In March of 2017, Google and Facebook confirmed they fell victim to a massive phishing scam.
A man named Evaldas Rimasauskas posed as a manufacturer and was able to deceive Google and Facebook for nearly two years (2013-2015). All it took were some well-written emails and seemingly official invoices to con $100 million out of two of the best-known companies in the world.
Unfortunately, Google and Facebook are not isolated cases. Phishing scams have become very common and increasingly difficult to detect. While it's impossible to avoid phishing scam attempts completely, there are ways to identify them and save your organization from costly errors.
Phishing is a type of cyber attack where someone attempts to steal your money, your organization’s money, secure information, or your identity by getting you to reveal sensitive information like passwords, credit card numbers, etc. People who conduct phishing attacks are considered cybercriminals and they often impersonate reputable companies, friends, or coworkers.
Phishing attacks are usually not conducted on one person, but rather as mass campaigns. It’s likely you’re not the only one at your organization who received a phishing email. Scammers will send out hundreds or even thousands of phishing emails. While most of these attempts are unsuccessful, at least one person “takes the bait”.
When you take the bait, scammers will be able to install ransomware or other programs that can lock you out of your data. According to the Federal Trade Commission, these ransomware installations can even spread to the entire company network. If you share passwords, scammers will have access to all your sensitive accounts.
Let’s look at some signs of a “phishy” email.
Here’s an example of a phishing email I recently received:
Sender: mattwebbthlks@hotmail.com
“The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours.
{link here}
The US Postal team wishes you a wonderful day”
First of all, I knew not to click the link, because I wasn’t waiting on a package from USPS. But what if you are waiting on a package?
Another big red flag is the sender address. Always pay attention to who the email came from. Sometimes it will be easy to detect, but other times it won’t be. A reputable company like USPS will most likely not be emailing you from a personal email address. If USPS needed me to confirm my address, they would not email me through a Hotmail account.
Phishing messages will often leave you confused. The email includes a very urgent call to action with a time frame, but doesn’t explain why that time frame exists. What happens if I don’t confirm within 12 hours?
Lastly, they did not end their well wishes with a period. While this may seem trivial, a reputable company will rarely, if ever, make grammatical mistakes in their communication.
If an email seems even slightly suspicious or inauthentic, take a few moments to think before clicking into any links or giving out any personal information. Always check links for authenticity and ensure websites requesting payment information are secure. You can also expect emails from reputable companies to be consistent with that company’s brand and uphold a certain writing standard.
Even if you think an email may be authentic, always take the necessary precautions before clicking any links or opening attachments.
If an email appears to be from a coworker, you can go straight to the source to inquire about the legitimacy of the request you’ve received. Do not reply to the email, but try to have a conversation either in person or over the phone.
If the email asks you to click on a link, Microsoft recommends hovering your mouse over the link before actually clicking on the link. You can then look at the address that pops up and “ask yourself if that address matches the link that was typed in the message.” If it does not, the link is likely a scam.
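The two checks described above, the sender's domain and the hover-and-compare test for links, can be automated for a mail filter or an awareness tool. The following is an added example, not BerniePortal's or Microsoft's code; the sample message is constructed after the USPS email quoted earlier, and the free-mail domain list and `usps.com` brand domain are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: consumer mail providers a brand would not send official mail from.
FREE_MAIL = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what the mouse-over shows vs what is shown."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Last two labels of the hostname, lowercased (good enough for .com-style names)."""
    h = urlparse(url if "://" in url else "https://" + url).hostname or ""
    return ".".join(h.lower().split(".")[-2:])

def check_email(sender, brand_domain, html_body):
    """Return human-readable red flags; an empty list means none of these checks fired."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL:
        findings.append(f"mail claiming to be {brand_domain} sent from free-mail {sender_domain}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        shown = host(text) if URL_LIKE.match(text) else ""
        if shown and shown != host(href):   # displayed address differs from real target
            findings.append(f"link text {text!r} actually points to {host(href)}")
        elif host(href) != brand_domain:    # link leaves the brand's own domain
            findings.append(f"link to {host(href)} is not on {brand_domain}")
    return findings

SAMPLE_SENDER = "mattwebbthlks@hotmail.com"   # sender from the article's example
SAMPLE_BODY = (  # constructed HTML body modelled on the quoted USPS message
    "<p>Please confirm your address in the link within 12 hours.</p>"
    '<a href="http://usps-redelivery.example.net/confirm">https://www.usps.com/confirm</a>'
)
```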
You can also ask your manager or another coworker to look over the email with you. Maybe they will catch something you didn’t.
When you know you’ve received a phishing email:
Make it a priority to teach your employees about common phishing attacks and how to identify them. You can even make phishing training part of your new hire orientation, so employees feel prepared from day one.
To secure sensitive information, ensure all employees have two-step authentication for their workplace accounts and regularly back up their data. In case a phishing attack is successful, securing data outside of your network can save your organization from total loss.