Stupid Simple Security Tips #19 – Gone Phishing
Of the countless threats to data security, one of the most widespread and successful is also one of the simplest: phishing.
Phishing is a fraud that exploits human frailty rather than technological weak points and accordingly has thrived in the era of COVID — email attacks have recently relied on pandemic scams, and phishing sites jumped 20% in 2020.
While IT tools can limit phishing exposure and mitigate damages, the most effective defense is awareness – so let me drop some knowledge that might keep you safe.
What is Phishing?
Phishing scams use emails disguised as legitimate requests to extract info or bypass security. Digital con artists pose as trusted contacts who direct you to click links, download files, or submit credentials that are then used to attack related accounts and systems.
The “con” in “con artist” is short for “confidence,” and that’s just what these tricksters use against you – sending messages crafted to seem genuine with logos, language, and links that lower your guard and suspicion.
Messages might offer fake vaccination information or pretend to be an email provider/employer/bank/app/social network urgently confirming activity… but they are traps that install malware or ransomware, or simply make off with your passwords.
Don’t Take the Bait!
Sophisticated email filters and updated software will thwart some attempts. Proper password management, data encryption, and file backups can temper catastrophes after the fact…but the main line of defense against phishing is YOU!
These attacks are passive and don’t work without your compliance, so it’s critical that you learn to discern iffy messages and defer to your Spidey Senses if anything seems rotten.
There are three crucial tools that can protect you from phishing emails: cybersecurity training, simulated phishing, and self-learning email security platforms designed to quickly detect nefarious emails that slip through traditional anti-phishing defenses. And it just so happens those are 3 of the 8 security layers included in Security+, the only turnkey security solution built for solo and small law firms.
The most common advice when assessing suspicious messages is to PAUSE BEFORE CLICKING.
Any requests that feel odd or out-of-the-ordinary should be scrutinized through cynical eyes: is the sender known, did they address you personally, is the branding off, is the language/spelling/tone professional, is a request unusual, are the URLs clean, or do they contain extra characters (and do links look the same when you hover over them)? If you doubt any of these aspects, find a separate, secure way to verify the communication.
In fact, phishing fraud has become so sophisticated and spoof websites so tricky to spot that my advice these days is JUST DON’T CLICK!
If a vendor or service provider has an urgent need for information, they will also post it to your account. Rather than following a link or freely submitting info via email, follow your usual channel to securely log in and check for messages. If it’s a friend or an employer reaching out, write them separately instead of simply hitting “reply.”
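The hover-and-compare checks above (does the displayed link match the real target, does the host contain extra or swapped characters) can be automated when triaging a reported message. This is an added example, not code from the original post; the email fragment and the `TRUSTED_HOSTS` list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Constructed sample lure: two links go to a lookalike host, the third is genuine.
SAMPLE_HTML = """
<p>Please <a href="http://login.examp1e-bank.com/verify">confirm your account</a> at
<a href="http://examp1e-bank.com/x">https://www.example-bank.com</a>.</p>
<p>Help: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""
TRUSTED_HOSTS = {"example-bank.com"}  # hypothetical: domains the reader really uses

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude: keep the last two labels ("login.x.com" -> "x.com"); enough for .com samples.
    return ".".join(host.lower().split(".")[-2:])

def normalize(domain):
    # Fold digit-for-letter swaps and hyphens so "examp1e-bank" compares equal to "examplebank".
    return domain.lower().translate(str.maketrans("01", "ol")).replace("-", "")

def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Return reasons not to click this link; an empty list means nothing looked off."""
    reasons, host = [], urlparse(href).hostname or ""
    if re.match(r"(https?://|www\.)", text, re.I):  # the visible text is itself a URL
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but the link goes to {host}")
    reg = registrable(host)
    if reg not in trusted and any(normalize(reg) == normalize(t) for t in trusted):
        reasons.append(f"{host} imitates a trusted domain but is not one")
    return reasons

def scan_email(html, trusted=TRUSTED_HOSTS):
    parser = LinkCollector(); parser.feed(html)
    return {href: assess_link(href, text, trusted) for href, text in parser.links}
```

Running `scan_email(SAMPLE_HTML)` flags both `examp1e-bank.com` links and leaves the genuine help link clean.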
Keeping it Reel
Often when I lecture on phishing, I’m met with 🙄🙄🙄s that say, “I’d never fall for that!”…but you’d be surprised. Tech titans like Google and Facebook, political parties, and major corporations have all succumbed to such attacks.
All it takes is one slip-up by a single employee during a busy day, and all your data (or dollars) could be compromised or lost.
Updating system security offers a layer of protection, but with phishing, the best defense is education…which is why we include staff training as part of our complete protection. Be wary of any IT advisor who ignores the human element.
Have you encountered any particularly tricky phishing attempts? I’d love to hear them (and warn others) – send me your story with the subject line “Phishing.”