within an unwanted or unfamiliar email. The reality is that hackers intentionally send you multiple emails to get you to click “unsubscribe” in the hope of stopping them. The unsubscribe link provided is a method commonly used to deliver malware or other malicious payloads to your computer, and it is also a method that spammers use to validate that an email address is live.
If the site is legitimate, they will have a validated method for unsubscribing from their email list, so try searching the company’s web site for subscription settings instead. If that doesn’t work, you should be able to flag the email as spam or add the sender to your “blocked senders” list.
Safeguard your information. Never willingly give information to someone without some way to verify who they are and why they need it. No company—not even your bank or other financial institution—should ever ask you for your password, social security number (SSN), credit card number or other personal data via email. It is not unusual for companies to ask for the last four digits of your SSN or a PIN code for verification, but that is the most information you should provide even to a credible source. Again, be sure to verify who they are before you give them any information.
Phishing through email and social media does not appear to be going away anytime soon, and hackers are finding new and more creative ways to extract information from people. As a leader in cybersecurity, IGI is here to help educate people in ways to safeguard their data.
Let us help protect your data today with a customized cyber awareness training plan, vulnerability assessment or system audit. IGI provides these solutions and many others, so reach out today to share your security concerns and we’ll help you solve, simplify, and secure.