Q: It seems like every day I hear about a new security threat. With phishing scams on the rise, I want to educate my SMBs on how to avoid it. Most of my customers have only the most basic knowledge regarding security practices, so I want to teach them in a way that won’t overwhelm them with information. What are the most important things my customers should know about phishing attacks?
Congratulations on taking the next step to enabling your SMB customers for success. Knowledge is the best way to avoid falling for a phishing scam, so use current news stories to help start the conversation with your customers about the importance of email security. Most phishing victims don’t realize what has happened until it’s too late, so giving SMBs context for the threat will help prevent them from being the next victim.
To find out more about how to recognize a phishing scam, we consulted Senior Partner Support Engineer, Paul Hanley. Paul works closely with our partners and stays up-to-date on all the latest security threats and trends. His tips and tricks can help your MSP employees and SMB customers learn how to avoid phishing attacks.
What is phishing?
Phishing is a way for hackers to gain protected information, tricking people into giving away bank credentials, social security numbers, passwords, and more. That’s why phishing emails are considered a main vehicle for identity theft. They look legitimate, and most people don’t realize it’s a scam until it’s too late. Phishing can be categorized in two different ways:
-General phishing is sent in a blast for multiple people and acts like a boilerplate trying to attract someone to click and enter pertinent information.
-Spear phishing is more direct, and a specific person (or specific group, such as executive, HR, or finance staff) is identified and targeted. The person of interest is sent an email from someone they trust asking for sensitive information. The majority of the time, the email comes from high-profile individuals, such as the CEO emailing someone in the finance department for account information.
Phishing isn’t necessarily as profitable as ransomware, but the value isn’t in the money—it’s in the information. The social security numbers, passwords, and any other information acquired in a phishing attack could be sold to someone else. Phishing attacks can cause more wide-ranging damage than ransomware because your information can be used to give someone a new identity or open up lines of credit in your name.
Recognizing phishing attacks can be quite difficult because they usually look like emails coming from a trusted source. But there are some warning signs that give it away if you know what to look for.
- The email will be asking for personal information. It might say something like your password has expired, please update it here by clicking this link (directing you to a spoofed website).
- Most phishing scams have grammar errors. This could be one misspelled word or random capitalizations in the emails. The errors are usually very subtle, and often resemble something that would have come from a trusted source.
- Many phishing emails will have the proper banners edited into the emails to make them more convincing, but they may be one or two shades off. This can trick users into thinking they are corresponding with Bank of America, Quicken Loans, or even the Federal government.
- The hyperlink goes somewhere else. Anyone can change the hyperlink in an email to say something completely different. Before you click, hover over the link to check where it will really take you.
- Beware of anything before the forward slash. Adding periods or dashes before the forward slash tricks people into clicking the link because it looks like the right URL at first glance. For example http://payapl.com-stz.info/ isn’t going to paypal.com. By adding periods or dashes before the forward slash or using a misspelling that’s hard to spot, it takes users to a different domain.
When it comes to phishing, the user is both the strongest defense and the weakest link. Hardware and software can only go so far to protect your systems, but if the user is knowledgeable, phishing can be more preventable.
Everyone receives phishing emails, so protecting yourself from an attack is important. Follow these best practices to reduce your chances of falling for a phishing scam.
- Keep phishing training up to date. Have your SMBs and employees take phishing training annually or biannually to familiarize themselves with threats. Educated users are harder to trick.
- Don’t click on any suspicious emails. If you’re not expecting an email—don’t click! Instead check with the individual it came from (e.g. contact them on the phone or send them an instant message) and confirm the request before sending personal information. If the email is from a bank or another organization, navigate to their website in a separate browser to make sure you are going to the correct domain.
- Take the time to look at the details. Phishing scams are so detrimental because if you miss one simple spelling error or don’t check a link, you could be in trouble. Most scams come from places you would normally trust, causing you to fill in the information without thinking about it. This is how cybercriminals prey on your trust.
- Keep your information compartmentalized within your organization. If your employees don’t need information to complete their job, don’t give them access to it. Running your business on a less privileged basis will help minimize the chances of leaking confidential information.
Avoiding phishing scams from happening is no easy task. The best thing you can do for your SMBs is to educate them. If you educate them, they will be more likely to take the necessary precautions when they receive a suspicious email, and that will save both you and your customers time and money in the end.
Ask Intronis is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between. Submit your questions by emailing AskIntronis@intronis.com.