Cybersecurity is one of the hottest issues in today’s workplace. Every employee must adhere to their company’s cybersecurity best practices, such as protecting data and using strong, effective passwords. Equally as important is being aware of the more common cyber attacks, especially phishing.
Phishing is a cybercriminal’s attempt to obtain sensitive company data or your personal information by representing themselves as a legitimate party in an email. A phishing attack could result in the loss of important company information as well as personal usernames, passwords, credit card numbers, or identity theft. If you have any questions at all about the legitimacy of an email, do not click on any links, and do not respond. Contact your security office for further instructions. It is important that your company leaders are aware of all attempted attacks as they are involved in annual Cybersecurity Budget Planning.
You have likely received one or more of the following phishing emails:
1. Classic Phishing Emails
A deceptive phishing email is typically used to obtain personal information or login credentials. A classic example is the tech support scam. We have all received them – from Microsoft, PayPal, Apple or any other company that we have accounts with. At a glance, they look legitimate and are usually pretty alarming with wording such as “we’ve detected something unusual” or “we’ve temporarily suspended your account”. But if you look closer, it is not difficult to tell that it is fake because it will likely include:
- A generic greeting as opposed to personalized
- Grammar and spelling mistakes that simply would not occur in a professional email
- A non-recognizable web address when you hover over the links
If you are at all suspicious, do not click on any of the links, and certainly do not enter any personal or company information.
2. Infected Attachments
Email attachments are a common way for cybercriminals to obtain your personal and login information. Attachments may be .doc or .js but the most dangerous are .html attachments. They are often overlooked by antivirus software, as .html is not usually associated with phishing attacks. Further, because you are used to seeing .html attachments from your bank or credit card company, you might be likely to open the attachment without giving it a second thought. Do not open attachments unless you are expecting one and, even at that, a phone call to confirm that it is legitimate is a good idea.
Another type of infected attachment used in phishing attacks is macros with payloads. A macro is a crafted script that runs in the background of Microsoft software. You never even know it is there, and the payload is the ransomware that it hopes to install on your computer. The key is to keep your macros disabled and do not enable them unless you verify the attachments are not harmful.
3. Social Media Exploits
Several social media sites have been the target of attacks. Many Facebook users have received messages in their Messenger account from the account of someone they know. Clicking on the attached image file could result in the installation of malware on your computer. Even though it appears to have come from a friend, do not open any Messenger attachments without confirming that it is legitimate.
LinkedIn is also a popular target because of the vast amount of personal and professional information it contains. The hackers use this data to craft emails allegedly from your bank or other financial institutions. Be careful and limit your personal information if possible.
4. CEO Fraud Scams
CEO Fraud is an attack in which the cybercriminal impersonates a company executive and instructs employees in Human Resources or Accounting to send out confidential information or to make an unauthorized money transfer. Unless you had prior notice of this request, always confirm before acting.
These are just a few of the more common phishing exploitations you might encounter, both in your personal and professional life. Be aware and, if you have any concerns, confirm before acting.