Phishing – More Dangerous Now Than Ever


Phishing attacks are a topic worth returning to time and time again—not only because they are incredibly common, but also because there is so much potential harm that can be done. Today, with so many people working from home, the threat landscape has evolved yet again and the risk is greater than ever.

Remind Me, What Is Phishing Exactly?

In a phishing attack, a hacker or cyber criminal “casts a net” by sending fraudulent emails to a large number of potential victims. Within this email are usually links, downloadable attachments, or requests for information. These features are the “bait,” and the attacker needs only one person to be either careless or uninformed enough to download malicious software onto their work computer.

In some instances, the emails can be easy to spot. Maybe it’s the classic “I’m a long lost prince. Send me money and I’ll return it once I’m back in power” email. No one is falling for that these days.

Other times, they can be quite realistic and look almost exactly like an email officially from a large company like Microsoft, Salesforce, or Amazon. Once you click on a fraudulent link and enter your login information—fake password reset links are common—the attacker has won.

Spear Phishing vs. Phishing

While a standard phishing attack casts a wide net—targeting large lists of emails or everyone at a particular organization—spear phishing is a more methodical, targeted approach.

In a spear phishing attack, a cyber criminal takes time to do research, gather information, and find the contact information for a specific target. From here, they will craft a tailored message, usually still an email, and try to trick this individual into downloading a file or providing login information.

There are a number of tactics, ranging from a fake email from IT support expressing faux-concern about an imminent threat to a coworker asking for some help with a task. Though this type of attack has fewer targets, the messaging tends to look authentic, so these attacks are more likely to succeed.

How to Identify a Phishing Attack

Avoiding a phishing attack really comes down to doing your due diligence. Some are easy to detect—the “long lost prince” email, for example—but others may be cleverly disguised.

First, ask yourself, “Did I solicit this email?” If you did not request to change your password, your Microsoft, WordPress, Salesforce, or any other accounts should not be prompting you to do so. These emails also often say “If this wasn’t you, click here to change your password.” Such messages are typically fake as well. A real alert from a service provider will suggest that you go to their site and change your login information securely the way you normally would.
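As an added example (not part of the original post), here is a small Python triage script that applies two of the checks above to a constructed sample message: it flags a “change your password” prompt in the body and compares the sender and link domains against the domains the claimed brand actually uses. The brand-to-domain table, the lookalike domain and the sample email are all assumptions constructed for this demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands your staff use, mapped to the domains a genuine alert from that brand would send from and link to.
TRUSTED_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "salesforce": {"salesforce.com"},
}
RESET_PHRASES = re.compile(r"reset your password|change your password|if this wasn.t you", re.I)
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>.*?</a>', re.I | re.S)

# Constructed sample: a lookalike "Microsoft" alert sent from a made-up domain with a zero in place of the o.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@micros0ft-alerts.example>
Subject: Unusual sign-in activity on your Microsoft account
Content-Type: text/html; charset="utf-8"

<p>We noticed a sign-in from a new device. If this wasn't you,
<a href="https://login.micros0ft-alerts.example/reset">click here to change your password</a>.</p>
"""

def registered_domain(host):  # last two labels of a hostname; adequate for this demo, not public-suffix aware
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def claimed_brand(msg):  # which trusted brand the From display name or Subject claims to be, if any
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return next((b for b in TRUSTED_BRAND_DOMAINS if b in text), None)

def triage(raw_email):
    """Return the red flags found in one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    flags = []
    if RESET_PHRASES.search(body):
        flags.append("body urges a password reset you did not request")
    brand = claimed_brand(msg)
    if brand is None:
        return flags  # no impersonated brand to compare domains against
    trusted = TRUSTED_BRAND_DOMAINS[brand]
    sender = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if sender not in trusted:
        flags.append(f"claims to be {brand} but the sender domain is {sender}")
    for href in HREF_RE.findall(body):
        dom = registered_domain(urlparse(href).hostname or "")
        if dom not in trusted:
            flags.append(f"link goes to {dom}, not a {brand} domain")
    return flags
```

Running `triage(SAMPLE_EMAIL)` yields three flags for the sample; a genuine alert that names the brand but links to one of its own domains, and contains no reset prompt, yields none.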

Another scenario could be a fraudulent email that looks like it is coming from a coworker. If you get an unexpected email asking for personal information, all it takes is a quick phone call to verify its authenticity.

In either case, the important next step is to report the occurrence to your IT person. If you are working with The Millennium Group, we make it quite easy to reach out and will handle everything from there.

The answer to “What do I do after clicking on a phishing link?” is simple: Call IT support immediately. It’s possible that any harm can be undone, but it is important to act quickly.

How To Prevent Phishing

Particularly in the age of COVID-19, where so many are working from home on potentially unsecured networks and distant from management and IT support, training and a culture of vigilance are your best tools.

It is a common occurrence for an employee to get lost in their work and fall victim to a phishing attack because they aren’t thinking about the risks. Emphasizing this repeatedly to employees is an obvious and effective way to raise awareness of the issue. There is no need to be alarmed, but everyone should be vigilant.

Since cyber security is one of our specialties, The Millennium Group can help provide the training that decreases the likelihood of a security breach. Your first line of defense is your workforce itself, so they should be equipped to handle themselves and their security.

Another useful tool is “fake” or test phishing attempts that are sent by you or your IT support provider. In these exercises, emails that have telltale signs of phishing attacks will be sent to various employees. If they report them as phishing, success! If not, there is no harm done and you have a new opportunity for training.

Whatever structure your company is currently operating under—working remotely, in the office, or a hybrid model—there is always an opportunity to mitigate risk. The Millennium Group can help.