The internet can be a deceitful and treacherous place. We have all heard of scams trying to sell you fake pharmaceuticals, the false promises of people near you looking for love, even Nigerian princes lying about the millions of dollars that will be sent to you. I’m assuming you, the reader, are way too clever to fall for any of these traps. Spam filters catch most of it, but before you start feeling safe at home in your Scooby-Doo pajamas, let me warn you: professional phishers are out there. Their spoofs are significantly better than most of the ones we encounter, and it’s easy to fall for their tricks. The latest studies show that 1 in 5 employees click on phishing scams. A large number of them don’t even report it to IT, out of fear of being known as ‘that guy’ who clicked on the obviously fake link and compromised the entire company.
My goal with these 7 steps is to give you and your team the basic knowledge not to become another cyber-victim. Put on your Kevlar and let us begin phishing bootcamp!
1. Verify with the bank/institution
Do not respond to e-mails or phone calls asking for your personal information, especially ones that create a sense of urgency. In the unlikely situation that you believe your bank or another financial institution genuinely requires your information, get the official phone number from the back of your card, from their official website or from your company’s records (never the one in the suspicious email) and give them a call to confirm.
2. Straight to the source
Everything can be masked: the caller ID on your phone, the sender’s name in an email, or a private message via a social network. Scammers will use correct spelling and the logos of real institutions to get your credentials.
Don’t click any links. URLs can easily be masked in an email and send you somewhere else, often to a spoofed page that looks identical to the real one. Type out the URL yourself, the same URL you always use for online banking. The same applies to delivery companies, a lure phishers commonly use to go after businesses.
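As an added illustration of the masked-link problem (example code written for this post, not part of the original and not a product of the author), the script below parses the anchors in a constructed HTML e-mail and flags the three things a careful reader would check by hand: a link that is not https, a link whose real host is not under the organisation’s genuine domain, and a link whose visible text is a URL that differs from where the href actually goes. The domains `example-bank.com` and `account-verify.test` are placeholders invented for the sample; `TRUSTED_DOMAIN` stands for the address you would type yourself.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. All domains are placeholders made up
# for this example; none refers to a real organisation.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your details:</p>
<a href="https://login.example-bank.com.account-verify.test/">https://login.example-bank.com/</a>
<a href="http://example-bank.com/statements">View statements</a>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
"""

# The organisation's genuine domain, as you would type it yourself (assumed for the demo).
TRUSTED_DOMAIN = "example-bank.com"


def registered_domain(host):
    """Return the last two labels of a hostname, e.g. 'example-bank.com'.
    Good enough for this demo; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted_domain):
    """Return one finding per link, with the reasons it looks suspicious (if any)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        real_host = (target.hostname or "").lower()
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if registered_domain(real_host) != trusted_domain:
            reasons.append("host %r is not under %s" % (real_host, trusted_domain))
        # Visible text that is itself a URL but points elsewhere is the classic masked link.
        if text.startswith(("http://", "https://")):
            shown_host = (urlparse(text).hostname or "").lower()
            if shown_host != real_host:
                reasons.append("displayed host %r differs from real host %r" % (shown_host, real_host))
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAIN):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(status, finding["href"], "; ".join(finding["reasons"]))
```

Running it marks the first link as suspicious on two counts (the real host ends in `account-verify.test`, and the text shows a different host than the href), the second for using plain http, and leaves the third alone. The same logic is what a mail gateway or browser extension does at scale; the point of the manual advice above is that you can do it yourself by hovering over a link and reading the real destination before deciding to type the address by hand.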
3. It’s not always financial institutions
To get your credentials, scammers will often mimic common e-commerce, subscription and telecommunication companies. Whenever you’re asked for personal information, think twice and verify the source.
A friend on your social network or an e-mail contact alerting you that they’re traveling abroad, have been robbed and urgently need funds is a known scam. Even if it’s a contact you know, accounts can be hacked. Contact them back via the details in your own Rolodex and confirm whether the message is really from them.
A job offer as a “debt collector” from someone claiming to represent a reputable company is often another form of money laundering, in which multiple victims are scammed to cover up illicit funds.
Emails pretending to come from telecommunication or television subscription services are another common lure.
When it comes to phishing, it’s not always banks. If your business collects financial data, there’s a good chance someone else is pretending to be you and trying to get your clients’ data under your name. Protect your brand with anti-phishing and brand abuse monitoring.
4. It’s too good to be true
Did you really win the latest gadget from a sweepstakes that you’ve never entered?
A relative you never heard of has left you a large inheritance?
Get rich right away?
If it sounds too good to be true, then it is. No matter how tempting the reward, never send your credentials. If you think it’s the real deal, pick up the phone and get to the bottom of it. Use the organization’s published number and never the one listed in the email.
5. Check your banking records
Check often for irregular transactions. Keep an eye out for unaccounted-for purchases or misplaced decimal points. If you notice any irregularities, notify your bank immediately.
6. Mobile Safety
Despite the review process apps go through before they are listed, the bad guys can still get their product into the app stores. Their malware often collects data on your phone and can make phantom calls to premium-rate phone numbers. These apps usually mimic financial services and banks, so before downloading a financial app make sure it’s the one listed on the bank’s website. If your business has ever dealt with phishing or trademark infringement, we highly recommend Mobile App Monitoring. App monitoring can keep your clients protected by eliminating the presence of criminal activity against your brand.
An SMS requesting personal information is always a scam, even if it directs you to a link with the correct logos.
Web browsers are your friends. Update them regularly and make sure the settings that warn you of malicious content are enabled. They won’t catch everything, but they will still prevent you from accessing most fraudulent webpages and malware.
Ensure that your computer and computers on your network have updated security patches and antivirus.
While on financial and e-commerce sites, check for the secure https (not http) at the start of the URL. Also look out for the padlock icon alongside the address bar; you can click on it to see the security certificate for the site.
As people and businesses become more attentive to their online security, the phishing professionals adapt. Inform yourself and stay ahead of the latest online threats. You can never be too safe with your online presence.
What other steps does your company take to prevent phishing? Let us know!
Follow @bp_phishing for the latest phishing updates.