How to Protect From an Email-Based Phishing Attack?
You probably received at least once an email like this:
“Your account will soon be disabled for security reasons, please confirm your identity to continue using it.”, followed by a link you’re supposed to go to that would lead you to the website where you could “confirm your identity” and continue using the account.
I hope you didn’t actually do this, as this is one of the most common scams on the Internet and it’s called an email phishing attack.
There’s nothing wrong with your account and it won’t be disabled for any “security reasons”. In fact, the website that supposedly sent you the email isn’t even the website it claims to be, but a fake one.
According to the 2020 Verizon’s Data Breach Investigations Report (DBIR), of all the data breaches in 2019, 22% involved phishing.
Businesses and individuals lose millions and more due to phishing attacks and if you don’t want to join their ranks, it’s important to know how to protect yourself from an email phishing attack.
How to Recognize an Email Phishing Attack?
But first, how to know if the email is legitimate or an email phishing attack?
Phishing attacks can come via email, malicious website, or phone. However, 96% of them come from email.
The three most common types of an email-based phishing attack are:
- Regular phishing attack
Regular, or “deceptive” phishing is the most common type of phishing attack. In it, the scammers impersonate a legitimate company or organization in order to obtain their victim’s personal or financial data or login details.
- Spear-phishing
The spear-phishing attack is a much more focused version of a regular email phishing attack in which, instead of a generic “Dear Sir/Madam” greeting, they use the victim’s name, company they work for, position, or some other information to make the email scam more legitimate.
Spear phishing is responsible for 95% of successful attacks on business networks.
- CEO fraud
The CEO fraud targets executives, such as CEOs, in a company. This can be a very sophisticated fraud and it requires that the attackers first do some social engineering and find the most promising person in the company to impersonate. This will usually be an executive on vacation or similar.
Once the fraudsters know what executive to impersonate (usually by creating a fake email), they next need to find an employee within the company they can manipulate. This will “ideally” be someone with authority to make money transfers and who is also new to the company.
The criminals next need to contact the employee, via spoof email, impersonating as their “boss” and request an “urgent wire transfer”, or some other sensitive information like W-2 info on the employees.
Finally, the scammers just need to wait for the employee’s response.
How to Protect Against an Email Phishing Attack?
Now that you know what kinds of email phishing attacks to expect, what are some tactics you can use to protect your email account, and more importantly, your data and your company’s data?
- Read the email carefully before replying
Don’t fall for threats in the email. It’s not “urgent” at all. That’s just a ploy to scare you into doing something (like disclosing your personal data) by the cybercriminals.
Instead, read it carefully.
Do you see anything suspicious? Perhaps the email address is wrong, or the URL. Maybe the message is filled with typos and grammar errors, or the greeting is generic. These are all tell-tale signs that the email is best left ignored.
- Use HTTPS
Although using Secure Socket Layer, or HTTPS is no longer a guarantee that the website is secure (according to APWG report, via Pixel Privacy 74% of phishing websites found in Q1 2020 had an SSL certificate), you are still safer using an HTTPS than an HTTP site, especially when you need to reveal your personal or financial information online.
- Use anti-phishing security software
Using a good antivirus and anti-phishing security software will help you a lot fighting it and protect you against an email-based phishing attack. Take a look at this post to see our picks for the best anti-phishing solutions you can use to protect your email.
- Make sure you have a clear policy and procedures for handling sensitive data
This is especially important for organizations that handle large amounts of customer data. It’s much easier for cybercriminals to steal this data if there are no clear procedures as to how it’s supposed to be handled and shared.
Make sure that only certain people have the authority to share customer and other sensitive data. If you do this, the scammers will have much less chance to steal it from you.
- Report phishing activity
Reporting a phishing attempt or other suspicious activity is important for increasing the company’s security.
If you are employed in the company, you can usually report the phishing attack to a higher up. You might need to file a written report, but this is important. Do this even if you handled the attempt already as someone else might not be as vigilant as you were.
On the other hand, if you receive a phishing email as an individual from a large website (like Facebook or Amazon), you can also report the email phishing attack by forwarding it to them. The email address you need to forward it to will usually be something like [email protected].
- Educate and train yourself and your employees to recognize a phishing attack
Not everyone knows how to recognize and respond to a phishing email. That is why you need to educate both yourself and your employees on how to do this. That way, you won’t be caught on the wrong foot by the fraudsters and give them any sensitive data.
- Use a secure email service
Regular email services like Gmail, Outlook and YahooMail today do a solid job of keeping spam away from your inbox, but won’t really protect you against phishing attacks, especially those more sophisticated ones.
This is why you need to use a more secure email service, like CTemplar offers. One of the features of CTemplar: Armored Email that can keep phishing at bay is the anti-phishing phrase you can set up to show in your account. This will alert you of any phishing attempts.