Phishing Emails: What to Look for and How to Avoid a Data Breach

By now, you have probably read dozens of articles about cybercriminal activity and data breaches. Large firms like Equifax, Uber, Anthem, Target, Ubiquiti, and many more have had security breaches that have resulted in the exposure of sensitive customer information. With these massive data breaches, experts calculate that approximately 1.9 billion usernames/passwords have been stolen and are available on the black market. And these breaches are not confined to large organizations. Take the following real-life scenario into consideration:

A CFO receives an email that looks like it came from a financial institution or other business the CFO has done work with in the past. Thinking the email is legitimate, the CFO opens the spreadsheet attached to the email. The spreadsheet opens in Excel, but the numbers it contains do not display. A message at the top of the spreadsheet asks the user to “click here to enable content.” Once that button is pressed, the spreadsheet opens. Malware has just been installed on the CFO’s computer, and the hacker can now monitor all keystroke activity, download content from the computer, and even take a picture or watch a video of the CFO.

Seeing how easily this can happen, it is not surprising that humans have become the top target for cybercriminals.  They know the statistics: 97% of humans cannot identify a phishing email, 91% of cybercriminal activity is initiated by email, and 23% of us click on malicious links or attachments.

Taking certain precautions at home and in the workplace can help you avoid being scammed by hackers that might have gained or are attempting to gain access to your personally identifiable information (PII).

One of the most popular cybercriminal techniques is phishing. Phishing is a cybercrime in which a victim is contacted via email, telephone, or text message by someone posing as a representative from a legitimate institution. They attempt to lure the victim into providing sensitive data (PII) like their username, password, social security number, date of birth, etc. Based on the breaches that have occurred, it is quite possible that cybercriminals already have some real information about you that leads you to believe they are a colleague or from an organization with whom you do business.


A typical phishing email might have these characteristics:

  1. Something that is too good to be true or something that catches your eye.
  2. A sense of urgency to get you to act with emotion rather than intellect.
  3. Hyperlinks that link to an infected website.
  4. Attachments that you aren’t expecting.
  5. Sent from an unidentified sender.
  6. Sent during an unusual time of day.


If you receive an email that meets one or more of the above criteria, there are three areas of the email on which to focus your attention: the header, the attachments or hyperlinks, and the content.

The email header

  • Did the email come from a stranger?
  • Is the email addressed to you and others in the organization that have last names that start with the same letter?
  • Was the email sent at a time you would not normally receive communication from this person?
  • Is the subject of the email inconsistent with the body of the email?

The email attachment or hyperlinks

  • Look for misspellings in hyperlinks. Hover your mouse over each hyperlink and compare the destination it shows with the text of the link; a mismatch between the two is a warning sign.
  • The ONLY file type that is always safe to open is a .txt file. So, if you aren’t expecting an attachment, consider contacting the sender or establishment directly before opening the file.
  • Is there an Excel file that asks you to “enable content”? Never do this unless you are expecting an Excel file with macros from that sender.

The email content

  • Are you being asked to click on a link or attachment to avoid a negative situation?
  • Are you being asked to click on a link because you won a prize in a contest you did not enter?
  • Cybercriminals could be spying on you using digital surveillance tactics or watching your social media to get personal information, making the phishing emails more believable.
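As an added example (not part of this article or of Revolution Group's material), the following Python script applies the header, hyperlink/attachment and content checks above to a constructed sample message using only the standard library; the sample message, its domains, and the "business hours" window of 06:00 to 20:00 are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample message (not a real email) that shows several of the indicators above.
SAMPLE_EML = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example>
To: a.jones@corp.example, a.kim@corp.example, a.lee@corp.example
Subject: URGENT: verify your account within 24 hours
Date: Tue, 05 Mar 2024 03:12:00 -0500
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Act now: <a href="http://acme-bank-secure.example/login">https://www.acmebank.example/login</a></p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"

--b1--
"""

def phishing_indicators(raw):
    # Returns the checklist indicators (header, links/attachments, content) the message triggers.
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # Header: every recipient address starts with the same letter (harvested address book)
    initials = {parseaddr(r)[1][:1].lower() for r in msg["To"].split(",")}
    if "," in msg["To"] and len(initials) == 1:
        hits.append("recipients share the same initial")
    # Header: sent at an unusual hour (assumed window 06:00-20:00, in the sender's own UTC offset)
    if not 6 <= parsedate_to_datetime(msg["Date"]).hour < 20:
        hits.append("sent outside business hours")
    # Content: urgency wording meant to make you act on emotion rather than intellect
    if any(w in msg["Subject"].lower() for w in ("urgent", "suspend", "immediately", "24 hours")):
        hits.append("urgency in subject")
    # Hyperlinks: visible text that looks like a URL while the href goes to a different host
    html = msg.get_body(preferencelist=("html",))
    for href, text in re.findall(r'<a [^>]*href="([^"]+)"[^>]*>(.*?)</a>', html.get_content() if html else "", re.S):
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and shown != urlparse(href).hostname:
            hits.append(f"link shows {shown} but goes to {urlparse(href).hostname}")
    # Attachments: macro-enabled Office files that will ask you to "enable content"
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".xlsm", ".docm", ".pptm")):
            hits.append(f"macro-enabled attachment {name}")
    return hits
```

Running `phishing_indicators(SAMPLE_EML)` on the sample flags all five indicators; a plain one-to-one message sent at midday with no links or attachments returns an empty list.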


In general, if you receive a suspicious, unsolicited email from your bank or from any establishment with which you have an account, take the time to browse directly to their website, log in to your account and validate the request. The same concept applies if you are called by your bank or credit card company asking for information. Tell them you will call them back. Hang up the phone, research the number on their website and call.


Tip: Invest in identity theft protection like LifeLock or All Clear, which continually monitor your credit report for abnormal requests. Monitor your bank accounts regularly. And, as always (like you do at your place of work), change your passwords to any financially related system on a routine basis. Many institutions now offer two-factor authentication to add another layer of protection. Take the time to set up this second form of identification for your personal account(s).

In the workplace, always maintain awareness that your colleague’s personally identifiable information may have been compromised. Targeted cyberattacks are commonly customized to sound very personal and real because the attackers may already have relevant information about executives in your organization. Digital surveillance is a tactic used by these criminals, sometimes for weeks prior to the attack. They may even wait until they know your CEO is out of town at a conference or on vacation. They might watch social media posts for ideas and clues to make their scam more believable. It might even appear that you are receiving a text from an associate’s cell phone or an email directly from their email account.


Tip: Engage with your Information Technology department or Managed Service Provider and ask for assistance in writing cybersecurity policies and procedures. For example, establish a formal process for money transfers that includes verbal confirmation.

Your Information Technology department should always follow security best practices regarding Windows patching, anti-virus updates, firewall updates, etc. to continually monitor and protect your network. Check with your Managed Service Provider and see if they also offer additional security protection like regular network security audits and remediation, thoughtful leadership behind the storage of your sensitive company data, and continual end-user security awareness training.


If you’d like to know more about any of the Revolution Group divisions, contact our business development managers at 614-212-1110 or [email protected]