Cyber attacks such as the Anthem breach, the Home Depot breach, and the Target breach are becoming almost commonplace. Major cyber attacks compromising information about millions of people often start not with a bang, but a whisper – a “phishing” or “spear phishing” email through which an attacker tries to acquire login credentials that can be used to launch a sophisticated and crippling attack. Over 90% of cyber attacks take the form of, or start with, a spear phishing attack, and phishing attacks are also very common. These attacks happen both in the office and at home. Phishing and spear phishing attacks can happen at any time, and can target any person or employee.
What is “Phishing?” In a “phishing” attack, an attacker uses an email sent to a broad group of recipients (and not targeted to a specific group) to impersonate a company or business in an effort to get you to reveal personal information or login IDs/passwords, or to install malware or exploit a security hole on your computer. It generally uses an official-looking email and website to gather information, and often contains the logo(s) of the company it is impersonating.
What is “Spear Phishing?” In a “spear phishing” attack, an attacker uses an email tailored for a specific group of recipients (e.g., a group of employees at a specific business), often impersonating an individual such as someone from your own company or business, in an effort to get you to reveal personal information, login IDs/passwords, to steal money or data, or to install malware or exploit a security hole on your computer.
How do I spot a phishing or spear phishing email? Look for one or more of these key indicators that an email in your inbox is actually a phishing or spear phishing attack.
- The email has spelling or grammatical errors. A phishing or spear phishing email often contains spelling or grammatical errors, and does not appear to be written by a business professional.
- You do not recognize the sender’s email address. If you get an email asking you to click on a link or open an attachment, look carefully at the email address of the sender. Be especially alert for email addresses that are similar to, but not the same as, your company’s email address (e.g., “joe.johnson@microsoft.co” instead of “joe.johnson@microsoft.com”).
- The email contains links that don’t go where they say they do. Before you click on a link in an email you don’t recognize, “hover” your mouse cursor over the link. A pop-up will appear showing you where the link will go. If they don’t match, it’s probably a phishing or spear phishing attempt. In this example, this innocuous-looking link actually goes to a malicious website:
- The email asks you to open an attachment you don’t recognize. Many spear phishing emails ask you to open an attachment or click on a link. If an email you don’t recognize asks you to open an attachment you weren’t expecting or that doesn’t look familiar, or to click on a link you don’t recognize, don’t click on it or open it, and check with your IT or Security department if you want to know for sure.
- The email seems to be a security-related email, or asks you to take immediate action. Watch out for emails that state that your account will be suspended; ask you to reset, validate or verify your password, account information or personal information, or otherwise ask you to take immediate action to prevent something from happening.
- The email relates to a current news event. Many phishing emails use a current news event, such as a natural disaster or security breach, to get you to provide information, click a link or open an attachment.
- The email contains information from your social media accounts or other public information. Spear phishing attackers will often look at your public social media accounts (e.g., your Facebook feed, LinkedIn profile, tweets, etc.) and other public sources (e.g., Google searches) and use information about you or your friends to make a spear phishing email seem authentic. If an email contains personal information about you other than your name and email address, take a close look to ensure it’s not a spear phishing attempt.
If you think an email you received is a phishing or spear phishing attempt, (1) do NOT click or open any links or attachments in the email, (2) if you are at work, immediately contact your Security or IT department to report it, especially if you clicked on an attachment or link or otherwise took action before you realized this (failing to report it will be much worse, so don’t be embarrassed); and (3) delete the email immediately.