Every organization should have a security awareness program. If you don’t have a proper security awareness program, start preparing to run one. One area to start with is instruction on the dangers of phishing.

A phishing attack is simply a message or website that appears genuine but is designed only to look convincing. Usually, many of the underlying functions do not actually work (such as the unsubscribe button in an email or the login form of a website).

Many spam or bulk email messages flagged for abuse contain variations of phishing. Attackers bait users by fishing for personal information, usually banking details or account information.

If you click a link, always check the link’s domain to make sure you go to the real website, not some quick mockup designed to steal your information. For example, make sure you’re visiting google.com instead of google.somewebserver.hacker.com.ru.
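To make that domain check concrete, here is an added example in Python (not code from the original post) that extracts the host a browser would actually connect to and compares it to the expected domain on a label boundary, so lookalike hosts such as the one above are rejected. The sample links are constructed for illustration.

```python
from urllib.parse import urlsplit


def connecting_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit() discards the scheme, any user:password@ prefix, the port,
    the path and the query, so "https://google.com@hacker.example/x"
    yields "hacker.example", not "google.com".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    host = parts.hostname  # already lowercased; userinfo and port removed
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def link_points_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it.

    The comparison is made on a label boundary: the host must equal the
    expected domain exactly or end with "." + expected_domain. That rejects
    "google.com.ru", "notgoogle.com" and "google.somewebserver.hacker.com.ru".
    A visually similar but different registered domain (e.g. g00gle.com)
    is a separate registration and is not detected by this check.
    """
    host = connecting_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


# Constructed sample links in the spirit of the post's example.
SAMPLE_LINKS = {
    "https://www.google.com/accounts": True,
    "http://google.somewebserver.hacker.com.ru/login": False,
    "https://google.com@hacker.example/login": False,
    "https://google.com.ru/": False,
    "https://notgoogle.com/": False,
    "https://GOOGLE.COM:443/": True,
}


def check_samples(expected_domain: str = "google.com") -> dict:
    """Run every constructed sample through link_points_to()."""
    return {u: link_points_to(u, expected_domain) for u in SAMPLE_LINKS}
```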

Best practices for defending against phishing attacks include:

  • Do not open attachments from emails you aren’t expecting.
  • Do not click links from unsolicited or unexpected emails.
  • Do not respond to threats from emails. If you have a legitimate concern about the status of your account or whatever is being threatened, contact the company you do business with directly.
  • Do not submit strange forms (surveys requiring unnecessary personal information).
  • Do not email personal or sensitive information.
  • You did not win the lottery without playing. You also did not randomly receive a personal government grant (impossible), nor any other windfall that’s too good to be true.

What phishing awareness measures do you take or email safety tips do you give your organization?

Resources
Phishing by OnGuardOnline
Protect Yourself from Phishing by Microsoft
Phishing Information by the FTC