Recently I came across an online plea for help from someone who fell prey to a phishing scam. He said someone claiming to be the company CEO sent him an email asking him to buy Google Play gift cards for a bonus and then send him the details. He was out sick that day, the CEO is off-site a lot, and he didn’t suspect this was a scam. He bought the cards and sent the scammer all the details. It wasn’t until the scammer asked for a second batch of cards that he realized it might not be the CEO. At that point he called the office only to discover it had been a scam all along.
While I didn’t see that phishing email myself, I noticed one that sounded similar in my own spam filter that same week. It was even supposedly signed by “Jeremy” (the President of PCS). This gift-card request is just one type of phishing attempt, but phishing comes in many flavors.
Phishing is a broad term for fraudulent communication designed to trick recipients into opening infected attachments, typing sensitive information into fake websites, or sending money or gift cards to hackers. It’s a form of social engineering that most often arrives by email but can also come as text or instant messages. Scammers generally imitate a trusted colleague, friend, family member, or business to appear legitimate.
It’s useful to have spam filters and junk folders to deal with unwanted emails, and thankfully we can expect most of these bad emails to be blocked before they get to us. But for the few that get through, it pays to be suspicious.
Red flags include emails coming from unknown domains, emails sent outside of regular business hours, requests that wouldn’t normally be made, links to misspelled websites, or a sense of urgency combined with a request not to verify. The phishing email I saw in my own filter included misspellings, poor grammar, and punctuation/capitalization errors, although these days many phishing attempts are written very well and can’t be identified this way.
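The red flags listed above can be checked mechanically before a message ever reaches a person's judgment. The script below is an added example, not code from this post or from PCS: it parses a raw email and reports which of the post's red flags it triggers (unknown or lookalike sender domain, an executive's name on an outside address, sent outside business hours, urgency or "don't call" wording, a gift-card request). The trusted domain, the executive name list, the business hours and the sample message are all assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed (not from the post): our own mail domain and the executive names a scammer imitates.
TRUSTED_DOMAINS = {"pcs-example.com"}
EXECUTIVES = {"jeremy"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 in the Date header's own time zone
URGENCY = re.compile(r"\b(urgent|asap|right away|immediately|don'?t (call|verify|tell))\b", re.I)
GIFT_CARDS = re.compile(r"\b(gift ?cards?|google play|itunes|prepaid cards?)\b", re.I)

def is_lookalike(domain):
    """Near-miss of a trusted domain (e.g. 'rn' in place of 'm'), but not the domain itself."""
    return any(d != domain and SequenceMatcher(None, d, domain).ratio() >= 0.8
               for d in TRUSTED_DOMAINS)

def phishing_red_flags(raw_message):
    """Return the red flags from the post that a raw RFC 822 message triggers."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        flags.append("unknown sender domain")
        if is_lookalike(domain):
            flags.append("lookalike sender domain")
        if any(e in name.lower() for e in EXECUTIVES):
            flags.append("executive name on external address")
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour not in BUSINESS_HOURS or sent.weekday() >= 5:
            flags.append("sent outside business hours")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if URGENCY.search(body):
        flags.append("urgency / told not to verify")
    if GIFT_CARDS.search(body):
        flags.append("gift card request")
    return flags

# Constructed sample modelled on the gift-card scam described in the post.
SAMPLE = """\
From: Jeremy <jeremy@pcs-exarnple.com>
Date: Sat, 04 Mar 2023 22:15:00 -0500
Content-Type: text/plain

I need you to buy 5 Google Play gift cards for staff bonuses today. It's urgent
and I'm in meetings all day, so don't call, just email me the card codes.
"""
```

Running `phishing_red_flags(SAMPLE)` returns all six flags; a routine internal message from the trusted domain during working hours returns an empty list, which is the point: the checks sort the obvious cases, and the doubtful ones still go to a phone call.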
The best way to deal with phishing attempts is to be suspicious of incoming emails. If we ask ourselves, “Is this a normal email or a normal request I should be receiving?”, the answer will usually tell us whether an email is safe, or whether it should be reported or deleted. When in doubt, verify in person or use a known good phone number to confirm the request. It is part of our job to be suspicious of incoming emails and to prevent security breaches. In today’s world, we must think about what we’re clicking on and what the results could be.
At PCS, we use KnowBe4 internally to provide security awareness training for our employees. We also offer this same critical training to our clients. Since it’s much easier for hackers to trick people into sharing a password than actually hacking a computer, it’s very important that employees know how to identify phishing attempts and other potential social engineering attempts so that we can best prevent security compromises. Periodic training is the best way to stay up to date on current trends and to learn what to watch out for so we can all stay safe and protected.
If your business needs training for your employees or if you’d like some advice on where to begin, don't hesitate to reach out to us.