Phishing is the term for social engineering attacks in which scammers try to persuade users (organizations or individuals) to give out sensitive information, open an attachment or click a malicious link. Whether you are a small or large organization or simply a regular email user, you are vulnerable to phishing. Phishing emails are often targeted at companies and individuals with specific aims, such as stealing sensitive data or harvesting banking credentials for easy money. Let us take a look at some effective phishing prevention best practices.
1. Educate yourself
There are some important terms you need to know if you wish to avoid phishing and pharming:
- Spoofing – Spoofing is forging the origin of a message or website so that it appears to come from a legitimate source. A scammer copies a real company's website, including its logos, taglines and name, or sends email that claims to come from the company's address. While all this may look genuine, these spoofed sites and messages are made by copycats. Pharming is a related but different attack: the victim's DNS resolution (or hosts file) is tampered with, so that typing the correct address still lands them on the attacker's copy of the site.
- Phisher – A phisher is the scammer who sends links to spoofed sites, or messages asking for credentials, to unsuspecting users.
2. Make it difficult for attackers to reach users
An effective way to reduce phishing and spoofing in organizations is a multi-layered approach. Here are some things organizations can do to prevent phishing:
- Implement anti-spoofing controls so that attackers cannot send mail that appears to come from your domains. The standard controls are SPF, DKIM and DMARC; publish them for every domain you own, including domains that never send mail (an SPF record of "v=spf1 -all" and a DMARC policy of p=reject).
- Consider what information about your organization is available to attackers on your website and social media (names, roles, email address format, suppliers) and help your users do the same for themselves.
- Filter or block phishing emails before they reach inboxes.
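The anti-spoofing records above only help if they are published with strict settings. As an added example (not code from the original article), the following Python lints the SPF and DMARC TXT records a domain publishes and reports the settings that still leave it spoofable: a "+all", "?all" or "~all" qualifier, more than ten DNS-querying mechanisms (which makes the record a permerror), a DMARC policy of p=none, a missing rua= reporting address, or a pct= below 100. The record strings are constructed for the example; fetching the live records from DNS is left out so that it runs offline.

```python
"""Lint the SPF and DMARC TXT records a domain publishes, flagging the
settings that still let attackers spoof it. Added example; the record
strings are constructed, not real DNS answers."""

import re
from typing import Dict, List

# Constructed records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none;"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100;"

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def lint_spf(record: str) -> List[str]:
    """Return a list of weaknesses found in an SPF record (empty = ok)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted hosts get a neutral result")
    else:
        q = all_terms[-1][0]
        q = q if q in "+-~?" else "+"  # a bare 'all' means '+all'
        if q == "+":
            findings.append("'+all' authorises every host on the internet")
        elif q == "?":
            findings.append("'?all' gives no verdict for unlisted hosts")
        elif q == "~":
            findings.append("'~all' is a softfail; many receivers still deliver")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_dmarc(record: str) -> List[str]:
    """Return a list of weaknesses found in a DMARC record (empty = ok)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing you")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", lint_spf(spf) or "ok")
        print(label, "DMARC:", lint_dmarc(dmarc) or "ok")
```

Run it against your own domains by pasting the TXT records in place of the constructed strings. Fix every finding on the record, move DMARC from p=none to p=quarantine and then p=reject once the rua= reports show only your legitimate senders, and leave pct=100 so the policy covers all mail.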
3. Identify phishing emails and report them
Phishing emails are cleverly camouflaged to look genuine, but with a bit of practice you can learn to recognize them. Most phishing emails show some of the following characteristics:
- They ask you to verify your email address, password or account details.
- They use the names of genuine businesses, including banks and financial institutions, but the sending address belongs to a lookalike domain such as @mail.genuinebusiness.biz rather than @genuinebusiness.com. Look at the part of the address after the last '@' and check the registered domain, not just whether the company name appears somewhere in it.
- The body of the email is often poorly written, with grammatical and spelling errors. Treat this as one signal rather than proof either way: a well-written message can still be phishing, and attackers increasingly produce flawless copy.
4. Train users
Organizations can train users to identify phishing emails. Training alone will not catch every phishing mail, so users also need to apply judgement. Teach users to recognize fraudulent requests by reviewing the business processes an attacker could mimic (payment requests, password resets, changes to payroll or supplier bank details) and agreeing how a genuine request will be verified out of band.
5. Protect your organization from effects of undetected phishing
Make authentication more resistant to phishing: enable multi-factor authentication everywhere, and prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS or app codes, which a phishing site acting as a proxy can relay in real time. Grant privileges only to the people who need them, so that a compromised account does less damage. Use a web proxy or filtering service together with an up-to-date browser to block known malicious websites, and keep endpoint anti-malware controls current.
6. Organizations: respond quickly to incidents
If, despite these precautions, you are still compromised, you need a defined and rehearsed incident response plan that covers containment (resetting credentials, revoking sessions, blocking the sender and the phishing site), communication with affected users, and your legal and regulatory reporting obligations.
7. Individual users: Raise your email awareness!
No genuine company will ask you to confirm sensitive information by email, or to send passwords, addresses or OTPs (one-time passcodes delivered to your mobile device). If something seems suspicious, contact the company using a phone number or website you already know, never one taken from the email, and report the message to them. Companies usually take steps to combat such fraud.
8. Do not click links or open attachments
If an email with a clickable link is suspicious or unsolicited, delete it; do not click the link or download the attachments. Many of these emails open with a generic salutation such as 'Dear Valued Customer'. A generic greeting is a warning sign, but a personalized one is not proof of legitimacy, since attackers often already know your name.
9. Beware of misspelled company names
Emails from misspelled or slightly altered company names (an extra letter, a hyphen, 'rn' in place of 'm') are a reliable phishing indicator, and both Outlook and Gmail let you report and block such senders. Many Gmail users also report emails claiming to be from Google itself, asking them to verify their account and warning that failure to do so will result in permanent deletion of the account. Treat such threatening emails as phishing: report them and delete them.
10. Beware of numeric and lookalike website addresses
Another easy method of detecting phishing is to look at where a link really goes. Be wary of links whose host is just a numeric IP address (such as http://192.0.2.1/login), and of links that bury a real company name inside an address that belongs to someone else. Note that in http://123456789.www.yourbankname.com the address is still a subdomain of yourbankname.com and therefore under the bank's control; the dangerous form is the reverse, http://www.yourbankname.com.123456789.example.net, where the bank's name is only a subdomain of a domain the attacker registered. What matters is the registered domain immediately before the top-level domain, not the words that appear earlier in the address.
11. Test it out
If you are unsure whether an email from a company is genuine, search for the company name in your browser and compare its real website address with the one the email is sending you to. If the registered domains do not match, treat it as phishing. Better still, never use the link in the email: open a new window and type the company's address yourself.
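The checks in sections 10 and 11 can be automated. The following Python is an added example, not code from the original article: it pulls the links out of a message body and decides, for each one, whether it lands on the brand's own registered domain. It handles the cases above that fool a quick glance: an IP-address host, a decoy "yourbankname.com@" before the real host (browsers connect to whatever follows the '@'), a brand name used as a subdomain of someone else's domain, and lookalike registrations such as yourbankname-secure.biz. The brand-to-domain map, the email body and the small public-suffix set are constructed for the example; real code should use the full Public Suffix List (for instance via the publicsuffix2 package) rather than the six entries here.

```python
"""Decide whether links in an email really point at the brand they name.
Added example, not from the original article. EXPECTED, SAMPLE_BODY and
PUBLIC_SUFFIXES are constructed for the example."""

import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the registered domain each brand is expected to link to.
EXPECTED = {"yourbankname": "yourbankname.com"}

# Constructed subset of the Public Suffix List (use the full list in practice).
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "co.uk", "com.au"}

# Constructed email body with three links: one genuine, two tricks.
SAMPLE_BODY = """\
Dear Valued Customer,

Your statement is at https://www.yourbankname.com/statements
Verify now: http://www.yourbankname.com.123456789.example.net/login
Or here: http://www.yourbankname.com@192.0.2.1/login
"""


def registrable_domain(host: str) -> Optional[str]:
    """Return the part of host that someone registered, e.g.
    'www.yourbankname.com' -> 'yourbankname.com'. None for IP literals
    and for hosts that are only a public suffix."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # numeric address: belongs to no brand
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Suffix not in our list: best effort, take the last two labels.
    return ".".join(labels[-2:]) if len(labels) > 1 else None


def classify_link(url: str, brand: str) -> Tuple[bool, str]:
    """True if the link lands on the brand's own registered domain."""
    parts = urlsplit(url.strip())
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) link with a host"
    if parts.username is not None:
        # http://yourbankname.com@evil.example/ : the browser ignores
        # everything before '@' and connects to the host after it.
        return False, f"text before '@' is a decoy; real host is {host}"
    rd = registrable_domain(host)
    if rd is None:
        return False, f"numeric or bare host {host}"
    if rd == EXPECTED[brand]:
        return True, f"{host} is under {rd}"
    if brand in host:
        return False, f"brand name appears in {host}, but the registered domain is {rd}"
    return False, f"{host} is {rd}, not {EXPECTED[brand]}"


def find_links(text: str) -> List[str]:
    """Pull http(s) URLs out of a plain-text body."""
    return [m.group(0).rstrip(".,;)") for m in re.finditer(r"""https?://[^\s<>"']+""", text)]


def audit_email(body: str, brand: str) -> List[Tuple[str, bool, str]]:
    """(url, ok, reason) for every link found in the body."""
    return [(u, *classify_link(u, brand)) for u in find_links(body)]


if __name__ == "__main__":
    for url, ok, why in audit_email(SAMPLE_BODY, "yourbankname"):
        print("OK  " if ok else "BAD ", url, "-", why)
```

Note that the http://123456789.www.yourbankname.com form from section 10 is reported as OK by this check, because its registered domain is yourbankname.com; the reversed form with the bank's name as a subdomain of example.net is reported as bad. The check says nothing about the page content, so a link that passes can still be a compromised page on the real domain; it only removes the common host-name tricks from the decision.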
12. Be wary of certain keywords
If an email asks you to 'verify', 'confirm' or 'update' confidential information such as your password, user name or date of birth, treat it as a scam. The same goes for threats and artificial urgency such as 'Urgent action needed. Failure to act now will result in immediate cancellation or suspension of your account!' Pressure to act immediately is a hallmark of phishing.
13. No signature emails
A missing or generic signature is a warning sign: genuine business email usually carries a proper signature with the sender's name, role and contact details. The reverse is not true, though. Phishers routinely copy real signatures and logos, so a polished signature does not prove an email is genuine.
14. Use filters or blocks
Organizations and individual users should have all incoming email scanned for phishing. Gmail and most other cloud email providers do this as part of the service, and filtering can also run on end-user devices. Filtering services route suspected phishing straight to the spam or junk folder. Organizations can fine-tune the rules that decide what is blocked or filtered, for example by quarantining messages that fail DMARC, whose Return-Path or Reply-To domain does not match the From domain, or whose display name impersonates a brand or an executive while the address belongs to another domain.
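As an added example (not code from the original article) of the kind of rule an organization can fine-tune, the following Python triages a raw message on header signals alone, using only the standard library: the dmarc= verdict in the receiving server's Authentication-Results header, alignment between the Return-Path and From domains, a display name that claims a brand while the address sits on another domain (the lookalike-sender pattern from section 3), and a Reply-To that diverts replies elsewhere. The three messages and the BRANDS map are constructed for the example. The lookalike message is included deliberately: it passes DMARC, because the attacker authenticated their own domain, so a filter that only checks dmarc=pass would deliver it.

```python
"""Score an inbound message on header-level phishing signals. Added
example, not from the article; the messages and BRANDS are constructed."""

import email
import re
from email.utils import parseaddr
from typing import Dict, List

# Constructed: brands we protect and the domain their mail really comes from.
BRANDS = {"yourbankname": "yourbankname.com"}

# Constructed: direct spoof of the bank's domain, failing DMARC.
RAW_PHISH = """\
Return-Path: <bounce@mail-verify.biz>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-verify.biz; dkim=none; dmarc=fail header.from=yourbankname.com
From: "YourBankName Security" <alerts@yourbankname.com>
Reply-To: <support@yourbankname-help.biz>
To: victim@example.com
Subject: Urgent: verify your account within 24 hours

Dear Valued Customer, ...
"""

# Constructed: attacker's own domain, fully authenticated, brand only in the display name.
RAW_LOOKALIKE = """\
Return-Path: <bounce@mail-verify.biz>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-verify.biz; dkim=pass header.d=mail-verify.biz; dmarc=pass header.from=mail-verify.biz
From: "YourBankName" <alerts@mail-verify.biz>
To: victim@example.com
Subject: Action required on your account

Dear Valued Customer, ...
"""

# Constructed: what the bank's genuine mail looks like.
RAW_LEGIT = """\
Return-Path: <bounces@yourbankname.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=yourbankname.com; dkim=pass header.d=yourbankname.com; dmarc=pass header.from=yourbankname.com
From: "YourBankName" <alerts@yourbankname.com>
To: victim@example.com
Subject: Your March statement is ready

Hello Alice, ...
"""


def domain_of(addr: str) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def auth_results(header: str) -> Dict[str, str]:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def aligned(domain: str, base: str) -> bool:
    """Relaxed alignment: same domain or a subdomain of it."""
    return domain == base or domain.endswith("." + base)


def triage(raw: str) -> List[str]:
    """Return the list of phishing signals found (empty = nothing flagged)."""
    msg = email.message_from_string(raw)
    findings = []
    results = auth_results(msg.get("Authentication-Results", ""))
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'missing')}: sender not authenticated for the From domain")
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and not aligned(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not align with From domain {from_dom}")
    for brand, brand_dom in BRANDS.items():
        if brand in from_name.lower().replace(" ", "") and not aligned(from_dom, brand_dom):
            findings.append(f"display name claims {brand} but address is @{from_dom}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and not aligned(reply_dom, from_dom):
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("lookalike", RAW_LOOKALIKE), ("legit", RAW_LEGIT)):
        print(label, triage(raw) or "no signals")
```

A real mail filter would feed these signals into a score alongside content and URL checks and quarantine above a threshold; the point of the example is that each signal is cheap to compute from headers you already have, and that no single one (DMARC included) is sufficient on its own.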
Use your instincts when it comes to detecting phishing. An email is not genuine just because it is free of errors or comes from a genuine-sounding address. If it seems even remotely suspicious, steer clear of it.