October marks the start of Cyber Security Awareness month so there’s no better time to revisit some common security tips & practices! At a time where many are in remote or work-from-home environments, it’s important to help protect your workforce, assets, and data.
One of those common attack vectors despite being the most common can be the most effective, phishing. Phishing is the act of pretending or falsifying information in order to get the recipient to reveal sensitive data such as banking, company info, credentials, and so on. While this commonly gets bundled as spam email it’s worth noting that phishing attacks nowadays can be complex & surpass certain spam filters. So here are some tips from the Network Right team to help protect yourself & your employees when it comes to Phishing attacks.
A very common rule when it comes to email phishing attempts is to do a twice-over of all the details of the emails. Noticeable things such as :
The “To Field” ensuring its the actual sender & not a spoofed or misspelled domain name
Check for multiple grammar/multiple spelling mistakes. Phishing attacks are typically templated or poorly written to the point where it helps identify that the email isn’t legitimate.
Be wary of any email that asks for private/confidential information (Passwords, Mobile numbers, address, and or the request to purchase something on someone’s behalf)
Don’t download or look out for random attachments
It is common for the spammers in question to spoof names of employees who work at your company often targeting high-level roles such as CEOs and so on to add a sense of urgency in replying to said requests. That said always double-check the information above or if you’re still unsure, directly contact said contact in order to verify.’
That said it’s worth being aware that there’s such thing as domain spoofing. This is where the spammer in question can pretend to be a part of your domain firstname.lastname@example.org. Making it hard to 100% tell if the email is legitimate or not. While IT admins can do things to help prevent these (Such as implementing filters in G-Suite & so on) it’s always a chance for spammers to leverage this. It’s best for the IT department to preemptive about this and ensures most filters or security policies are in place before any phishing attacks. However, for users knowing this is possible in the first place is the most important step so you can be aware of it.
3. Legitimate Emails/Services Spoofing
Often a common attack method is to pretend to be a service or app users may use or be the admin of & attempt to contact users & urge them to change certain credentials or add billing info.
Always be aware of any email in which a company asks you to confirm billing info such as credit cards, reset your password when you didn’t manually request it, and so on. While there are legitimate ways to get these emails it’s always a safe bet if your unsure to go to the site directly & change such info versus clicking a link in an email especially when it’s unwarranted or disguised in an email telling you that its urgent to do so.
4. Be diligent where you sign-up with your email
While spammers get email addresses from a variety of methods it never hurts to be cautious of whom & what services you give your email to. Often times we’ve seen even legitimate companies have info leaked where users’ emails get out to the public & thus added to these lists that end up spamming users. So while it’s at times unavoidable always do your best to be aware of what services you sign up for.
5. Protect yourself!
In the event, you or your employee fall victim to a phishing attack these are some ways you can better prepare & react to when it occurs.
Change credentials immediately (If you accidentally send any info, do your best to go through the official site to change said credentials & or report in the event you leak payment info.)
Setup 2FA/Multi-Factor Authentication this is a great way to help stop access to services such as email. Two-Factor forces a second verification method such as texting a code to your mobile phone so that in the event someone got your email login they couldn’t get in without having that 2nd factor. Look at how to set up 2FA on common services such as:
Office 365- https://support.microsoft.com/en-us/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14
Report Phishing attacks that do get through. Most email programs in themselves have decent built-in filters however things still get by. By reporting emails as spam/phishing it helps improve the algorithm to better detect said attacks
Again on the IT admin end many of these tricks such as domain spoofing, pretending to be a user within the company, and so on can be filtered/blocked before it even hits the user’s inbox. Be sure to contact us at Network Right if Phishing attacks are becoming too commonplace or targeted for your domain to see how we can help better protect & prevent said attacks. Now that users are at home and on non-corporate networks, these attacks can surface more commonly. So doing your best to ensure from a tech perspective your company and its tools are prepared as well as from a user-level you do your best to educate your employees of common practices & good digital hygiene to prevent these from occurring in the first place. Stay safe out there in the digital space!