Chances are high that you’ve recently received a phishing email in your inbox. Did you detect it as a fraud immediately?
Phishing is a fraudulent attempt to trick individuals into sharing personal and sensitive information. The attempt typically involves a crafted email with hyperlinks to a website intentionally created to collect information from unsuspecting victims. An attacker may be sending out a generic phishing email to a large number of individuals in order to compromise unwary recipients, or he or she may be targeting you or your organization specifically known as ‘spear phishing’ due to the focused nature of the attempt.
To pull off a successful spear phishing campaign, the attacker will research details about you and your organization to find valid names (including executives or business partners) and other phrases to use such as project and organization names. The attacker may have even compromised the account of someone you do business with so they can craft emails from their account.
Are you up to the task of defending yourself and your organization against these attacks? Here are tips on what to watch for and how to respond.
1. Think Before You Click
a. Always be careful before clicking on any content in an email, including links and attachments.
b. In some cases a single click is all that is required for your machine to be compromised.
b. Take note of any irregularities in the sender. Double check the domain name, recipient list, subject line, message, etc.
c. Inspect the destination of a hyperlink. You can do this by hovering over the link with your mouse or a long-press on a mobile device. When you hover over a link, you can preview the destination.
2. Keep an Eye on Shared Documents
a. Invitations to view shared documents are a common attack strategy. Beware any such emails. On Google Apps, legitimate sharing messages will come from either firstname.lastname@example.org, or the email of the person sharing the document.
3. Know Your URLs
a. Never enter your Google account credentials on anything other than the actual Google login page. Look closely at the URL bar. Here is what it looks like:
4. Report Anything That Looks Phishy
a. Click the Report Phishing (when available) or Report Spam options in Google Mail to alert Google of the email so they can identify and block related emails for other recipients.
5. Unsure if Phishy? Use this Checklist
a. If the email appears to be directly targeting your organization in some way, or you’re just not sure if it is safe, here are a few tips to follow:
I. If the purported sender is someone you know, contact him or her directly to verify if he or she sent the email. Contact this person through a method other than email. If his or her email account has been compromised, an imposter can simply reply in the affirmative to any email response you send.
II. Forward a copy of the email to your organization’s security team or IT help desk so they can help assess and respond to the situation.
6. Did You Fall For It?
a. If you believe you may have fallen victim and provided your account credentials or other sensitive information through a phishing site, please report it immediately. Your support or incident response team will walk you through the steps you should take, including changing your password and looking for suspicious activity on your account
7. Arm Yourself with These Tools
a. Don’t reuse your Google account (or any other important account) password on other sites. 2-Step Verification on Google accounts makes it harder for an attacker to access your account, but it doesn’t prevent them from using that password to access other accounts where the same password may be used. Having trouble keeping track of more than one password? You’re not alone. Use a password manager!
It is incredibly important to be diligent when it comes to defending against phishing attacks. You can do it! Ready for some practice? Test your abilities to identify a phishing website with the OpenDNS Phishing Quiz.
Click here to learn how to detect for phishing emails in Office 365.