Anyone using email has likely heard the terms phishing and phishing attacks, but based on the high profile Home Depot, Sony, and Target phishing breaches, there is still a lot to learn about this security risk and how to prevent it.
Phishing is a type of cybercrime which includes phishing emails, vishing (voice phishing), and smishing (SMS text phishing). Hackers are "phishing" for sensitive information with which to access protected data or networks. A phishing email presents familiar information to fool users into clicking malicious links or replying with passwords, financial information, or private data.
Because success depends on building trust with the intended victims, fraudsters meticulously design fake emails and websites to mimic reputable sources. Since people are likely to act on a request from a known sender (e.g., their bank, employer, or a friend), personal identities, corporate files, and online accounts are at risk as soon as the fraudster earns the target’s trust. Account takeovers are simple with the passwords or personal data collected via these fake emails and bogus websites.
According to the Anti-Phishing Working Group, Inc. (APWG), Phishing Activity Trends Report, the number of phishing attacks reported increased from the first to second quarters of 2019 and both were significantly higher than the number recorded in the entire second half of 2018. Protecting against phishing is complicated because this cybercrime targets users’ likelihood to click a link or respond to an offer instead of aiming at the hardware.
How to prevent phishing attacks
Industry experts agree there is no one way to block phishing[JC1] [CS2] , but education and training are the consensus best practices.
Learning to recognize likely phishing attacks and how to verify a link before clicking is key to preventing a breach. Does the domain in the link match a sender or business, you know? Did you request a link during a customer service call? For that matter, are you even expecting the email? If it appears to be from a known source, ask the source if they sent the email.
Phishing.org offers ten practical and easily implemented ways to avoid falling victim to phishing:
- Stay informed about current phishing techniques so you can recognize a scam.
- Don’t click, think! Is the email addressed to you or “Valued Customer”? Do you know the sender?
- Download a reputable anti-phishing toolbar for your browser.
- Look for “HTTPS” at the front of a URL, rather than "HTTP" without the "S."
- Access your online accounts regularly, especially banking, brokerage, and credit card accounts to check activity. Review statements. Change your password, too.
- Continually update your browser for new security patches.
- Use a firewall as a buffer between you, your device, and cyber criminals.
- Watch out for pop-up windows. Some are legitimate but wiser to block them all and allow on a case-by-case basis. Equally important, always click the tiny "x" in the upper corner of the pop-up; the "cancel" button may link to phishing websites.
- Never share personal or financial information online. Yes, this seems obvious, but fraudsters use scary words such as "IRS," "collections," or "jail" to frighten you into acting against your better judgment.
- Install and update anti-virus software. Yes, another over-stated warning for an underused tool.
Enabling two-factor authentication is another way to block hackers with your login credentials from accessing your accounts.
Go phish somewhere else
Each of us is a route to a phishing attack. It only takes one person to click a malicious link, or unknowingly deploy malware, to compromise an entire home or office network. “No matter how secure a company's IT security platform is, the company is only as secure as its user base,” says Felix Odigie of Inspired eLearning.
Blocking hackers and their phishing attacks begins and ends with well-trained users and proven identity verification solutions.