by Keith Barthold
In 1975, Steven Spielberg’s iconic movie “Jaws” terrified a nation with a great white shark that turned unsuspecting swimmers into prey, sending everyone to shore with the warning, “Don’t go in the water.” Today’s cyber waters are just as treacherous: phishing attacks are increasingly numerous and sophisticated, and they are launched by ever more aggressive and capable cyber sharks.
Consider these statistics:
- 92 percent of malware is delivered through email
- 90 percent of data breaches come through phishing attacks
- 70 percent of companies are not prepared for a cyberattack
- 60 percent of attacks are more severe and sophisticated
- 56 percent of IT decision-makers rank phishing attacks as their top security threat
Though phishing attacks aren’t always easy to spot — if they were, people wouldn’t fall victim to them so easily, right? — there are many ways you can be on the lookout for suspicious emails. The better prepared and more knowledgeable you are about what to look for, the better protected you’ll be.
Here are some questions you and your team should ask before opening that next suspicious email:
Did it originate from a recognized sender?
Typically, you should know who is sending you data. Even if you aren’t familiar with the specific person, you should at least recognize the sender’s company or the topic of concern. To be certain, look at the actual sender address, not just the display name, since the name can say anything while the address underneath points somewhere else entirely. If it’s from firstname.lastname@example.org, or if the domain name doesn’t EXACTLY match your known contact (lookalike domains that swap, drop, or add a single character are common), it’s best to delete it. Check the Reply-To address too: if it differs from the sender, your answer will go to someone other than the apparent sender. You should always ask yourself who is sending you information, from where, and why. Many times, it’s just someone phishing for prey.
Is it overly impersonal and generic?
Is the message so general that it could be intended for anyone and not you specifically? Because unsophisticated phishing scammers rely on generalized language and offers meant to entrap thousands of potential victims, they have to use wording that is as vague as possible. Look for specificity and personal content and be wary of the overly generic. A legitimate message should also carry contact information beyond the sender’s address, such as a phone number or a business address you can verify independently. Always look for confirmation.
Does it have an insistent, opportunistic tone?
Confident, capable, and trusting people don’t have to push, beg, or threaten you in their communication with you. And you should never feel pressured or manipulated into performing a task. If there is an insistent tone, find out whether it is warranted or not. Sometimes senders need to be insistent, but only rarely.
Are there unusual requests or extravagant promises offered?
Your parents probably gave you the same advice that mine did to me: if the deal sounds too good to be true, it probably is. None of us wants to avoid an important request or miss out on a great opportunity. Phishing con artists rely on immediacy and don’t-miss-out opportunities and bank on the fact you’ll act now and not take too much time to think before doing something you wish you hadn’t. Determine why you were selected to participate in the request or offer and proceed with caution.
Is money involved?
It goes without saying that if finances are involved, you should be particularly cautious. Cybercriminals are getting much more sophisticated in their methods and means. They often stake out a company to learn insider facts and even use forged signatures and forms to appear authentic, sometimes fully compromising the mailbox of a trusted vendor, client, employee, or strategic partner (like your CPA or attorney), so the message really does come from that person’s account. Watch out for changes in wire transfers, bank accounts, and addresses requested by email, and always confirm by phone. Call a number you already have on file, not one printed in the email, because an attacker who wrote the email can also supply the phone number that “confirms” it. If anything raises a red flag, double-check it with voice or in-person confirmation.
Is there an attachment or link included?
This pretty much goes without saying because it’s an area that has already entrapped so many victims: if you aren’t sure, don’t open it and don’t click it. Certainly, some files have to be transmitted as attachments, but people are using and trusting that method less and less. If you have to open an attachment or use a link, you should know the identity of the sender and the reason for it. Before clicking, hover over a link to see where it actually goes; the text you see and the destination underneath need not match. Guard against malicious links and attachments using technologies such as Advanced Threat Protection (ATP) for Office 365 (now Microsoft Defender for Office 365), which rewrites links and detonates attachments before they reach the user. Phishing predators are hoping to catch you off guard and unprepared.
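The sender checks described under “Did it originate from a recognized sender?” and the link and attachment checks above can be automated on the mail itself. The following is an added example written for this article, not code from the author or from DKBinnovative: it parses a constructed sample message with the Python standard library, compares the real From and Reply-To domains against a constructed allowlist of known contacts, flags links whose visible text shows one domain while the href points to another, and flags attachment types that commonly carry malware. The allowlist, the extension list, and the two sample messages are assumptions made up for the demonstration, and the “last two labels” domain comparison is a simplification (a production version would use the public suffix list).

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation actually corresponds with (assumption).
KNOWN_DOMAINS = {"acme-supplies.example", "payroll.example"}

# Illustrative attachment types that commonly carry malware; not exhaustive.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}

# Constructed phishing sample: the display name claims a known vendor, but the real
# address uses a lookalike domain (capital I for l), Reply-To goes elsewhere, the
# link text and href disagree, and a macro-enabled document is attached.
SAMPLE_EMAIL = b"""From: "Acme Supplies Billing" <billing@acme-suppIies.example>
Reply-To: collections@mail-relay.example
To: ap@victim.example
Subject: URGENT: updated wire instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=utf-8

<p>Please confirm the new account today at
<a href="http://acme-supplies.example.login-verify.example/wire">https://acme-supplies.example/portal</a></p>
--B1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--B1--
"""

# Constructed legitimate sample from the same vendor, for comparison.
CLEAN_EMAIL = b"""From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: ap@victim.example
Subject: Invoice 4471
Content-Type: text/html; charset=utf-8

<p>Your invoice is available at <a href="https://acme-supplies.example/portal">https://acme-supplies.example/portal</a>.</p>
"""


def sender_domain(header_value):
    """Domain of the real address in a From/Reply-To header, ignoring the display name."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Crude registered-domain approximation: the last two DNS labels (see lead-in)."""
    return ".".join(host.lower().split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    # Sender checks: real address domain vs allowlist, and Reply-To vs From.
    from_dom = sender_domain(msg["From"])
    if from_dom not in KNOWN_DOMAINS:
        findings.append(f"sender domain not on allowlist: {from_dom}")
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_dom}")

    # Link and attachment checks across every MIME part.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                href_host = urlparse(href).hostname or ""
                shown_host = urlparse(text).hostname if "://" in text else None
                if shown_host and registrable(shown_host) != registrable(href_host):
                    findings.append(f"link text shows {shown_host} but points to {href_host}")
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {filename}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("FLAG:", line)
    print("clean sample findings:", analyse(CLEAN_EMAIL))
```

Run against the phishing sample, the script reports four findings (lookalike sender domain, mismatched Reply-To, link text that disagrees with its destination, and a macro-enabled attachment) and none for the legitimate sample. None of these checks proves a message is malicious on its own; they are the same questions the article asks a human to answer, turned into something a mail gateway or a triage script can answer first.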
Is anything else out of the ordinary that catches your attention?
Sometimes it’s the smallest of details that should give you the greatest warning. Is there a logo that doesn’t look right? Are there amateurish graphics, or none at all? Are there misspelled words? Inappropriate language? Is it as professional as it should be? There are no perfect crimes and no perfect criminals online. In uncovering phishing attacks, the devil can be in the details.
Know where and from whom your emails originate, question overly generic language, push back if offers and language seem too pushy, be aware of too-good-to-be-true offers, clearly identify attachments and links before opening them, and develop an acute eye for details. Don’t be lazy and expose yourself to attacks because of the overabundance of email, and be highly discriminating in what you read and heed. You and your company’s data, security, and reputation depend on it.
Keith Barthold is the president and CEO of DKBinnovative, a Dallas-based IT managed services firm that specializes in cybersecurity. DKB offers secure, reliable IT solutions to productivity-focused small- and medium-sized businesses globally. Established in 2004, DKB acts as a company’s virtual chief information and security officer, whose role as a strategic partner and extension of its C-suite is to assist in planning, day-to-day execution, and future-proofing the organization. You can find more about DKBinnovative at www.dkbinnovative.com.