Did you know that upwards of 85 percent of all organizations today have been victims of some type of phishing attack? And with the average cost of a successful phishing scam ringing in at around $1.6 million, the problem is very real. What’s more, it’s not just everyday employees being targeted. In fact, 1 in 3 companies are routinely attacked in the form of CEO fraud emails.
These statistics should bring to light the critical importance of protecting your organization – regardless of size or industry – against potential malware attacks, and as always, the best defense is a good offense. To prevent your employees (particularly those in the C-suite) from being bested by a hacker, here are the red flags to train them to watch for.
Poor Grammar and/or Spelling – One of the first clues that a particular message might have been sent with malicious intent is the quality of the content within. While email filtering catches most harmful messages, some will inevitably slip through. A message from an unknown sender containing poor grammar, misspelled words or content that isn’t logical should raise some red flags.
Mismatched URLs – The goal of a phishing campaign is to give the appearance of authenticity in order to convince the recipient that it’s ok to open an attachment or click on an embedded link. In the latter case, the link text may look completely legitimate when, in fact, the underlying hyperlink leads to a malicious site. To counter this, all employees should be encouraged to hover over links to verify that the actual destination matches the displayed text.
Misleading Domain Names – Another trick many hackers use in phishing scams is to use misleading domain names to make unsuspecting recipients believe a URL is trustworthy. This can easily be identified by how the URL is laid out. For instance, a phishing artist may attempt to trick a victim by creating a child domain with a familiar name, such as Apple, and then linking it to a malicious site. The result might be something like: Apple.maliciousdomainname.com. Because a domain name is read from the right, the part that identifies the owner is the registered domain immediately before the top-level domain (maliciousdomainname.com here), not the familiar label placed in front of it. Educating employees on how DNS naming structure works can help quickly detect and address any potential fraudulent messages before they are successful.
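The two URL-based tells above (link text that does not match the real destination, and a familiar brand name used as a subdomain of an unrelated registered domain) can be checked automatically on an HTML email body. The following is an added example, not code from the original article: the trusted-brand list and the sample message are constructed, and `registrable_domain` uses a deliberately simple "last two labels" rule that does not handle multi-label public suffixes such as co.uk.

```python
"""Flag mismatched links and misleading subdomains in an HTML email body.
Example code; brand list and sample message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the organization expects legitimate mail from.
TRUSTED_DOMAINS = {"apple.com", "paypal.com", "microsoft.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Extract a lowercase hostname from a URL or bare domain; '' if none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """Visible link text that itself reads as a URL or hostname."""
    return "://" in text or ("." in text and " " not in text)


def find_red_flags(html_body: str):
    """Return (tell, evidence, destination_host) tuples for suspicious links."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue
        # Tell 1: the displayed text is a URL, but the real destination differs.
        if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(target):
            flags.append(("mismatched_url", text, target))
        # Tell 2: a trusted brand appears as a subdomain label while the
        # registered domain (the labels just before the TLD) is not the brand's.
        subdomain_labels = target.split(".")[:-2]
        if registrable_domain(target) not in TRUSTED_DOMAINS:
            for brand in sorted(TRUSTED_DOMAINS):
                brand_label = brand.split(".")[0]
                if brand_label in subdomain_labels:
                    flags.append(("misleading_domain", brand_label, target))
    return flags


# Constructed sample: one deceptive link, one legitimate link.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please verify at <a href="http://apple.maliciousdomainname.com/login">https://www.apple.com/account</a>
or contact <a href="https://support.apple.com/">Apple Support</a>.</p>"""

if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EMAIL):
        print(flag)
```

Running the block prints one `mismatched_url` flag and one `misleading_domain` flag for the first link and nothing for the second, because support.apple.com resolves to the trusted registered domain apple.com. A production filter would replace the two-label heuristic with a public-suffix list and would also inspect the link's redirect chain, which this example does not do.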
Requests for Personal Information – Regardless of how official an email may appear, if the message contained within requests personal information, proceed with extreme caution. Remind employees to always take a step back and assess the logic of these types of messages. Banks or credit card companies don’t need customers to provide their account numbers. Likewise, reputable senders will never ask for things like passwords, credit card numbers or anything else that’s confidential in nature.
Unsolicited Contact – If receiving an email filled with lofty promises seems too good to be true, it probably is. Furthermore, if you didn’t do anything to initiate the contact in the first place, it’s almost certainly going to be some type of scam. Any such message should always be regarded with suspicion and great caution.
Messages Containing Threats – While most phishing campaigns lure victims with the promise of enrichment, some hackers instead rely on intimidation tactics to scare recipients into giving up sensitive information. For instance, an email like this might appear to be from a trusted and respected sender, such as a bank or the IRS, and it might contain a message threatening account closure or asset seizure if money or personal information isn’t provided. These types of intimidating messages should raise a red flag.
Something Just Doesn’t Look Right – Last, but certainly not least, intuition can often be enough to flag a potentially harmful email. Teach employees that if they receive a message that gives them pause, for whatever reason, they should trust their gut and escalate it accordingly. After all, it’s always better to be safe than sorry.
Are you doing enough to protect your organization against phishing and other malicious campaigns? Educate your employees on what red flags to watch for and remind them to never click on a link or open an attachment from an unknown or suspicious sender. Then, fortify your cybersecurity incident response strategy with automation.