In this modern-day, tech-savvy world, we would like to believe that we could never be fooled by a social engineering scam or phishing attempt!
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity via electronic communication. The reality is that it is easy to catch someone in this way.
Here are some tips to look out for so that you do not become just another phishing statistic:
- Do not trust the display name. A favourite phishing tactic is to spoof (imitate) the display name of an email so that it appears to come from a known person or brand. Click on or hover over the name to reveal the actual sender address, which will often differ from the display name. Bear in mind that the address itself can also be forged, so a matching address is not proof of legitimacy on its own.
- Look but do not click. Hover your mouse over any link embedded in the body of the email and compare the destination shown in the status bar with the link text; the two need not match. If something seems even remotely strange, do not click on it.
- Check for spelling mistakes. Brands usually do not make careless mistakes. This is an easy tell. Cybercriminals also do this purposefully to target less observant users.
- Analyse the salutation. Legitimate businesses that hold your details usually address you by name rather than with a vague "Dear Customer" or "Dear User". A personalised greeting is not proof of legitimacy, however: targeted (spear) phishing uses names harvested from social media or earlier data breaches.
- Beware of urgent, threatening language. This is a common strategy to create a sense of panic or to entice you to use poor judgement.
- Review the signature. If you cannot find the sender's details or information on how to contact the company, this is probably a phish. Legitimate businesses normally provide contact details, although a signature block is easily copied, so its presence proves little on its own.
- Be careful with attachments and links. Malicious attachments carrying malware are a common phishing tactic used to encrypt or damage files on your computer, steal passwords or spy on you without your knowledge. Do not open any attachment that you were not expecting, even when it appears to come from someone you know.
- Never give out personal information in reply to an email. Legitimate banks (in fact most companies) will never ask for passwords, PINs or full card details via email.
- Consider whether you have a relationship with the company that has sent the email. If you receive a message from a company that you do not deal with, treat it as a phishing scam: do not respond, and report it.
- Do not believe everything you see. Phishers are good at what they do. An email may look convincing and even display the company logo, but this does not mean it is legitimate. Be sceptical! If a message makes you feel even slightly unsettled, do not act on it.
- Do not rely on the padlock icon in the browser. The padlock only means that the connection to the site is encrypted (HTTPS); it says nothing about who runs the site, and phishing sites routinely have valid certificates. Check that the domain in the address bar is the one you expect, and prefer typing the address yourself or using a saved bookmark over following a link in an email.
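Several of the tells above (a sender address that does not match the display name or the expected domain, link text that points somewhere else, vague salutations and urgent language) can be checked mechanically before a user ever hovers over anything. The script below is an added example written for this page, not code from IRMSA or the author; it parses a constructed sample message (the domains and addresses are illustrative, and 203.0.113.10 is a documentation address) and lists the findings. The allowlist of known sender domains and the word lists are assumptions chosen for the demonstration, and the domain comparison uses a crude "last two labels" rule rather than a public suffix list, so country-code domains such as co.za would need extra handling.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical): the domains this organisation legitimately mails from.
KNOWN_SENDER_DOMAINS = {"example-bank.com"}

# Assumed phrase lists; a real deployment would tune these to its own mail.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
VAGUE_SALUTATIONS = ("dear customer", "dear user", "dear valued", "dear sir/madam")

# Constructed sample message (not a real email) showing a spoofed display name,
# an urgent subject, a vague salutation and a link whose text hides its destination.
SAMPLE_EML = """From: "Example Bank Security" <alerts@mail-example-bank-verify.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account has been suspended. Please verify your details here:
<a href="http://203.0.113.10/login">https://www.example-bank.com/secure</a></p>
<p>Your statement: <a href="https://cdn.example-bank.com/statement.pdf">statement.pdf</a></p>
</body></html>
"""

# Constructed benign message from the known domain, for comparison.
CLEAN_EML = """From: "Example Bank" <alerts@example-bank.com>
To: jane.smith@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Smith,</p>
<p>Your statement for March is available: <a href="https://cdn.example-bank.com/statement.pdf">statement.pdf</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude site extraction: the last two labels of the hostname (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_mismatch(href, text):
    """True when the visible link text looks like a URL whose site differs from the
    real href destination: the tell you would otherwise only see by hovering."""
    real_host = urlparse(href).hostname or ""
    m = re.match(r"(?:https?://|www\.)([a-z0-9.-]+)", text.lower().strip())
    if not m:
        return False  # plain text such as "statement.pdf" makes no claim about its destination
    return registered_domain(m.group(1)) != registered_domain(real_host)


def analyse(raw_eml):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if not any(sender_domain == d or sender_domain.endswith("." + d) for d in KNOWN_SENDER_DOMAINS):
        findings.append(f"sender domain '{sender_domain}' is not a known domain "
                        f"(display name was '{sender.display_name}')")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgent or threatening language")
    if any(s in text for s in VAGUE_SALUTATIONS):
        findings.append("vague salutation")

    collector = _LinkCollector()
    collector.feed(body)
    for href, link_text in collector.links:
        if link_mismatch(href, link_text):
            findings.append(f"link text '{link_text}' actually points to '{href}'")
        if re.match(r"https?://\d+\.\d+\.\d+\.\d+", href):
            findings.append(f"link to a bare IP address: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, "->", analyse(raw) or ["no findings"])
```

Run against the sample, `analyse` reports the unknown sender domain, the urgent wording, the "Dear Customer" salutation, the mismatched link and the bare-IP destination; the benign message produces no findings. None of these checks is conclusive on its own, which is why the list above ends with "be sceptical", but they are cheap to run at the mail gateway or in a reporting workflow before a human has to judge the message.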
Some last thoughts:
- What are you as a company doing to make your staff “phishing savvy”?
- Do you have a method where staff can report potential phishing emails?
- Does your IT team block these phishing emails?
- Is your business testing staff knowledge of phishing scams? If so, how, and what metrics do you have to measure and substantiate the level of exposure?
- Do you have an appointed data officer and a response plan to reduce the impact of a successful phishing attack?
Farhad Rahaman for The Institute of Risk Management South Africa (IRMSA)