It’s been 35 years now since the first computer virus and, in the meantime, computer security seems to keep getting worse. With the proliferation of firewalls, antivirus software and other security precautions, many hackers now choose to access protected systems using “phishing.” If you or your staff aren’t sure about what phishing looks like, you’ll probably want to take the next seven-and-a-half minutes to read this article.
What Is Phishing?
There’s likely a band out there that’s pretty annoyed by the name of this type of cybercrime, in which hackers steal your login credentials, credit card numbers or bank account data by tricking you into giving them information or computer access.
If you think you or your employees would never willingly hand over sensitive information, think again. A recent survey determined that 95% of American businesses have been affected by an email phishing variant, and the average cost of each phishing attack is a whopping $1.6 million!
At Medlin, we don’t want you to lose $1.6 million to a hacker. That’s why we’re here to help you learn how email phishing works.
What Is Traditional Email Phishing?
Email phishing is the most common method of phishing. The typical setup is that an attacker sends you an email containing a link. The link leads to a web page that looks completely legitimate, but it’s really a fake page created by a cybercriminal so he or she can steal your personal information.
Not quite sure how that works? I recently received this phishing email in my inbox:
The email sender was listed as Netflix and, when I opened it, the email stated that they were having troubles running my credit card for this month’s payment. The email suggested I click a link to verify my credit card details and avoid immediate suspension of my Netflix account.
Had I clicked the link, I would have been sent to a web page that looked exactly like a Netflix page. I would have entered my credit card details and I would have been filtered through a fake “Thank You” page before moving on to the homepage of the real Netflix site. The whole process would have been quick, easy and straightforward… and I would have had my credit card number stolen.
Of course, the scams can ask you to click links for any reason. Some common ones include:
• View a job application invitation through LinkedIn
• Update your bank information
• Submit your W-2 information to HR
In addition to links, phishing emails can also push you to download an attachment. The attachment could look like a Word file that your boss has sent over for feedback, it could look like a PDF or it could look like anything else. Once opened, the file (typically an executable) downloads malware onto your computer, which compromises your system and network instantly.
Since email phishing is so effective, it has spawned variants including:
1. Spear Phishing
A type of phishing that uses your personal details against you, in which the cybercriminal has already discovered your name, job title, job duties, personal interests or other information so that the email seems more realistic.
2. Whaling
Phishing attacks that target top-level company executives. Company leaders often have administrative access to company software, and if hackers can get access to C-suite passwords, they have a high likelihood of gaining access to the entire business system.
3. Social Media
This is the same as the email version of the attack, except that the link or attachment is sent to you through your social media inbox.
4. Text Message (AKA “SMiShing”)
This is a dumb name for a malicious attack (it stands for “SMS phishing”), but it’s very dangerous. In a SMiShing scheme, an attacker sends a link over text message. If you click the link, you’ll download a Trojan virus, which can control your phone, and then the hacker will have access to all the data on your phone as well as login credentials to all the sites you visit on your phone.
How to Protect Yourself from Email Phishing Attacks
Every time you receive an email, you should be on the alert. Before you open it, make sure you know who the sender is. If it’s a blank or “unknown” sender, don’t open it. If you hover over the email address and it looks suspicious, such as one filled with typos or “numb3r$ as lett3r$,” don’t open the email. Forward it to your IT department, if you have one. (You can also forward it to the tech experts at Medlin.)
Don’t click on links in the email. This sounds like easy advice, but actually it’s very hard to follow. Any good marketing team will admit that the whole point of sending an email is to get people to click the link in it, so, as consumers, we’ve been trained to click links. Fight the urge.
If you’re pretty sure that the email is legitimate, take a second to hover over the link. If the address looks like a standard address, such as “www.netflix.com,” you’re probably fine. However, we recommend that you still don’t click it. Here’s why:
5. Homograph Attacks
This type of attack assumes you know to hover over links in emails, so it spoofs a real web address by building the address out of characters from a non-English alphabet that look identical to the Latin letters in the genuine domain. The attacker then relies on Internationalized Domain Names (IDN) functionality to register a web address that reads exactly like the address of the site he or she is impersonating. The attacker can even obtain a valid SSL certificate for the lookalike domain, so your browser reports the page as secure.
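As an added example (not code from the original article), here is a small Python check that decodes a link’s hostname the way a browser does and reports the warning signs just described: a domain that is really a Punycode (`xn--`) name, or one that mixes letters from more than one script, when you expected a plain ASCII address. The sample URLs, including the lookalike with a Cyrillic “і”, are constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit


def letter_script(ch: str) -> str:
    """Coarse script name for a letter, taken from its Unicode character name.
    Digits, hyphens and dots carry no script and return ''."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else ""


def inspect_link(url: str) -> dict:
    """Resolve the hostname of a link to both its display (Unicode) form and the
    ASCII form actually registered/transmitted, and note homograph warning signs."""
    host = urlsplit(url).hostname or ""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):  # already-encoded IDN label: show what the user sees
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as given
        labels.append(label)
    display = ".".join(labels)
    # Browsers send the IDNA/Punycode form on the wire; this is the real domain name
    ascii_host = display.encode("idna").decode("ascii")
    scripts = {s for ch in display if (s := letter_script(ch))}
    return {
        "display": display,
        "ascii": ascii_host,
        "is_idn": "xn--" in ascii_host,
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
    }


def flag_link(url: str, expected_host: str) -> str:
    """'ok' if the link really goes to expected_host, 'homograph-suspect' if it is an
    IDN that merely reads like it, otherwise 'different-host'."""
    info = inspect_link(url)
    if info["ascii"] == expected_host.lower():
        return "ok"
    if info["is_idn"]:
        return "homograph-suspect"
    return "different-host"


if __name__ == "__main__":  # constructed sample links
    for link in ("https://www.netflix.com/account", "https://www.netfl\u0456x.com/login"):
        print(flag_link(link, "www.netflix.com"), inspect_link(link))
```

The practical rule the check encodes: if hovering shows what looks like a familiar address but the wire form contains `xn--`, it is not the site you think it is, so type the address yourself instead.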
How to Protect your Company from Phishing
Worried about all the ways that email phishers can attack your company? Sadly, email phishing is only a single type of phishing attack – there are many others.
The number one way you can protect your business from a phishing attack is to learn about it and to teach your employees about it.
If your employees run across suspicious emails, they can protect themselves by:
• Forwarding the email on to the security team
• Typing the correct web address straight into their browser (instead of clicking email links)
• Calling the sender directly to verify the email’s validity
• Refusing to provide personal information over email
Worried about your computer or network security? Check where your vulnerabilities are—instantly!—using the online Network Security Assessment from Medlin. If you see a security hole that worries you, we’re just a phone call away. Let’s build a stronger system – The Medlin System – together at 1-800-4-MEDLIN.