In Today’s world, a phishing attack is one of the most successful means a hacker uses to gain access to your data.  It’s not all that shocking given the improvements in technology, tools and education regarding securing your physical environment.  They have to find a way around – if they can get just one of your employees to give up their credentials, it could be just the keys to the kingdom they need.

Below are just a few examples of recent articles discussing the success of Phishing campaigns:

Forbes – 23% open Phishing emails…..11% open AND click: 

Forbes.com – Lisa Brownlee – Security simulated phishing attacks yield 37 percent return on investment

CIO Insight – 84% of more than 300 IT Leaders polled estimated phishing attacks had penetrated their defenses:

CIOInsight.com – How spear phishing puts businesses on the hook

Wired – White House employee clicks on phishing email link and allows hackers in to several networks: 

Wired.com – Hacker lexicon spear phishing

So, what can you do (or NOT) to protect your company against attacks?  We prepared a list of 5 Do’s and 5 Don’ts to help you out.

phishing-1

 

Here are 5 DO’s:

Review the email for grammar and spelling
– While many attackers have improved over the years, some attacks still have pretty noticeable misspellings and other grammatical errors. Abnormal spacing and formatting may also be a sign of a phishing email.

Inspect the links
– Attackers will embed malicious URLs into seemingly legit ones within their emails. Use the mouse to hover over the hyperlink to determine if there is an embedded URL.

Validate the request
– If you receive an email from a fellow employee or vendor requesting information, pick up the phone and verify the request. Always use contact numbers from external websites – NOT the ones included in the potential phishing email.

Alert the appropriate personnel
– If you think you have received a phishing email, getting it to the proper person in the IT department is critical. They may be able to block others from receiving it or block access to any links that were included in the phishing email. Don’t hesitate to forward suspicious emails to the appropriate IT staff!

Use common sense
– If a vendor of three years has never asked for your password information through email, they probably wouldn’t be starting today. If a coworker of two years has never sent you an attachment and sends you one today and tells you to enable macros, don’t. Question requests that are outside the norm and use common sense when fulfilling requests.

Here are 5 DON’Ts:

Don’t trust the sender
– It doesn’t take any time or skill to “spoof” or impersonate the sender of an email. From the president of your organization to the President of the United States, attackers can assume the identity of anyone.

Don’t be so quick to reply
– Sometimes attackers are just looking to find valid email addresses within an organization or to identify the naming convention used within an organization. By replying to an email like this, even if it’s only to give the would-be attacker a piece of your mind, you only help the attacker determine that the email reached a recipient.

Don’t open that attachment
– Attachments that were once thought of as harmless (Word,Excel, PDF) are now being used to launch various types of attacks against end-users. If you weren’t expecting that attachment – don’t open it!

Don’t give out personal information
– Most companies will not ask you to transmit personal information, account information, or account passwords via email. Any requests similar in nature should raise suspicions and be reported.

Don’t be embarrassed
– These attacks work, which is why we’ve seen an increase in the amount of phishing attacks. Don’t be embarrassed that you fell for it. Don’t try to fix it yourself. Don’t assume you’ll be in trouble. Alert the appropriate IT personnel immediately and wait for further instructions. The faster they become aware of the issue the greater chance they can reduce the number of users that will be affected.