Over the years, you’ve probably seen plenty of spam emails. While most of them end up in the junk folder, occasionally one makes it to your inbox and you delete it. No harm, no foul. It was just a blatant advertisement your eyes have been trained to ignore.
But what happens when it isn’t so obvious, when the intent is malicious and your business and its data are at risk? That is not as easy to deal with, and defending against it takes considerably more effort.
Today, let’s discuss phishing emails: what they are, how to spot them and what your business can do to defend against them proactively.
Before we jump in, we will note our bias as an IT company. While we do have cybersecurity and security awareness offerings, which are mentioned below, we know we won’t be for everyone. This content is meant to be informative and raise awareness so your business can follow best practices and protect its data. Now, let’s define what we’re talking about.
Phishing is the act of scamming an end user by "baiting" them with something fake that looks real (just like real fishing). It arrives by email and is designed to look very realistic. Sometimes it appears to come from people you know in your organization. The goal is usually to give an attacker access to your environment and data, or to deploy malicious software.
A well-crafted phishing email might appear legitimate and not raise any immediate red flags, but that’s why we should remain skeptical. Think twice about an email that:
Often, a phishing email appears as if it were from a coworker. This is when we need to assess the message's contents. What are they asking for? Is it normal behavior? Is there money or private data involved?
For example, say you receive an email that appears to be from your manager asking you to wire money to an account. The request is unusual, but the email genuinely looks like it came from your manager, and you don’t want to ignore them.
The best course of action in this situation is to verify directly with that person that the email was legitimate. You can do this through another form of communication (face-to-face conversation, phone call, etc.). Think of it as a human version of two-factor authentication (which you should also have in place to protect your login credentials).
In addition, always check the sender’s email domain against who they claim to be. If the domain doesn’t match the company name, it’s probably not trustworthy. Also inspect URLs before clicking them: phishing scammers may disguise malicious URLs behind innocuous-looking link text or buttons.
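The two checks just described, a sender domain that does not match the organization named in the display name and a link whose visible text points somewhere other than its real destination, can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article or from any product it mentions; the sample message, the addresses and IP in it, and the `TRUSTED_DOMAINS` set are all constructed for illustration.

```python
"""Flag two phishing indicators on an email: a display name that claims the
trusted organization while the address domain is not trusted, and a link whose
visible text names a different host than its real href. Added example; the
sample message below is constructed and uses reserved example addresses."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample: a "manager" at Example Corp, sent from a look-alike domain,
# with a link whose visible text is the real portal but whose href is not.
SAMPLE_EMAIL = """\
From: "Dana Reyes (Example Corp)" <dana.reyes@example-corp-payments.net>
To: staff@example.com
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please process this today:</p>
<p><a href="http://198.51.100.23/login">https://portal.example.com/wire</a></p>
<p><a href="https://portal.example.com/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (demo-grade; ignores public-suffix rules)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(msg):
    """Indicator 1: untrusted sender domain, worse if the name claims the trusted org."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain!r} is not a trusted domain")
        squashed = name.lower().replace(" ", "").replace("-", "")
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in squashed:
                findings.append(f"display name {name!r} impersonates {trusted!r}")
    return findings


def check_links(msg):
    """Indicator 2: link text that looks like a host but differs from the real href host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        # Only compare when the visible text actually names a host (contains a dot).
        if "." in shown and registered_domain(shown) != registered_domain(real_host):
            findings.append(f"link text shows {shown!r} but points to {real_host!r}")
    return findings


def analyze(raw_message):
    """Return all findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The link check deliberately ignores anchors whose text is ordinary words ("Help center"), because only text that itself looks like an address can be said to mislead about the destination; the sender check fires on any untrusted domain and adds a second, stronger finding when the display name borrows the trusted organization's name.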
Now that we’ve covered the human side of phishing avoidance, let’s talk about the technology side. Through an email filtering service as part of a robust cybersecurity stack, you can stop many malicious emails before they’re able to hit your mailbox.
Your IT partner can configure your email filtering based on your company’s specific needs and ensure that it is regularly updated and up to speed on the latest known threats. Solutions like these are generally more comprehensive and advanced than the spam filtering settings in your email client.
3. Two-Factor Authentication
Enabling two-factor authentication (2FA) wherever possible will decrease the chance of your accounts becoming compromised, even if a phishing scammer gains access to your login credentials. Without that second form of verification (push notification, text message, temporary code, etc.) they won’t be able to access your account.
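To make concrete why a phished password alone is not enough once 2FA is on, the following added example (not from the original article) implements the "temporary code" variant, a time-based one-time password per RFC 6238, and a login routine that requires both the password and the current code. The account record, its secret and the password are constructed; the secret is the RFC's published test key so the codes can be checked against the standard's own vectors.

```python
"""Login requiring a password and a time-based one-time code (TOTP, RFC 6238).
Added example with constructed credentials; shows that a stolen password by
itself does not pass once a second factor is required."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based code: HOTP over the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current window plus/minus `window` steps to tolerate clock drift."""
    if code is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed account: the password is stored as a salted PBKDF2 hash, the TOTP
# secret is the RFC 6238 test key ("12345678901234567890") so codes are checkable.
SALT = b"constructed-salt"
ACCOUNT = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}


def login(password, code, unix_time=None):
    """Return True only if both the password and the one-time code are valid."""
    if unix_time is None:
        unix_time = int(time.time())
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, ACCOUNT["password_hash"]):
        return False
    # A phished password stops here: without a current code, access is refused.
    return verify_totp(ACCOUNT["totp_secret"], code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("password only:", login("correct horse battery staple", None, now))
    print("password + code:", login("correct horse battery staple",
                                    totp(ACCOUNT["totp_secret"], now), now))
```

The drift window of one step on each side is the usual compromise between tolerating an authenticator whose clock is slightly off and keeping the number of acceptable codes small; a code is only ever valid for about 90 seconds, which is also why a phished code must be relayed almost immediately to be of any use.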
While 2FA has become a best practice, it should still be the last line of defense. If your cybersecurity strategy is lacking in one area, cyber threats are going to find a way to exploit it. Just because your logins have an added layer of security doesn’t mean you can worry less about your email filtering, and vice versa. It’s about the collective stack of tools and solutions.
If there’s one thing we can guarantee, it’s that these phishing scams aren’t going anywhere, and it’s far easier to proactively safeguard against them than to clean up the mess afterward. IT expertise and leadership, whether internal or with a managed service provider, will ensure best practices are followed. Please don’t wait until it’s too late!