Phishing is the most common form of cybercrime today. It’s estimated that 3.4 billion phishing emails are sent every single day, and the latest statistics show that 84% of organizations were targeted by at least one email phishing attempt. In this ever-shrinking digital world, no business is too small to be a target. If that’s not scary enough, the click rate on phishing attempts ranges from about 17% to 35%, depending on which report you look at. Here’s a simple way to think about it: if you have five employees, there’s a good chance that at least one of them will click on a phishing email and compromise your business.
Simply put, phishing is impersonating a business or a person in hopes of gaining money or stealing credentials.
There are different types of phishing: email phishing, spear phishing, whale phishing, vishing, and smishing. We’ll go into more detail on some of those in later posts. Today, we’re laying the groundwork for understanding email phishing. Typically, you’ll see one of two types of phishing emails. The first is CEO impersonation. This is an email that appears to come from a manager or the owner of the company, asking you to do something outside the realm of normal activities. For example, a recent CEO impersonation might say, “Hey, we are planning to get gift cards as a surprise for some employees. Please buy 10 $100 gift cards. This is just between us, so don’t tell anyone.” You may be surprised by how many people fall for this. Why? When the owner asks for something, people often follow the instructions loyally and blindly.
The other type is brand impersonation. This is where you get an email that appears to come from “Microsoft” or “Adobe” or any other large company, trying to get you to click on a link in the email, usually one that leads to a lookalike login page.
The first thing to look for is urgent or threatening language. Often, you’ll see messages like, “Do this right now, or your account will be locked,” or “Do this right now, or your emails will be lost forever,” or “You have paid $845 to this person. Click here if you didn’t authorize this.” They’re calling for immediate action.
Another common sign is unusual requests tied to secrecy. Think of the CEO impersonation example from earlier. The CEO doesn’t usually ask you to buy gift cards and keep it secret.
The third sign to look for is bad spelling and grammar. In the past, this was easier to spot, but today, with the advent of AI, it’s becoming a lot more difficult. Bad actors can now have AI generate flawlessly worded phishing emails, so clean writing is no longer proof that an email is safe; treat the other two signs as the stronger ones.
The two main consequences are personal data theft and business impact. If you click on a bad link and enter your details, you may be handing over your identity, personally identifiable information, or even your banking information. The other consequence is the business impact. You might give away your Microsoft login, allowing the attackers to send email from your real account to your customers, vendors, and other businesses, or to use your mailbox as a foothold into company data. That can turn into a data breach, which may end in a ransom demand or in a required breach report to the federal or state government, either of which can damage your business’s reputation.
Verify, verify, verify. Never assume; always verify. When something seems urgent or threatening, take a second to re-read the email. Ask questions like, “Is this the type of email that Microsoft would send?” or “Is this the type of email my bank would send?” If the CEO is asking you to buy gift cards, don’t reply to the email, because if their account has been compromised or the sender address is faked, your reply goes straight to the attacker. Pick up the phone and call them on a number you already have, not one printed in the email.
Another thing you can do is hover over the link. Don’t click; just hover, and your mail client will show you where the link actually goes, which is often a completely different address from the text you can see. On a phone there is no hover, so long-press the link to preview it instead, and be wary of shortened links that hide the real destination. You can also click “Reply” to see the address the email is really going to. Again, don’t send the email; just click “Reply.” The name shown in the “From” line can say anything the attacker wants, but the reply address is harder to disguise, and it will show you who you’d actually be writing to.
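The “hover, don’t click” and “click Reply” checks above can be done the same way in code. The following is an added example written for this post, not a tool from the original article: it parses a raw email with Python’s standard library and reports the three mismatches those checks are looking for (a Reply-To that differs from the visible sender, a display name that claims a brand the sender’s domain doesn’t belong to, and link text that looks like one address while the link actually points somewhere else). The message, the domains in it, and the `inspect_email` helper are all constructed for this example; the domains are placeholders, not real infrastructure.

```python
"""Added example (not part of the original post): inspect a raw email the way
the "hover, don't click" and "click Reply" checks do, but in code.
The sample message and every domain in it are constructed placeholders."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name says "Microsoft", but the sending
# domain, the Reply-To address and the real link target all say otherwise.
RAW_EMAIL = b"""From: "Microsoft Account Team" <alerts@micros0ft-support.example>
Reply-To: verify@mail-security-check.example
To: employee@smallbiz.example
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual sign-in activity. Verify now or lose access.</p>
<p><a href="https://login.microsoftonline.com.mail-security-check.example/verify">https://login.microsoftonline.com</a></p>
<p><a href="https://account.microsoft.com/help">Help</a></p>
</body></html>
"""

BRANDS = ("microsoft", "adobe")  # brands named in the post; extend as needed
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive 'owner' of a hostname: its last two labels. A real tool would use
    the Public Suffix List (co.uk etc.); this is enough to show a lookalike."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_email(raw: bytes) -> dict:
    """Return the real sender, the reply address, the links and a findings list."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    display_name, from_addr = sender.display_name, sender.addr_spec
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # Check 1: "click Reply" - does the reply go somewhere other than the sender?
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # Check 2: display name claims a brand the sending domain does not contain.
    for brand in BRANDS:
        if brand in display_name.lower() and brand not in from_domain:
            findings.append(f"display name '{display_name}' but sender domain {from_domain}")

    # Check 3: "hover, don't click" - link text looks like one site, href goes to another.
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # text like "Help" makes no claim about where it goes
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but goes to {actual}")

    return {"from_addr": from_addr, "reply_to": reply_to,
            "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for line in inspect_email(RAW_EMAIL)["findings"]:
        print("SUSPICIOUS:", line)
```

Run it against a saved `.eml` file by replacing `RAW_EMAIL` with the file’s bytes. The third check only compares domains when the visible link text itself looks like a web address, because plain text such as “Help” or “Sign in” makes no claim about the destination; what matters there is still the hover preview.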
You can also ask for help. Forward the email to your IT department and let them investigate it. They can tell you whether it’s real or a phishing email. Lastly, always use two-factor authentication with your email. This way, even if a bad actor has your password, it’s going to be much more difficult for them to access your account. Keep in mind that a convincing fake login page can ask for your one-time code too, so never type a code into a page you reached from an email link; if your provider supports it, a security key or passkey is the option that a fake page cannot trick.
Phishing attempts aren’t going away anytime soon, and with the adoption of AI, employees have to be more and more diligent. You are the most critical element to your company’s security. At Adoverse IT, we offer additional training and security tools to help protect against not only today’s threats but also those coming tomorrow. Contact us today to strengthen your defense or take our free email risk assessment.