A pipeline is shut down for a week, resulting in delays in delivery of 20 billion gallons of oil. A large meat supplier halts operations at nine processing plants, causing shortages on supermarket shelves. 100 terabytes of intellectual property are stolen from a major media company.
Besides being devastating to the affected businesses, shareholders, and their customers, what do these all have in common? All were cybersecurity compromises that began with the simple action of an employee clicking on a link in a phishing message.
The big compromises like those listed above may get the headlines, but phishing is an issue for all organizations and individuals. According to the FBI's 2021 Internet Crime Report, phishing was the number one crime reported over the past five years. Even worse, over the past three years it has grown exponentially, with more than twice as many complaints received in 2020 as in 2019.
These are sobering statistics. If we, collectively, approach this as an opportunity to create change, we can recognize and defeat phishing emails to stop attacks in their tracks.
First, to recognize phishing we need to know what it is and what to look for. CISA describes phishing as a form of social engineering that uses “email or malicious websites to solicit personal information by posing as a trustworthy organization.” In short, the phishing message is the bait to get the recipient to provide some piece of information that they ordinarily would not share. This information could be their social security number, bank account information, or their user ID and password. The message will often entice by offering something free, or by suggesting some urgency, with phrases like “Act now or your account will be closed!” or “There was a problem delivering your package. Click here.”
To detect a phishing email, you can look for the following signs:
Sender’s email address: The email address doesn’t match the actual company, though it might be close (e.g. amazn.com instead of amazon.com).
Generic greetings and/or signature block: The message is addressed to “Valued Customer” or “Sir/Madam” rather than by name. There is no contact information in the signature block.
Spoofed links and/or website URLs: Examining the URL carefully will show the location isn’t the expected destination.
Poor spelling, grammar, and/or layout: These may indicate phishing, but beware, the bad guys are getting a lot better at this!
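As an added example (this code is not from the original article or the CIO Council), the following Python script applies the signs listed above to a constructed sample message: it flags a sender domain that is a close misspelling of a trusted one, a generic greeting, links whose real target is not the expected domain, and urgency phrases. The trusted-domain allow-list, the phrase lists and the sample email are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message showing the signs listed above; it is not a real email.
SAMPLE_EMAIL = """From: "Amazon Support" <support@amazn.com>
To: someone@example.org
Subject: Action required: your account will be closed
Content-Type: text/html

<html><body>
<p>Dear Valued Customer,</p>
<p>There was a problem delivering your package.
<a href="http://login-verify.example.net/amazon">Click here</a> to confirm.</p>
<p>Thank you,<br>Customer Service</p>
</body></html>
"""

# Assumed allow-list: domains the recipient actually expects mail and links from.
TRUSTED_DOMAINS = {"amazon.com"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear sir/madam", "dear user")
URGENCY_PHRASES = ("act now", "will be closed", "problem delivering", "click here")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as amazn.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so the real target can be compared with what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_email: str) -> dict:
    """Return the phishing indicators found in one raw email message."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Subject plus tag-stripped body, lower-cased for phrase matching.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()

    findings = {"sender_domain": sender_domain, "lookalike_of": None,
                "generic_greeting": False, "suspicious_links": [], "urgency": []}

    # Sign 1: sender domain is not trusted but is within two edits of a trusted one.
    if sender_domain and not is_trusted(sender_domain):
        close = [d for d in TRUSTED_DOMAINS if edit_distance(sender_domain, d) <= 2]
        findings["lookalike_of"] = close[0] if close else None

    # Sign 2: the greeting is generic rather than addressed by name.
    findings["generic_greeting"] = any(g in text for g in GENERIC_GREETINGS)

    # Sign 3: link targets that lead somewhere other than the expected brand's domain.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            findings["suspicious_links"].append({"text": visible, "host": host})

    # Urgency bait in the subject or body.
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in text]
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The script is deliberately heuristic: a single hit (for example a generic greeting in a legitimate newsletter) is not proof of phishing, but several hits together, as in the sample, are exactly the pattern the list above tells a reader to distrust. In a mail gateway the allow-list would come from the organization's own known senders rather than a hard-coded set.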
In summary, to be safe and help prevent phishing attacks, be cautiously skeptical of any message you weren’t expecting, that isn’t coming from a trusted, known source, that offers something free or asks for urgent action, that asks you to open an attachment or click a link, or that frankly just doesn’t seem right.
When in doubt, don’t click. Send it along to your IT or cybersecurity team and ask them to take a look.
Being aware of and defending against phishing is one of the most impactful ways you can ‘See Yourself In Cyber.’ Keep an eye on the CIO Council’s Twitter and LinkedIn accounts throughout the month of October for more Cybersecurity Awareness Month features.