#BeCyberSmart – Let’s Talk About Phishing

Let’s talk about phishing. Phishing is the top action variety in social engineering breaches, accounting for over 60% of them according to Verizon’s 2022 Data Breach Investigations Report. Since 2016, phishing has seen an exponential increase in both email click rates and do-not-click rates. Let’s be real: phishing is an issue, and it is not going anywhere. This week, the National Cybersecurity Alliance has talked a lot about recognizing and reporting phishing and discussed how it is a problem that affects all businesses, no matter their size. In fact, 30% of small businesses consider phishing attacks to be their top cybersecurity concern.

Recognize Phishing

According to CISA, phishing is defined as “Attacks that use email or malicious websites to infect your machine with malware and viruses in order to collect personal and financial information. Cyber Criminals attempt to lure users to click on a link or open an attachment that infects their computers, creating vulnerability to attacks.”

Luckily, in this day and age, there is a lot that can be done to prevent users from falling victim to a phishing attempt. First and foremost, users need to understand what they are looking for so that they can ‘see it so that they don’t click it’. While the signs can be subtle, the National Cybersecurity Alliance has provided eight tips on how to clearly spot a phishing email:

  1. Email contains an offer that is too good to be true
  2. Email contains language that is urgent, alarming or threatening
  3. Email contains poorly crafted writing with misspellings and bad grammar
  4. Email is very generic and not personalized to you as the user
  5. Email requests your personal information
  6. Email requires you to click on a link or attachment
  7. Email contains an odd business request
  8. Email address looks odd or unidentifiable


While these are not the only identifiable characteristics of a phishing email, these are among the most common.  The main takeaway here is that if you recognize an email as “phishy”, make sure you avoid it and report it.
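Several of the eight signs above can be checked mechanically, which is how mail filters and report-button plugins triage what users send in. The script below is an added example, not code from Conceal or the National Cybersecurity Alliance: it parses a raw email with Python’s standard `email` library and reports which of the listed signs it shows. The keyword lists, the domain names and both sample messages are constructed for illustration; signs 3 (bad grammar) and 7 (odd business request) are left to human judgement because they do not reduce to keyword matching.

```python
"""Heuristic triage for the phishing signs listed above (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

# Constructed keyword lists, one per sign that a script can reasonably check.
TOO_GOOD = ("you have won", "prize", "free gift", "lottery", "claim your reward")
URGENT = ("immediately", "urgent", "within 24 hours", "will be suspended", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")
PERSONAL_INFO = ("password", "social security", "credit card", "verify your account",
                 "date of birth")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOMAIN_IN_NAME_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")


def _body_text(msg: Message) -> str:
    """Concatenate every text part of the message as lowercase text."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def _has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return the names of the listed signs present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    text = (msg.get("Subject") or "").lower() + "\n" + body
    found = []

    if any(k in text for k in TOO_GOOD):                      # sign 1
        found.append("too_good_to_be_true")
    if any(k in text for k in URGENT):                        # sign 2
        found.append("urgent_or_threatening")
    if any(g in body[:200] for g in GENERIC_GREETINGS):       # sign 4
        found.append("generic_greeting")
    if any(k in text for k in PERSONAL_INFO):                 # sign 5
        found.append("requests_personal_info")
    if URL_RE.search(body) or _has_attachment(msg):           # sign 6
        found.append("link_or_attachment")

    # Sign 8: the display name claims a domain the real address does not use,
    # or Reply-To silently redirects replies to a different domain.
    name, addr = parseaddr(msg.get("From") or "")
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To") or "")[1])
    claimed = DOMAIN_IN_NAME_RE.findall(name.lower())
    mismatch = any(d != from_dom and not from_dom.endswith("." + d) for d in claimed)
    if (reply_dom and reply_dom != from_dom) or mismatch:
        found.append("odd_sender_address")
    return found


def verdict(raw: str, threshold: int = 3) -> str:
    """Turn the indicator count into the action the post recommends."""
    return "report_to_security" if len(phishing_indicators(raw)) >= threshold else "likely_benign"


# Constructed sample messages; all domains are reserved .example names.
PHISH_SAMPLE = """\
From: "PayBank Security (paybank.example)" <alerts@paybank-verify.example>
Reply-To: helpdesk@mail-secure.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Unusual activity was detected. Verify your account immediately at
https://paybank-verify.example/login or your account will be suspended.
"""

BENIGN_SAMPLE = """\
From: Alice Chen <alice.chen@partner.example>
To: bob@company.example
Subject: Notes from today's sync
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Thanks for the time today. The summary of the action items is below.
Let's reconvene next Tuesday.

Alice
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, verdict(sample), phishing_indicators(sample))
```

The threshold of three matched signs is arbitrary and exists only to turn the list into a decision; a single sign such as a link is normal in legitimate mail, which is why the post stresses combining several cues rather than reacting to one.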

Report Phishing

So, you think you have been phished? Recognizing the fake email is the most important part of defending against a phishing attempt. Once a user has identified the phishing attempt, reporting the email to your IT manager or security officer can help ensure others do not fall victim to the same attempt. Some companies may even have a built-in plugin in their email application to make reporting as easy as possible. The most important thing here is NOT to click on any links. After reporting, ensure the email is deleted and no longer exists on any of your devices.

Another important aspect of reporting is to ensure users report a phishing attempt even if they have fallen victim. Sometimes a user does not realize they have been phished until they have already clicked on a link or opened an attachment. In these instances, users need to feel comfortable and empowered to reach out to their IT contact to report the phish so that the IT team can investigate and remediate as soon as possible. This communication can minimize the damage and spread of the malware or other threats that may have been part of the email. This reality also highlights the importance of investing in a security tool that can minimize the impact of a malicious email.

Invest Against Social Engineering

The reality is that, even with cybersecurity awareness training, users are still going to click on phishing links. As a result, it is important for organizations to explore their options for minimizing the impact. Here at Conceal, we isolate a user’s session when they click on a malicious link, keeping the harmful content from ever reaching your organization’s network. By investing in Conceal, you can protect your users from malware, spear phishing and browser-based cyber threats with clientless, zero-trust remote browser isolation. To learn more, request a demo with one of our experts today!