You've been on the internet for a while, so odds are you know how to spot a dodgy email. While you're probably able to flag the infamous Nigerian Prince scam, you may find it harder to catch the more sophisticated phishing attacks that come your way.
Phishing, smishing (text or SMS), and vishing (voice call) attacks have been on the rise with no signs of slowing down. Last year’s sudden shift to millions of people working from home was like ringing a dinner bell for cyber criminals. Why? Because these malicious threat actors are hoping your home security isn’t as strong as the security controls your organization has in place – and weaker security means easier access to your most sensitive data.
Don't let yourself fall victim. Let’s look at some phishing tips you can use to help you stay secure, at both work and home.
Carefully review messages from all channels
Although email is the primary vector for scams, threat actors are becoming much more comfortable with other methods too. Phishing links, credential harvesting sites, and other forms of social engineering can come through a suspicious text, an odd message through your social media account, or a weird phone call to either your personal or work phone line.
To stay one step ahead, it’s important to use the same caution and skepticism regardless of where the message comes from.
Make a habit of double-checking a sender’s email address
Many times, malicious threat actors can imitate an email address to look almost identical to the impersonated sender at first glance. Check that the domain name (the text following the “@” symbol in an email address) matches what you would expect from the sender. What may look like <janesmith@yourbank.com> may actually be <sketchy@dodgycompany.com>.
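The domain check above is easy to get wrong by eye because a mail client shows the display name, not the mailbox. Here is an added example (not code from the original post) of doing the same check in Python with the standard library’s header parser, so that a display name of “janesmith@yourbank.com” wrapped around a mailbox at dodgycompany.com is caught. The sample headers and the expected domain are constructed for the example.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the real mailbox in a From: header.

    parseaddr() separates the display name (which an attacker controls and
    can fill with a look-alike address) from the angle-bracketed mailbox
    that the message actually came from.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""  # malformed or empty header: treat as no domain
    return address.rsplit("@", 1)[1].lower()


def sender_matches(from_header: str, expected_domain: str) -> bool:
    """True if the mailbox domain is the expected domain or a subdomain of it.

    Suffix matching is anchored on a leading dot, so
    'yourbank.com.dodgycompany.com' does not pass as 'yourbank.com'.
    """
    domain = sender_domain(from_header)
    expected = expected_domain.lower()
    return domain == expected or domain.endswith("." + expected)


# Constructed sample headers, the kind the article warns about.
SAMPLES = {
    'genuine': '"Jane Smith" <janesmith@yourbank.com>',
    'display_name_spoof': '"janesmith@yourbank.com" <sketchy@dodgycompany.com>',
    'suffix_trick': '"Your Bank" <alerts@yourbank.com.dodgycompany.com>',
    'lookalike': '"Your Bank" <alerts@your-bank.com>',
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:20} domain={sender_domain(header)!r:40} "
              f"ok={sender_matches(header, 'yourbank.com')}")
```

Only the first sample passes; the display-name spoof is the case a quick glance at the inbox is most likely to miss, since the client may render only the quoted name.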
Pro tip: If you receive a suspicious text from a number with only a few digits, that is a sign the message was sent by an automated email and could be a scam. Make sure to be cautious of links sent in phish-y texts too, as they can infect your mobile device.
Trust your intuition
Cybercriminals look for ways to latch onto the trust you have already established in reputable companies, friends, family, and even coworkers. If you receive a message from someone you trust and know, but it seems out of character or has an ‘urgent request’, there is a chance their account was hacked and someone is fraudulently using their credentials to send messages.
Verify the message by contacting them directly using another form of communication you trust before taking any action. If you are concerned about the security of a coworker’s account, you should reach out to your Security or IT teams for help.
Your password manager can help you identify phishing sites
We know that using a password manager to generate and store unique, long passwords is a must for a strong security posture. But did you know your password manager can help flag a phishing website for you too?
Let’s say you receive a well-crafted phishing email that appears to come from your bank. It looks totally legitimate, so you click the link in the email, are redirected to what appears to be your bank’s website, and are met with a request to log in with your credentials. If your password manager typically auto-fills your credentials on that site but fails to do so, that’s a sign your password manager doesn’t recognize the URL and you could be on a phishing site. Paying attention to this detail could make the difference between keeping your account and handing its credentials to a hacker on a silver platter.
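The reason the auto-fill fails is that a password manager compares the host of the page you are on against the host it stored the login for, and a phishing page is on a different host no matter how convincing it looks. The following added example (not from the original post or any particular password manager) shows that matching in Python: a constructed vault keyed by host, and a check that returns which stored logins would be offered for a given URL. It assumes the common rule that a stored host also matches its subdomains, and it uses urlsplit so that a URL padded with a fake “user@” part or a port is still judged by its real host.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: stored login host -> username.
# A real manager stores far more (URL, password, notes); only the host
# matters for the matching decision shown here.
VAULT = {
    "yourbank.com": "janesmith",
    "mail.example.net": "jane.smith",
}


def page_host(url: str) -> str:
    """Extract the real host of a URL, ignoring userinfo, port and path.

    urlsplit().hostname already strips 'user@' and ':port', so
    'https://yourbank.com@dodgycompany.com/' resolves to dodgycompany.com.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_matches(page: str, stored: str) -> bool:
    """Exact host or a subdomain of the stored host, anchored on a dot."""
    return page == stored or page.endswith("." + stored)


def autofill_candidates(url: str, vault: dict = VAULT) -> list:
    """Return the usernames the manager would offer to fill on this page.

    An empty list is the 'manager stays silent' signal the article describes.
    """
    host = page_host(url)
    return [user for stored, user in vault.items() if host_matches(host, stored)]


# Constructed URLs: one genuine page and several phishing-style look-alikes.
URLS = [
    "https://www.yourbank.com/login",
    "https://yourbank.com:8443/account",
    "https://yourbank.com.dodgycompany.com/login",
    "https://yourbank.com@dodgycompany.com/login",
    "https://your-bank.com/login",
]

if __name__ == "__main__":
    for url in URLS:
        print(f"{url:50} -> {autofill_candidates(url) or 'no match'}")
```

Only the first two URLs get a fill offer. The third and fourth are the cases that fool people most often: the genuine domain is visible in the address bar, but as a subdomain or as the userinfo part of an address whose real host is elsewhere.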
Be cautious of blindly accepting multi-factor authentication (MFA) prompts
MFA is a second layer of security that adds a step to verify your identity. For example, say you attempt to log into a personal online banking account. To confirm the login attempt is you and not someone maliciously using your credentials, you are prompted for your username and password, followed by another form of verification – either a code sent to the mobile phone number associated with your account or a code from an authenticator app.
If you receive an MFA request but did not log into an application or website that prompted it, you should immediately ignore or deny the request and change your password to prevent further attempts to get into your account.