Think you’d fall for a phishing email or text?
Probably not, right?
The thousands of people who fell for a phishing scam this year thought the same thing.
Many think they’re not a target because they’re not an executive, senior manager or someone who has access to important information or money within their company. Receptionists, human resources staff and executive assistants are examples of prime targets in addition to the CEO, owner or members of the accounting team.
Sometimes phishing emails get past email spam filters and other email security tools. They may land in multiple inboxes at the same time, so when one employee figures out that it’s fake and goes to notify their coworkers, it’s too late. Hackers know that the word will spread quickly. So, they’ll sometimes send an email out to an entire organization simultaneously with the hopes that at least one recipient will take action.
Other times, hackers will target one person and use information found on social media to compose an email that would appeal to them and trick the recipient into opening it.
What Does a Phishing Email or Text Look Like?
Phishing messages used to be pretty obvious. They no longer look the way they used to, and they come in all forms. Phishing via text is called SMiShing, since it’s done through an SMS message. Both email phishing and SMiShing often include a link with a request to click on it.
Sometimes there may even be a phone call from someone claiming to be the one who sent the email. This is called vishing because voice is involved. The caller may say they are just following up on the email that was sent to lend credibility to it. The caller will claim to help you by walking you through the steps in the email’s instructions. Hackers or bad actors will go to extensive measures to get what they want.
A common vishing example is someone claiming to be from “tech support”. They say they’re calling to check up on an email or text they sent requesting to click a link or enter a system password for a necessary update. Of course, it’s a scam but the vishing tactic often lends legitimacy to the phishing email or SMiShing text, so many fall for it.
Both phishing emails and SMiShing texts look authentic.
Phishing Emails and SMS Phishing May Include:
- Company logos or names of familiar brands
- A sender from a company you do business with, like a supplier or customer
- Names of colleagues or coworkers
- A message indicating that you have to take immediate action
- A negative consequence if you don’t follow directions
- A link with a request to click
- An attachment of a commonly used file type
Dangers of Opening Malicious Email Attachments
With phishing emails, the danger may be in an attachment. When you open the attachment, malicious software, known as malware, may get downloaded. Malicious attachments are commonly disguised as invoices, documents or voicemails. Many times malware gives attackers access to your computer to record the keystrokes you type and steal information.
What Happens After You Click on a Phishing Email or SMiShing Link?
When someone opens the phishing email and clicks on the bad link, they’re often afraid to say something out of fear for their job and embarrassment, thinking they should have known better. So they sometimes don’t say anything. Things seem ok. It’s quiet and nothing blew up. So, they think that nothing serious happened.
Why should you care if you clicked or opened a bad attachment?
Because what happens behind the scenes after clicking a link in a phishing email or opening a bad attachment can be catastrophic to your organization. You may have given system access to a hacker and not even know it. This access is often quiet. Hackers don’t set off alarms once the recipient clicks or opens the file. Hackers may roam around, studying your company’s network for days, weeks, and sometimes months, going unnoticed. They’ll take as much time as necessary to gain the information they’re seeking.
What do hackers want?
- Trade secrets
- To cause disruption
- Company financial information to steal money
- Personally identifiable information of others to resell on the dark web
Once access is granted, confidential information about clients, employees and others whose information is contained in your computer system is then often copied and removed quietly by the hacker. This information is later used as leverage for a ransom, embarrassment and sometimes, irreparable harm to the company or a group of individuals.
6 Questions to Ask Yourself if You Receive a Suspicious Email or Text
- Was I expecting this email?
- Is it asking me to do something that feels like it has a sense of urgency?
- Do the sender’s email address and name match up?
- Are there misspellings or punctuation errors in the message?
- Is the way you’re addressed the same as how most address you?
- Is it asking for any of my usernames or passwords?
If you have ever received a phishing email or text in the past and accidentally opened it or clicked on its content, in hindsight, you probably answered yes to one or more of these questions. You probably saw one or more of these red flags and raised an eyebrow.
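Several of the red flags above can also be checked automatically when a reported message reaches the IT team. The following Python sketch is an added example, not part of the original article: the keyword lists, the `known_senders` lookup, the sample message and all `.test` addresses are constructed assumptions, and it covers only the sender, urgency, credential, link and attachment checks.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword lists for this example; tune them to your own mail.
URGENCY = re.compile(r"\b(immediately|urgent|right away|final notice|suspended)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|log ?in|credentials)\b", re.I)
LINK = re.compile(r"https?://([^/\s\"'>]+)", re.I)

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Dana Reyes" <dana.reyes@examp1e-payroll.test>
To: sam@example.test
Subject: Action required immediately

Hi Sam, your mailbox will be suspended. Confirm your password here:
http://login.example-support.test/verify
"""
# Hypothetical directory: display name -> address that person normally uses.
KNOWN = {"dana reyes": "dana.reyes@example.test"}

def red_flags(raw_message, known_senders):
    """Return the checklist red flags found in one raw email message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rpartition("@")[2]
    text_parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace") for p in text_parts
    )
    text = f"{msg.get('Subject', '')}\n{body}"

    flags = []
    expected = known_senders.get(name.strip().lower())
    if expected and expected.lower() != addr:
        flags.append("sender name does not match address")
    if URGENCY.search(text):
        flags.append("urgent call to action")
    if CREDENTIALS.search(text):
        flags.append("asks for username or password")
    domains = {d.lower() for d in LINK.findall(body)}
    if any(d != sender_domain and not d.endswith("." + sender_domain) for d in domains):
        flags.append("link points outside sender's domain")
    if any(p.get_filename() for p in msg.walk()):
        flags.append("has attachment")
    return flags
```

A message with no flags is not proven safe; the script only surfaces the same signals a person would look for, so reported emails can be triaged faster.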
What to do if You Think You Clicked on a Bad Link
It’s best not to open any unexpected attachments or click links inside emails. The best thing to do when you receive any suspicious emails or texts is to notify your IT team. Even if you don’t click or open attachments, it’s important to inform your tech support team so they can determine if there is an attack on your company. It’s possible that others may have reported the same email, text or vishing attempts. Others may have fallen for the phishing tricks.
If you accidentally reply to a phishing email or click on a bad link, tech support should always be informed immediately.
How to Prevent a Company Breach
Combined with other security tools, ongoing security awareness training along with simulated phishing for an entire organization is the best defense against getting hacked. Continually educating your team about the changing tactics used by hackers is critical so they can be on the lookout for the red flags. An annual training is not sufficient. Strategies hackers use change, so you and your team need to be kept informed.
Who Should Participate in Security Awareness Training
Security awareness training should be scheduled on a regular basis and be required of all members of the company, including executives. Remember, everyone’s a target for phishing. Companies that keep security top of mind will have a greater chance of preventing a hacker from gaining access.
Everyone’s a target when it comes to phishing. Bad actors use a variety of tactics to trick people into opening bad attachments or clicking links to give them unauthorized access. Along with system security measures, security awareness training is the strongest tool companies can implement to protect their systems from being hacked. Since everyone’s a target, all members of companies, especially executives, should participate in regularly scheduled security awareness training.