If you’ve been following our Phishing series you’ll remember that we’ve previously discussed What Phishing Is and How to Decrease Your Exposure. For our third and final blog in this series, we’re going to discuss the number one thing that every person can do to decrease the chances of a successful phishing attack.
That is to increase your security awareness.
The threat landscape is always adapting and changing with bad actors trying to use the latest and greatest tricks. But if you subscribe to a few core awareness practices, you can decrease the likelihood of falling for a phishing scam.
Our goal isn’t to sound like a broken record; it’s just that this advice fits with both decreasing your exposure and increasing your awareness.
We’re often asked by our clients why we recommend blocking things like webmail sites on business networks. It isn’t because we’re trying to play hall monitor and make sure you are working. It’s important to have a clear delineation in your mind (and devices) between emails sent to your business email account and those sent to your personal account. This limits confusion that can occur when you have multiple email windows open.
As we’ve mentioned, we also recommend that you avoid using your work email for any personal accounts like shopping or social media. That way when you receive that email notification that claims to be from Facebook to your work email, you know you should just delete the email and move on as it is almost certainly fake.
If you are checking both your work and personal emails on the same machine while you are at work, even if they are in separate programs, testing has shown you are much more likely to blur those lines and not even think about the fact that the email came to the wrong account.
When you get an email, the FROM line is one of the first places to pay close attention. In some email clients, you may have to hover your mouse over the FROM name or double-click it to see the actual email address behind it. If you see an email from “Chase Bank”, but the actual email address behind it is bobhacker@gmail.com, that’s a big red flag.
However, sometimes it’s not quite that obvious. We’ve seen very targeted phishing emails where the attackers have specifically gone to the trouble of registering a brand-new domain that is close to the legitimate domain, just for the purpose of sending the email.
Take our domain here at LammTech as an example. How hard would it be for you to notice the difference between an email sent from noreply@lammtech.com and one sent from noreply@lanmtech.com? We’ve seen a specific instance where the “target” company has double S’s in their domain name. The attacker registered a new domain that was the same except with three S’s instead of two. For the purposes of our example, we’ll call the target company’s domain wellnessproducts.net. How hard would it be to spot the difference between that and wellnesssproducts.net?
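One way to put the FROM-line checks above into code, as an added example that is not LammTech’s own tooling: the sender’s real domain is compared against a constructed list of trusted domains, flagging near-miss spellings (lanmtech.com, wellnesssproducts.net) by edit distance and display names that claim a trusted brand from an unrelated address (“Chase Bank” from gmail.com).

```python
# Added example, not code from the original post. TRUSTED_DOMAINS is constructed.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"lammtech.com", "wellnessproducts.net", "chase.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_from(from_header: str) -> tuple[str, str]:
    """Return (display name, domain of the real address) from a From: header."""
    name, addr = parseaddr(from_header)
    return name.lower(), addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Classify a From: header as trusted, lookalike, spoofed-name or unknown.

    lookalike:    the domain is within max_distance edits of a trusted domain
    spoofed-name: the display name claims a trusted brand but the address is not
                  from that brand's domain (the "Chase Bank" from gmail.com case)
    """
    name, domain = split_from(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_distance:
            return "lookalike"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]          # e.g. "chase" from chase.com
        if brand in name:
            return "spoofed-name"
    return "unknown"
```

A mail gateway or a user-facing add-in would surface anything other than "trusted" for a second set of eyes, which is exactly the advice in the next paragraph.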
If there is any question in your mind about whether an email is suspicious, always ask for a second set of eyes to take a look!
Always be suspicious of links in emails. The nature of how links are “coded” in an email makes it extremely easy to hide the real destination of a link. The text may say https://www.eBay.com but when you click on the actual link, it may be taking you somewhere completely different. Most email clients have a feature allowing you to hover over the link text to show you in a pop-up window what the actual link is. This can be helpful, but still not always foolproof.
Many of us have received an email with a link that then requires us to sign in. These often look like applications or programs we use, so we don’t give them much thought. We’re always going to recommend that you stop and think twice! You can open a new web browser window and type in the address of the site yourself. You should be familiar with the exact web addresses of places like your bank, credit card company, etc. Typing in the address yourself instead of using the link helps ensure you’re using the legitimate site.
You shouldn’t rely on Google searching the bank’s website and clicking a link there, as that may not take you to the legitimate site either. A hacker can use the same tools your business would to get their spoofed site to the top of Google’s rankings.
Anytime you are about to type in your username and password to sign into any service, verify that the address bar of the browser shows what you are expecting it to. If your company utilizes Microsoft 365, we highly recommend asking your M365 administrator to customize that login page. While this doesn’t prevent an attacker from duplicating the login page customization, it does at least add one more step that the attacker must take to fool users.
True security awareness requires constant vigilance and ongoing education. Attackers are always finding new ways to attempt to fool users. As a recent article by Mathieu Gorge in Forbes Magazine put it, “Cybersecurity is a journey, not a destination.” Educating users about security awareness is not a one-time process. To be successful, an end-user security awareness training program needs to be ongoing and updated regularly to address new threats. As we mentioned earlier, the weakest link in any security chain is people. The best way to strengthen this weak link is continuing education: users keep learning about threats, how to recognize them, and what to do when they encounter them.