While you may be aware that cybercriminals want to break through the defenses of your computer, you may not realize that the most popular form of attack involves phishing, or the sending of disguised email (“phish” is pronounced “fish”). Phishing is popular among cybercriminals because it is much easier to trick an email user into clicking a malicious link or downloading a malware-infected attachment than it is to break into a computer system. Phishing can also take the form of text or instant messages.
At the heart of successful phishing is social engineering, or the art of manipulating, influencing, or deceiving you to gain access to and/or control of your computer system. One type of phishing email creates a sense of urgency by demanding immediate action to change your password, respond to a security alert, follow up on a bank or credit card issue, address an IRS inquiry, or respond to a delivery problem with UPS or FedEx. Another type of phishing email attempts to lure you with a reward such as a new computer or lavish prizes. According to a study by Symantec, by the end of 2017 the average user was receiving 16 malicious emails per month, and many of these emails look like they are from people you know.
When you make the mistake of clicking on a phishing email link, you are redirected to an official-looking website for the IRS, your bank or credit card company, PayPal, Microsoft, UPS, Amazon, Dropbox, DocuSign, etc. Unfortunately, you have followed a link to a cloned version of a legitimate website—and it is often hard to recognize the difference. After you enter your username and password (and perhaps also your social security number and other sensitive information), the cloned website collects the information and the cybercriminal then uses the data to access your account(s).
If that wasn’t bad enough, phishing emails may also contain innocent-looking files that you unfortunately download. Once on your computer, the malware-infected files execute their embedded code. The most common form of malicious code is ransomware, with over 90% of phishing emails containing some form of ransomware. According to Cryptonite, healthcare organizations saw an 89% year-over-year increase in ransomware attacks from 2016 to 2017, and that trend is expected to continue. Not only do you have the expense of a ransomware attack, but you also run the risk of never getting your data back—one in five who paid the ransom never received their data back, according to statistics by Kaspersky Security Network.
Since the impact of phishing scams can be substantial, it is critical to avoid becoming a phishing statistic. Here are the steps you can take to protect yourself.
- Do not click on links inside of an email. Cybercriminals have become much more sophisticated, and many of their phishing emails look like they come from people you know. While you will still see some phishing emails loaded with misspellings, many fraudulent emails are tough to detect. The safest bet is to go directly to the source, such as your bank or insurance website, instead of clicking a link.
- Do not open or download files unless you are expecting the email. Always ask yourself if the email attachment makes sense before you open it (in addition to reviewing the email to make sure the content and contact information are accurate).
- Remember that the IRS will never call, email, or text you, nor will the IRS request personal information, PIN codes, or passwords. The IRS sends correspondence by mail. When you receive any inquiry from the IRS, please alert Fluence immediately.
- Verify requests for information with a phone call. Do not respond to emails or texts from your bank, credit card company, or other institutions requesting updates to your personal information. Never provide personal, credit card, or bank information to anyone who calls you. Always verify requests by contacting your bank or credit card company directly. Remember, cybercriminals will push hard to get this information.
- Do not post personal data. Avoid listing your birthday, vacation plans, address, phone number, or financially sensitive information on social media. Also, be wary of pop-up windows that seem like legitimate parts of a website; many times these pop-ups are phishing attempts to gain personal information.
- Work with your IT provider to establish anti-phishing policies and training. This includes keeping your browser, operating system, and antivirus software up to date. Also, ask your IT provider about running phishing simulation software that can test and assess everyone’s ability to detect and avoid phishing scams.
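The first tip above (do not click links inside an email) rests on a simple fact: the text you see in a link is not necessarily where the link actually goes, and a cloned site is often reachable only through that hidden destination. As an added, defender-side illustration that is not part of the original page and is not a Fluence tool, the following Python script reads an HTML email body, lists every link with its visible text, and flags links whose visible address differs from the real destination, points at a bare IP address, or is not HTTPS. The email body, hostnames and IP address are constructed for this example (reserved `.test` names and a documentation-range IP); the check is a teaching aid, not a substitute for simply typing the institution's address into your browser.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not taken from the page). It contains:
#  1. a link whose visible text and real destination agree,
#  2. a link whose visible text shows one site but which really goes to a
#     look-alike host (the pattern behind "cloned" login pages),
#  3. a plain-HTTP link that points straight at an IP address.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.example-bank.test/login">https://www.example-bank.test/login</a>
<a href="https://example-pay-secure.test/verify">https://www.example-pay.test/verify</a>
<a href="http://203.0.113.5/update">Update your details</a>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only collect text while we are inside an <a> ... </a> pair.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or of a URL-looking string ('www.x.test/...')."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _registrable(host):
    """Last two labels of a hostname; sufficient for this illustration."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_links(html):
    """Return [(href, visible_text, reasons)] for every link in the HTML body.

    `reasons` is an empty list when nothing about the link looked suspicious.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = []
        real = _host(href)
        # Only compare when the visible text itself looks like an address.
        shown = _host(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
        if shown and _registrable(shown) != _registrable(real):
            reasons.append(f"visible text says {shown} but link goes to {real}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            reasons.append("destination is a bare IP address")
        if href.lower().startswith("http://"):
            reasons.append("destination is not HTTPS")
        results.append((href, text, reasons))
    return results


def suspicious_links(html):
    """Only the links that triggered at least one reason."""
    return [entry for entry in assess_links(html) if entry[2]]


if __name__ == "__main__":
    for href, text, reasons in assess_links(SAMPLE_EMAIL_HTML):
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {href}  (shown as: {text!r})")
        for reason in reasons:
            print(f"            - {reason}")
```

Run against the constructed body, the script marks the first link as fine and the other two as suspicious. A mismatch between what a link shows and where it goes is exactly what a reader cannot see at a glance, which is why the advice is to navigate to the institution directly rather than to trust the email.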