Personal information and data are valuable. Because we conduct so much of our personal and professional business over the web or have information stored in the cloud, our most sensitive and valuable information can be accessible to hackers and cyber-criminals. We expect the companies that store our information to have the proper security protocols in place to prevent data theft. But in some cases, individually, we are our own best line of defense.
Phishing is a type of cyber-attack that uses an email made to look as if it comes from a reputable and reliable source in order to trick the recipient into giving up information that should be kept guarded. There are two types of phishing attacks. In a typical phishing attack, cyber-criminals obtain a list of email addresses for the customers of a targeted business. Most often, they send an email that asks the recipient to verify information and contains a link to a website that looks like it belongs to the company. If the recipients don’t recognize the email as a scam, they provide the information and the hackers gain access to those customers’ personal information.
The second type of email attack is called “spear phishing”. While phishing attacks generally cast a wide net, spear phishing zeroes in on a specific individual or organization. Attackers often make the email look legitimate by crafting a message that appears to come from an individual that the target knows. One of the most well-known spear phishing attacks was directed towards John Podesta, chairman of Hillary Clinton’s presidential campaign. In response to what appeared to be an email from Google asking for password verification, he provided that information, and hackers were able to look through 50,000 of his emails, gaining sensitive information in the process.
In both types of attacks, cyber-criminals look to exploit personal data, passwords, confidential company information, and company emails by taking advantage of the weakest link in cyber security: human error. They can use this information to commit identity theft, obtain money through fraudulent means, or introduce viruses or malware into the system.
So how can you protect yourself from phishing and spear phishing?
Verify: If something seems off or you have any questions about the authenticity of a message that asks you to provide passwords or bank information, take a moment to be sure the sender of the message is legitimate. Attackers will often use an email address that looks very similar to a trusted sender’s address, but includes a number or uses a zero in place of a capital O. Hover over a link before clicking to see the URL and check whether it matches the source. If in doubt, call the company directly, using a number you know is legitimate, to ask for verification that the email is coming from them.
Don’t be pressured: Often phishing emails come with a sense of urgency. Either a friend needs assistance and money wired to them, or you are told your account is in danger of being closed if you don’t confirm your account information. These messages are crafted to make the recipient act quickly, without thinking, and ignore the potential for fraud.
Don’t be so quick to “friend”: Avoid accepting invitations on social media from people you don’t know. Often cyber-criminals will use this as a way to get more information to make spear phishing attacks believable.
Don’t click the links: If you’ve received an email that looks suspicious, don’t click on any of the links. This can trigger malware or introduce viruses to your system. It is better to type the URL directly into the address bar. Also, never submit your information into forms that are embedded in or attached to the email. This is another common tactic.
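The two checks from the “Verify” tip (a sender address that swaps in a number, and a link whose real destination differs from what it shows) can also be automated. The Python sketch below is an added example, not part of the original article; the trusted domain, the swap table and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the recipient really deals with.
TRUSTED = {"northwind-bank.example"}
# Digit-for-letter swaps, such as a zero used in place of the letter O.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(value):
    """Lower-cased host of an email address or a URL."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse(value).hostname or "").lower()

def trusted_match(host):
    return next((d for d in TRUSTED if host == d or host.endswith("." + d)), None)

def imitates(host):
    """Trusted domain that host resembles once digit swaps are undone, else None."""
    return None if trusted_match(host) else trusted_match(host.translate(SWAPS))

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def check_message(sender, html_body):
    findings, host = [], domain_of(sender)
    if imitates(host):
        findings.append(f"sender {host} imitates {imitates(host)}")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        target = domain_of(href)
        if imitates(target):
            findings.append(f"link {target} imitates {imitates(target)}")
        shown = domain_of(text) if "://" in text else ""
        if shown and shown != target:  # what you read is not where you go
            findings.append(f"text shows {shown}, link goes to {target}")
    return findings

# Constructed sample message
SAMPLE_SENDER = "Northwind Bank <alerts@n0rthwind-bank.example>"
SAMPLE_BODY = ('<a href="https://login.n0rthwind-bank.example/verify">'
               'https://login.northwind-bank.example/verify</a>')
```

Running `check_message(SAMPLE_SENDER, SAMPLE_BODY)` returns one finding for the sender and two for the link; a message that really comes from the trusted domain returns an empty list.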
Being educated about the various ways that cyber-criminals access and use our personal information is critical to protecting yourself from being caught in a phishing attack.