We’ve all been targeted in phishing attacks — fake messages from a seemingly trusted or reputable source designed to convince you to click on a malicious link, reveal information, give unauthorized access to a system or execute a financial transaction. During this second week of Cybersecurity Awareness Month, pay extra attention to those emails, text messages and chat boxes coming from a stranger or someone you weren’t expecting — and think before you click!
Many phishing attempts are easily recognizable, like Mark Zuckerberg contacting you personally about a prize you’ve won. If you’re ever in need of a laugh, this guy spent two years replying to phishing emails and then wrote an entire book on his hilarious exchanges with fraudsters.
At this point, phishing is widely accepted as a “given” — part of daily online life. However, attackers keep innovating, finding new ways to social engineer their victims by preying on their natural curiosity, trust and compassion for others. And today, there are plenty of phishing schemes that aren’t so obvious and can potentially dupe even the most cautious online user. For example, highly convincing COVID-19 scams, from Facebook messages from “friends” who’ve fallen on hard financial times to emails requesting proof of vaccination status, are rampant right now.
According to US-CERT, some of the most common — and seemingly legitimate — phishing emails include fake communications from online payment or internet service providers (claiming there is a “problem” with your account); false accusations from the FDIC of violating the Patriot Act (requesting that you “verify” your identity); and phony communications from your employer’s IT department (seeking passwords or other sensitive information that somebody can use to gain access to corporate systems and data).
Spot Phishing Attempts and Protect Your Digital Identity with These Simple Tips
The good news is that you can avoid most phishing and social engineering attempts altogether with a healthy dose of skepticism and common sense and by following these simple steps:
1. Choose your friends wisely. It’s solid advice in real life — and even more critical in the digital world. If you receive a LinkedIn message or Instagram friend request from someone you don’t know, do not respond, accept or click on any links within the message … which leads us to tip #2.
2. Don’t click on hyperlinks. Never click on a link from an unverified source. And remember, even emails sent from familiar sources can lead to issues: malware, ransomware and viruses can spread by scanning your device for other email addresses, then sending themselves to those email addresses in messages supposedly “sent” by you.
3. Urgent? Not so fast … Many phishing emails and messages attempt to create a sense of urgency, causing the recipient to fear their account or information is in jeopardy. Here’s a real-life example from the Federal Trade Commission: “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.” If you receive a suspicious email that appears to be from someone you know, reach out to that person directly. If the email comes from an organization but still looks “phishy,” reach out to them via customer service to verify the communication.
4. Step away from that personality quiz — and think twice before you post that update. Sure, social media quizzes are a fun way to kill time (who doesn’t want to know their celebrity doppelganger?!), but they’re also an excellent way for attackers to get a hold of your personal details. While taking a seemingly harmless quiz, you may disclose things like your full name, birthday or employer. The same advice applies to your regular social media posts — think twice before you put too much out there. Cyber criminals can use all this personal information to take advantage of you. What’s more, you could be handing them the answers to your security and password recovery questions.
5. Turn off location sharing whenever possible. Attackers can use location-sharing information to craft phishing messages that seem very timely and relevant. For instance, when location services are on, your location is embedded as metadata in every picture you take with your phone. Turn location services off when you aren’t using them to make it more difficult for bad actors to view this information.
6. Protect your personal computers and mobile phones. US-CERT recommends installing antivirus software and personal firewalls on your personal devices and making sure they’re set for automatic updates. It’s also essential to keep business and personal use separate, especially if you’re working remotely: don’t use your corporate device out of convenience to browse the internet, shop online, scroll through social media or check personal email.
7. Take back control of your spam folder. While not every message that falls into your spam filter is a phishing email, many of them are. Take some time this month to clean up your spam (or set up filters to keep junk out of your inbox), browse this helpful list from CISA on reducing junk mail and say goodbye to those bogus business opportunities, chain letters and too-good-to-be-true diet scams.
8. Protect your online accounts with multifactor authentication (MFA). According to National Institute of Standards and Technology (NIST) guidance, the passwords and passphrases you use should be as long and complex as possible — and never used in more than one place. But if you think passwords alone will protect you, think again. Many digital accounts, such as email, online banking and social media, give you the option of enabling MFA to add an extra layer of protection to the sign-in process. MFA typically combines at least two of the following:
- Something you know: a password, PIN or answer to a security question
- Something you have: a mobile device
- Something you are: a fingerprint or facial recognition
Combining these different types of identification can help to ensure you are who you say you are. Need more convincing? A study conducted by Google, New York University and University of California San Diego found that using MFA blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks on users’ Google accounts. See CISA’s MFA tip sheet for more details.
To test your ability to spot a “phish,” check out these real-world examples of phishing emails, and some other helpful steps you can take if a phishing attack has targeted you. And come back soon for week three of Cybersecurity Awareness Month to explore stories from our team about why they chose cybersecurity as a career — and how collaboration is key to continued innovation.