
Most, if not all, of us have heard the most famous phishing story of them all: how the ancient city of Troy, after ten years of war, finally fell after a raiding party was allowed into the gates by hiding in the belly of a constructed wooden horse. It’s true… the legend of the Trojan horse, already associated by name with a nasty cyberattack, is arguably also a cautionary tale about how effective phishing can be.
Let’s go over how you can help protect your business from falling for this truly classic ruse.
What is Phishing?
As (hopefully) a refresher, phishing is the use of subterfuge and misrepresentation—rather than programming—to manipulate a target into acting exactly how the cybercriminal needs them to act. Frequently seen in email format, phishing can present itself in any form of communication.
Keep this in mind! While the following examples will focus on email-based phishing, every kind of phishing attack follows a somewhat similar playbook; it will just be presented in a different format. Phishing is phishing, whether it comes in the form of an email, a physical letter, or even a phone call.
Common Tropes in Phishing Attacks
Urgency
An attacker doesn’t want you to think rationally when you receive a phishing email. They want you to give in to your baser instincts and skip any critical thought, just reacting to what they say. One highly effective method they frequently employ is the use of urgency, such as claims that you need to act immediately to prevent a dire issue.
Any time you see this kind of extreme and fear-mongering language, you should immediately go on the alert.
Overly Generic Greetings
Legitimate businesses are less and less likely to use overly generic greetings. Why would they? They likely have your contact information, and connecting with an audience through personalization is Marketing 101.
By extension, a super-generic greeting is a sign that the person reaching out doesn’t have an existing relationship… as a scammer likely wouldn’t.
Unknown Senders
Many phishing attacks attempt to identify individuals with whom you may be communicating and either pose as a member of that organization or one that operates in the same field. Pay attention to the address a message was sent from… does it match others that come from the organization that apparently sent it? If not, reach out via a different, confirmed means of communication to verify its legitimacy (or, unfortunately, lack thereof).
Suspicious Links
Similarly, spoofed messages will often contain links that direct you to websites the scammer controls, where they hope you’ll hand over your legitimate credentials for them to steal. A good way to spot links that don’t go where they claim to is the hover test. By hovering your cursor over the link (crucially, WITHOUT clicking), you can see the link’s real destination in the bottom corner of your window. If it doesn’t appear to match what the message suggests, don’t click.
Unexpected Attachments
Likewise, email attachments can often be used to deliver an attacker’s payload, disguised as invoices or other common enough attachments. Again, you and your team must refrain from clicking on any unexpected attachments without verifying their legitimacy through a secondary form of communication.
You and Your Team Need to Act Like a Human Firewall
How can you accomplish this? In a word: training.
Think of it this way: you can implement whatever you want to as a protective measure, but you won’t really be protected if your team isn’t taught how to resist the threats that are focused on them. We can help shore up this vulnerability.
By combining modern security protections with team training and evaluation, Lantek can help you foster a company culture that has its roots in security. Interested in learning more? Reach out to us at (610) 683-6883 to learn more about what we can offer your business.