5 Ways to Spot Phishing Scams Aimed at Your Workforce


Like most employers, you likely need your workforce to communicate freely and operate somewhat independently. The fact that you can’t control your employees’ every move makes threat awareness education imperative. There are many threats to information security that human beings enable. Humans are particularly vulnerable to the threat of Phishing.

According to ISACA, Phishing is a type of attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. Phishers scam employees by enticing them to activate a link that results in malware loading to their devices. Alternatively, phishers may trick the employee into responding to a prompt to enter sensitive information (e.g., user id and password). In either scenario, employees believe they are responding to a legitimate request, when they are not. Phishing may occur by email, text message, or social media.

How can employees spot and avert phishing scams? Ralph Spencer Poore, an ISSA Distinguished Fellow and ACM Senior Member with over four decades of information security experience, shared these 5 telltale signs of a phishing attempt:

  1. Typos and Word Choice Issues: The text or graphics displayed in the request contains errors (e.g., misspellings, poor grammar, or incorrect punctuation). Who knew that what you learned in English class could protect you from cybercrime?!
  2. Hidden Links: The displayed hyperlink isn’t the same as the actual link [by resting the cursor on the hyperlink (but NOT clicking it) you will see the actual URL to which it would take you].
  3. Foreign Web Addresses: The link includes an address that ends with a country code with which you don’t do business, e.g., “RU” (Russia), “CN” (China), “IR” (Iran), or “KP” (North Korea). [www.chasebank.kp for example]
  4. Vague or Incorrect Information: The content of the message contains either incorrect information (“notice about your Visa card ending 1234” when you don’t have a Visa card, for example) or is overly general (“this is your credit card service center; please click through for an important message about your account”).
  5. Unexpected Messages: Any message you didn’t expect to receive, for example, from a help desk when you have not requested help or from a vendor with whom you don’t do business.
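Signs 2 and 3 are mechanical enough to check automatically. As an added example (not part of the original post or of any product), the Python below parses the anchors in an HTML mail body, flags links whose displayed address differs from the real destination, and flags destinations ending in a country code you do not do business with. The set of flagged country codes and the sample message are constructed assumptions; tune the set to your own footprint.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: country-code TLDs your organisation never does business with.
# The post's examples are RU, CN, IR and KP; tune this to your own footprint.
UNEXPECTED_CCTLDS = {"ru", "cn", "ir", "kp"}
# Anchor text that itself looks like a web address (sign 2 only applies then).
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:      # text inside <a>...</a>, nested tags included
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(addr):
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in addr:
        addr = "http://" + addr
    h = (urlparse(addr).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def check_links(html):
    """Return (href, reason) pairs for anchors matching signs 2 and 3."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        real = host_of(href)
        shown = host_of(text) if _LOOKS_LIKE_URL.match(text) else ""
        if shown and shown != real:           # sign 2: displayed address != actual
            findings.append((href, f"hidden link: shows {shown}, goes to {real}"))
        tld = real.rsplit(".", 1)[-1] if "." in real else ""
        if tld in UNEXPECTED_CCTLDS:          # sign 3: unexpected country code
            findings.append((href, f"foreign address: ends in .{tld}"))
    return findings

# Constructed sample message (not a real mail) mirroring the post's chasebank.kp example.
SAMPLE = ('<p>Please sign in at <a href="http://www.chasebank.kp/login">www.chase.com</a> '
          'or <a href="https://www.chase.com/help">contact support</a>.</p>')
```

Running `check_links(SAMPLE)` reports the first link twice (hidden link and foreign address) and the second not at all; a mail gateway or user-facing "why was this flagged" banner can be built on the same two checks.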

The preceding points should help you recognize a potential phishing attempt. But they are just signs. Some phishing attempts (usually called “spear phishing”) are uniquely targeted and well crafted. Vigilance is the best defense. So train your workforce to look out for these signs and “Don’t be too quick to click!”