Have you ever received a communication like this?
- We’re reaching out to you regarding a suspicious charge that has been placed on your PayPal account. Please click the link below to approve or dispute this charge. Your account has been frozen until you complete this process.
Or maybe this one from someone posing as your boss:
- Hey, Bill, are you in the office today? I need you to make a payment for me. We’re late sending it out, and the client is really upset, so it needs to get processed right away this morning.
Problem is, you don’t have a PayPal account. And you just walked past your boss in the hallway. Those are two red flags telling you NOT to act on those messages. But even if you don’t click the link or make the payment, somebody else probably will. That’s how phishing works: cast enough messages out there by email, text message, and phone call, and a cybercriminal will get someone to bite.
You can often recognize phishing communications by their sense of urgency. They want you to do something right away or else. Language like, “Act now or your account will be suspended immediately,” puts the fear factor front and center. Another tell? Money is involved. These may seem like obvious signs, but we sometimes rush past common sense during busy days filled with multitasking, and that’s what scammers are counting on.
Several ways to phish
When it comes to going after businesses and their employees, phishing takes sharper aim and gets more sophisticated. Two popular methods:
- Spear phishing
- Whaling
Spear phishing, vishing, and smishing
Spear phishing is phishing aimed at a specific person or group rather than cast out at random. It usually arrives by email, but the same targeted approach works over voice calls (vishing) and text messages (smishing). The goal is the same: get the target to hand over personal information, credentials, or money. Because the attacker has done some homework, the message references real names, projects, or relationships, and the targets are typically rank-and-file employees rather than executives.
For example, a cybercriminal has broken into a co-worker’s email account and found your address and your past conversations in it. Knowing how the two of you talk, the criminal sends you a message from that account, or from a look-alike address carrying the co-worker’s name, in the same familiar tone:
- Hi Rebecca, I had to have my car towed to a repair shop this morning and I forgot my wallet at home. I need to pay the tow truck company before they will fix my car. Can you Venmo me $100 to cover the cost? I’ll pay you back when we get paid Friday. Here’s my Venmo username…
Another spear phishing example: the attacker has built an email with your company’s logo in the header, and the sender address contains your company’s name even though it is not your company’s domain. It says:
- Hi Traci, Thanks for being such a valued employee at Acme Sporting Goods. We’re celebrating our team members this month and we’re holding daily giveaways, and you are today’s winner! To claim your new 40-gallon Yeti cooler, click on the link below. Congrats!
Once you click or send that Venmo cash – they’ve got you.
Whaling
Whaling is phishing aimed at the biggest targets: high-level executives, typically those who control significant funds or hold sensitive information. These emails are sophisticated and well crafted, designed to trick the recipient into handing over sensitive information or transferring money to the cybercriminal.
They can come in the form of an email or text message, and might look like the examples below:
- Hi Michael, I am a customer service representative at Amazon, and I am making you aware that there is an issue with your account. Please click the link below to resolve this issue and ensure that your account remains active.
Or this one, from someone masquerading as an accounts payable representative from your OWN company:
- Joe, accounting needs more information regarding your team’s expense reports. Please click on the link below to fill out the needed information so we can stay on track and get those processed.
Once the recipient clicks the link, they may land on a fake page that mimics Amazon’s website or mirrors the company’s own. There the attacker asks for login credentials or other personal information, then uses them to sign in to the recipient’s real accounts and steal money or data.
It’s important to remember that these types of phishing scams are continuously evolving and changing in terms of their format and content, and it's important to be vigilant and skeptical of unsolicited emails, especially those that ask for personal or financial information.
Educate your employees
Even a proactive business that has invested in the latest technology to combat cyberattacks, and employed IT professionals to keep its systems safe and secure, is still at risk. That isn’t because its firewalls are faulty. Filters and gateways catch most bulk phishing, but a well-crafted targeted message will still reach an inbox, and at the end of the day it comes down to the human factor: no safeguard stops an employee from clicking a phony link once it gets there.
We get busy. We’re in a hurry to finish a project. An office mate diverts our attention with a question. We’re hungry and we want to get to lunch. There are all sorts of circumstances to distract us. And what looks like a valid email at first glance can quickly turn into a major data breach when a preoccupied employee clicks on a bogus link.
Education and routine exercises are key. Keep these tips in mind and pass them along to your employees:
- Slow down. A brief pause before clicking on a link in an email—an extra five or 10 seconds—could save your company from losing years of private data.
- Learn more. Understand business email compromise and what it can look like and stay on top of password best practices.
- Be suspicious. Especially of requests for money or anything out of the ordinary, even if the email appears to come from a co-worker, manager, friend, or family member.
- Verify the request. Contact the sender through a channel you already trust, such as a phone number you already have or a walk to their desk, never the number or reply address in the message itself, which is likely controlled by the attacker too.
- Check the email address. The display name may say your boss, but the actual address after it may not be on your company’s domain (the part after the @ symbol), or may be a look-alike such as a misspelling of your domain or your company name glued to someone else’s domain.
- Hover over links with your mouse. The real destination shows in the status bar or a tooltip, and it may not be your company’s website no matter what the link text says. On a phone, long-press the link to see the address before opening it.
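The last two tips can be automated. As an added example that is not part of the original article, the script below parses a constructed sample message, compares the real sender domain (not the display name) against an assumed company domain, and compares each link’s visible text with its actual destination, reporting the red flags it finds. The domain acmesportinggoods.com and both sample messages are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the reader's organisation owns this domain.
COMPANY_DOMAIN = "acmesportinggoods.com"

# Constructed sample modelled on the giveaway lure above: the display name looks
# internal, the real address is a look-alike domain, and the visible link text
# names the company site while the href goes somewhere else.
PHISH_EMAIL = """\
From: "Acme Sporting Goods HR" <rewards@acmesportinggoods-hr.com>
To: traci@acmesportinggoods.com
Subject: You are today's giveaway winner!
Content-Type: text/html

<html><body><p>Congrats! To claim your cooler, click
<a href="http://claim-prize.example.net/login">https://acmesportinggoods.com/giveaway</a>
before 5pm today.</p></body></html>
"""

# Constructed sample of a legitimate message for comparison.
CLEAN_EMAIL = """\
From: "Acme Sporting Goods HR" <rewards@acmesportinggoods.com>
To: traci@acmesportinggoods.com
Subject: Giveaway details
Content-Type: text/html

<html><body><p>Details are on the
<a href="https://intranet.acmesportinggoods.com/giveaway">intranet page</a>.</p></body></html>
"""


def sender_domain(msg):
    """Domain after '@' in the real From address; the display name is ignored."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def is_company_host(host, company_domain):
    """True for the company domain itself or any subdomain of it."""
    return host == company_domain or host.endswith("." + company_domain)


def host_of(url):
    """Hostname of a URL; bare text such as 'www.example.com/x' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """Visible link text that itself reads like a web address."""
    return "://" in text or text.startswith("www.")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() in ("text/plain", "text/html"))


def check_message(raw, company_domain=COMPANY_DOMAIN):
    """Return the red flags found (list of strings); an empty list means none."""
    msg = message_from_string(raw)
    flags = []

    # Tip: check the address, not the display name.
    dom = sender_domain(msg)
    if not is_company_host(dom, company_domain):
        note = f"From address domain '{dom}' is not {company_domain}"
        if company_domain.split(".")[0] in dom:
            note += " (look-alike domain)"
        flags.append(note)

    # Tip: hover over links, i.e. compare the real destination with the visible text.
    collector = LinkCollector()
    collector.feed(body_text(msg))
    for href, text in collector.links:
        target = host_of(href)
        if not is_company_host(target, company_domain):
            flags.append(f"link goes to '{target}', outside {company_domain}")
        if looks_like_url(text) and host_of(text) != target:
            flags.append(f"link text shows '{host_of(text)}' but points to '{target}' (mismatch)")
    return flags


if __name__ == "__main__":
    for flag in check_message(PHISH_EMAIL):
        print(" -", flag)
```

Two caveats a practitioner would add. The From header is trivially spoofable, so a sender domain that matches your company proves nothing on its own; authenticating it is the job of SPF, DKIM, and DMARC at the mail gateway, and this check only catches the careless cases the article describes. And a link whose visible text is ordinary words (“click here”) gets no mismatch check, which is exactly why hovering still matters.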