In my previous blog post, I wrote about some new phishing tactics including Spear-phishing and SMiShing. Today I want to provide some tips on how to stay protected from these phishing attacks.
Tips to stay protected from Spear-phishing and SMiShing
Clicking a link is only part of the threat; phishing can be part of a larger attack.
1. If you are an organizational leader, provide security awareness training for your staff, with specific emphasis on anti-phishing awareness. If you are an associate, take such training to ensure you know how to keep the organization you work for secure.
2. Do not click on links within your email, especially if they allude to the need for a log-in or personal information. It is always a best practice to go to the actual website of the trusted company by entering the URL manually, then logging in as you normally would. If the request is legitimate, there will be a message in your account.
3. Call the number on the official site to verify the request – do not call the number provided in the email or letter. These are often fake numbers complete with IVR systems to match the company and operators who are part of the scam.
4. Think logically. If you receive an urgent call to action that does not make sense or seems random, verify the urgency before acting on any requests. These attackers want you to act fast, so they provide scenarios that equate to emergencies. There have been instances of individuals receiving “bills” from companies they haven’t purchased from, and they click the link in curiosity. Don’t do it.
5. Do not post personal information on blogs, social networking sites, and other public websites through which attackers could potentially locate your information to use as a legitimacy factor.
6. Recognize the Signs of a Phishing Email. They are not always easy to spot. Here are some items to look for:
- Misspellings in the company name, URL, or email copy (for example, company.1.com or company.net instead of company.com).
- A sender with an unusually long email address, an unlisted (undisclosed) recipient, or a message that appears to come from your own email address.
- Urgent calls to action (an abnormal amount of money as your bill, unpaid statements that you know were paid, threat to deactivate your account, etc.)
- As a general rule, no legitimate organization will EVER ask you to respond with your password or other personal information in an email.
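The signs listed above can be checked mechanically before a message ever reaches a person's judgement. The script below is an added example, not code from the original post: it parses a raw email, compares the sender and link domains against a constructed allow-list of trusted domains (only company.com here), and flags the lookalike patterns from the list (company.1.com, company.net, one-character typos), unusually long sender addresses, undisclosed recipients, urgent wording, and requests for a password. The trusted-domain list, the phrase lists, the 40-character "long address" threshold, and the two sample messages are all assumptions constructed for the example.

```python
"""Flag the sign-of-phishing indicators from the tips above in a raw email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"company.com"}

# Constructed phrase lists for the "urgent call to action" and
# "asks for your password" indicators; tune them for real use.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be deactivated",
                   "unpaid", "overdue", "final notice")
CREDENTIAL_PHRASES = ("reply with your password", "confirm your password",
                      "send us your password", "social security number")

URL_RE = re.compile(r"https?://([^\s/'\"<>]+)", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats (c0mpany.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str):
    """Explain why `host` resembles a trusted domain without being one, or return None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])          # assumption: no public-suffix list
    if registrable in TRUSTED_DOMAINS:
        return None                              # genuinely the trusted domain
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels[:-2]:                 # company.1.com: brand as a subdomain
            return f"{host}: '{brand}' used as a subdomain of {registrable}"
        if labels[-2] == brand:                  # company.net: same name, other TLD
            return f"{host}: same name as {trusted} but different TLD"
        if edit_distance(registrable, trusted) == 1:   # c0mpany.com
            return f"{host}: one character away from {trusted}"
    return None


def phishing_indicators(raw_email: str) -> list:
    """Run the checks over one raw single-part RFC 822 message; return findings."""
    msg = message_from_string(raw_email)
    findings = []

    _name, from_addr = parseaddr(msg.get("From", ""))
    to_header = msg.get("To", "")
    to_addr = parseaddr(to_header)[1]
    from_domain = from_addr.rpartition("@")[2]

    reason = lookalike_reason(from_domain) if from_domain else None
    if reason:
        findings.append("sender domain: " + reason)
    if len(from_addr) > 40:                      # assumption: threshold for "long address"
        findings.append(f"unusually long sender address ({len(from_addr)} chars)")
    if not to_addr or "undisclosed" in to_header.lower():
        findings.append("recipient not listed")
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("message appears to come from your own address")

    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgent call to action: " + ", ".join(hits))
    hits = [p for p in CREDENTIAL_PHRASES if p in text]
    if hits:
        findings.append("asks for credentials/personal data: " + ", ".join(hits))

    for host in URL_RE.findall(text):
        host = host.split("@")[-1].split(":")[0]   # drop any userinfo and port
        reason = lookalike_reason(host)
        if reason:
            findings.append("link: " + reason)
    return findings


# Constructed sample messages (not real traffic).
PHISH_EMAIL = """From: "Company Billing" <billing-notifications-department-2024@company.1.com>
To: undisclosed-recipients:;
Subject: FINAL NOTICE: unpaid statement of $4,912.00
Content-Type: text/plain

Your account will be deactivated within 24 hours unless you pay now:
http://company.net/login
Please reply with your password to confirm your identity.
"""

LEGIT_EMAIL = """From: "Company Support" <support@mail.company.com>
To: alice@example.org
Subject: Your March statement is available
Content-Type: text/plain

Your statement is ready. Sign in at https://www.company.com/ as usual.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Run as-is, the phishing sample produces six findings (lookalike sender domain, long address, undisclosed recipient, urgent wording, a password request, and a lookalike link), while the legitimate sample produces none because mail.company.com and www.company.com both resolve to the trusted registrable domain. The checks are heuristics: a clean result does not prove a message is safe, and the allow-list must reflect the organisations the reader actually deals with.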