What is Phishing and Why Should I Avoid it?
While the security landscape is always changing, one trend that remains consistently top of mind is the threat of social engineering. According to the 2018 Verizon Data Breach Investigations Report, social engineering is the third most prevalent attack type in terms of volume – and of all those attacks, phishing makes up for 98% of the total.
Phishing is a fraudulent attempt made by a cybercriminal to obtain user information while disguised as a trusted source. Have you ever received one of those emails where you can redeem $1,000,000 “RIGHT NOW” by clicking on the link? Yeah, that’s a phishing scheme and we’ve all experienced it. And while the threat of phishing isn’t new, the sophistication of the attacks is. Phishing continues to appear in over 90% of all data breaches because hackers have advanced their campaigns to feel authentic, tricking informed users without even realizing.
No More Phishing!
We are in the midst of the holidays; our inboxes are filled with more emails than ever and the digital advertisements seem to never end. Hackers are aware of this influx of information on the end user and capitalize on the opportunity when we do not have the time to check the security credentials of a website twice. How can you truly know which of these sites are legitimate and which are fraudulent? That’s why we thought now was an opportune time for 5 quick tips to help you prevent phishing schemes during the holidays and all year-round:
Tip 1: Focus on Education
Most users in a phishing scheme do not fall into the trap, which is great news from a security perspective. However, the average success rate of a phishing campaign remains at about 4% – and it only takes 1 person for malicious phishing to be effective. If that person is an employee in your business, you now face the risk of malware downloaded inside your company’s firewall. Or if that user is yourself, you now face the risk of the cybercriminal accessing your personal applications. For both circumstances, education on the phishing landscape is the first step.
Consider internal trainings with your organization, running internal phishing tests with your employees to see who clicks, staying on top of the latest phishing attacks in the news, and understanding what the new techniques look so you’re aware of the tactics before they happen to you.
Tip 2: Investigate the Source
While phishing can take form in a variety of mediums, even including password managers, the most common form of phishing is through email – which accounts for approximately 96% of the total. There are a few easy practices to determine whether an email is legitimate or fraudulent; the first being: do you recognize the sender? Take a look at the sender’s email address, especially the domain of that email address. Ensure the email domain is from a source you trust, and that the trusted source you believe it to be is spelled correctly.
Second, consider how you are addressed in the email. A trusted source will likely use an email automation technology that has your contact information, so their email will address you by your name. However, phishers cluster a large amount of email addresses into one outbound email in the hopes of just catching one user, so they will likely address the email with a vague salutation such as “Dear Sir,” “Madam” or the like.
Finally, evaluate the call to action of the email. What is the sender asking you to do? As I mentioned previously, if you need to act RIGHT NOW to receive an unrealistic offer, the chances are it’s not legitimate. And also consider whether the email is asking you to download a file, as this is a prime opportunity for a hacker to install malware on your device. Bottom line: do not click or download anything that seems suspicious even in the slightest.
Tip 3: Never Provide Your Personal Information
The motives for phishing are split between financial and espionage. To avoid either, an easy best-practice is to never provide your personal information online to any source you don’t trust. Many phishing schemes will try to get you to enter your credit card information or personally identifiable information (PII) in some way or another. Before doing so, evaluate the source of the site asking to do so. Ensure the URL begins with “HTTPS,” look for a security certificate, and check whether your anti-virus, anti-malware, or firewall software does not flag any concerns.
Tip 4: Have a Remediation Plan
In the event that you or your organization does fall victim to a phishing scheme, make sure you have a mitigation plan to detect and respond to the attack. You can do this by running a scan of your device with your anti-virus software to detect any malware, as well as contacting your credit card provider to put a freeze on your account.
Another security must-have in the event of phishing is to change any passwords to accounts you believe may have been compromised. Leverage a password generator tool, such as LastPass, to create a strong password that will be impossible for a cybercriminal to guess.
Tip 5: Leverage LastPass!
Speaking of passwords, LastPass can help make all of the above tips a little easier and help you prevent phishing schemes during this busy holiday season.
Cybercriminals build fraudulent websites and offers that are similar to legitimate ones, with the goal of tricking users who accidently mistype the URL or are not paying complete attention. This risk is eliminated through the LastPass extension, which navigates to the trusted webpage for you as the URL is already saved in your vault. There’s no chance in mistyping the URL, because there’s no URL you need to type!
But you may be asking, how does LastPass determine whether the URL is authentic or not? This is because LastPass only stores login information for sites that you have saved in your vault. So, if you do happen click on a phishing email, LastPass will not auto-fill your user name and password as it’s not a site the product recognizes. Therefore, if you do not see the LastPass icons in the form fields for the site, you have another indicator that the site is fraudulent.
Let LastPass Prevent Phishing for You This Busy Holiday Season
While the holiday season will only continue to get busier, LastPass is here help make your online security a little easier. Use LastPass to automatically fill your user name and password for the websites you visit and leverage the LastPass icon to access your vault, so you can continue your online shopping while we stop phishing season in its tracks.