Between work and personal accounts, you receive dozens of emails a day. When you get one confirming a $600 Amazon purchase that you don’t remember making, well, hopefully you’ll realize that it’s not what it seems to be.
Social engineering: the art and science of malevolent persuasion.
Email phishing scams are essentially a con game, trying to convince you to respond with information that can be compiled and used to steal money or do other damage to you or your business.
Most of us are trusting by nature, and scammers can get pretty creative about exploiting that trust. Plus they’re getting better at making their phishing emails look like normal ones from your normal vendors.
Recognizing personal phishing scams.
• Are there any spelling or grammar errors in the email text? As technically adept as they are, online criminals, especially those overseas, can be pretty sloppy with their content.
• Does anything look a bit off in that suspicious email? Perhaps the company logo looks like a copy of a copy.
• Is there a sense of urgency, trying to get you to respond right away? The evil-doers are hoping that busy people will just comply so they can get back to work.
• When you check the email’s From address, is the part after the @ different from the domain you see when you go to the company’s website directly in your web browser?
• Does the email start with, “We noticed some unusual activity on your account”? If it asks you to log in to prove you are the actual account holder … red flag! Chances are, that email itself is the only unusual activity.
• Does the topic have anything to do with money? Perhaps it’s a legitimate-sounding request for payment, or a change of banking information. Time to dig deeper.
• Is what they’re offering too good to be true? Maybe it’s an unexpected refund from a company you’ve never used. Claim your cash just by providing a few bits of info. Lucky you, heh heh.
Avoiding personal phishing scams.
• If a suspicious email is obviously a fake, ignore it. If you’re not quite sure, put it aside until you’ve had a chance to check it out.
• Even if the information provided in the email seems dire, urgent or compelling, you have time to claim that supposed refund. Do not act while stressed or exhausted. Sleep on it. Take action with a clear head.
• If the email is from a firm that you do business with, log on to their site as you normally would, to see if there are any messages or alerts. You can also call the organization by phone for verification.
• Never use the log-on link in the email, which could give the spammers just what they want – your username and password.
Watching out for phishing scams at your business.
• A worker in Accounts Payable gets an email from a regular vendor. She clicks on the attached ‘invoice’, which turns out to be key-logging malware that can now capture all her passwords. She failed to notice that the invoice arrived at the wrong time of the month.
• An HR employee opens an email from a job applicant, who has attached a zip file containing their resume and cover letter. The HR guy clicks on the zip icon, which is actually an executable file that immediately starts infecting the company’s entire network. He had forgotten previous warnings about opening zip files.
• A field manager receives an urgent emailed request from a superior in the company’s home office. It’s asking for employee profile details, which apparently all the other field managers have already supplied. They quickly comply, even though the questions seemed unusually personal. Later, they find out that no such official request was ever made.
In each case, disaster could have been avoided with closer attention to potential red flags.
Human solutions for avoiding business phishing scams.
• Raise your general level of alertness to anything that seems the slightest bit off. Typically these days, employees are careful about giving out information, but hectic work situations combined with the phisher’s sense of urgency can result in the one slip that does incalculable damage. Slow down and think before you click.
• If you’re unsure, check via direct verbal communication with the email sender who’s making a request. When that request involves sensitive information, such as a change of banking info, gather documentation, and touch base with the affected employee.
• Remember that phishing requests can come in the form of a phone call as well as an email.
Technical solutions for avoiding business email phishing scams.
• Automated spam filters can catch issues like sketchy ‘From’ addresses. Among other things, they check a domain’s records for the addresses that are allowed to send mail.
• Anti-virus programs identify attachments like zip files that aren’t really zip files. Malware and other suspect items are placed in a ‘sandbox’ where they can do no harm while being checked out.
• Office 365 doesn’t provide spam filtering by default, but it has advanced options for setting up custom spam rules.
• Email registration systems identify previously ‘approved’ email addresses and domains, and only allow those through. These filters even work with suspicious email that appears to come from trusted platforms like Microsoft Teams.
• Email encryption services keep your transmitted information away from prying eyes. These are typically used by attorneys and financial institutions, but can be set up for any business conveying sensitive information.
• Other email protection systems trace mail from its source to their own servers before releasing it to you. If a company has been sending you email from Valdosta, Georgia, and is now suddenly sending from Australia, you’ll get a bright red flag. Additionally, if the email includes links to a known attack site, the system will toss that email into quarantine.
• Some of these services also scan outbound email, setting off alerts about possible compromised activity with internal accounts.
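As an added illustration of the “allowed senders” record check mentioned above, and of looking at the part of the From address after the @, here is a minimal SPF-style evaluation in Python. This is example code written for this page, not Harmony’s or any product’s implementation; the domain names, DNS records and IP addresses are constructed, and a real filter would query DNS and evaluate the envelope sender rather than the displayed From header.

```python
import ipaddress

# Constructed DNS TXT records standing in for a real lookup
# (example data only, not any real organisation's records).
FAKE_DNS_TXT = {
    "vendor.example": "v=spf1 ip4:203.0.113.0/24 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_lookup(domain):
    """Return the domain's SPF record, or None (simulated DNS lookup)."""
    rec = FAKE_DNS_TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against the domain's published SPF record.
    Returns pass / fail / softfail / neutral / none (no record) / permerror."""
    if depth > 10:  # SPF caps the number of nested lookups at 10
        return "permerror"
    record = spf_lookup(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Only a "pass" from the included domain matches this term
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted with no matching mechanism


def from_domain(header_from):
    """Return the domain after the @ in a header like 'Name <user@host>'."""
    addr = header_from.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()
```

A message from 192.0.2.7 claiming to be vendor.example fails because that address is in none of the published ranges; a look-alike domain such as the one in the `from_domain` example is a separate red flag that SPF alone does not catch.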
Good guys and bad guys will always be trying to outsmart each other in cyberspace.
Defensive measures aren’t always 100% foolproof, especially when attackers are spoofing the identity of senders from within the actual domain. But they do add substantial security layers that make phishing scams a lot less likely to succeed.
The key is to take action before there’s a problem – or before any emerging problem becomes serious.
And yes, this may all be an added hassle on top of an already-busy workday. But we can’t escape the fact that security and convenience will always have an inverse relationship.
Contact Harmony and get the good guys on your side.
Which email security systems and configurations would make the most sense for your company? Have a talk with Harmony’s IT security experts and stay ahead of those who may already have you in their sights.