You have probably received an email like this at least once:
“Your account will soon be disabled for security reasons. Please confirm your identity to continue using it.” It is followed by a link you are supposed to click, which leads to a website where you can “confirm your identity” and keep using the account.
I hope you didn’t, because this is one of the most common scams on the Internet: an email phishing attack.
There is nothing wrong with your account, and it will not be disabled for any “security reasons”. The website that supposedly sent the email is not the one it claims to be but a fake, and the “confirmation” form exists only to collect your login details.
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of the data breaches it analyzed from 2019 involved phishing.
Businesses and individuals lose millions to phishing every year, and if you don’t want to join their ranks, it’s important to know how to protect yourself from an email phishing attack.
How to Recognize an Email Phishing Attack?
But first, how do you tell whether an email is legitimate or a phishing attempt?
Phishing can arrive by email, through a malicious website, or over the phone, but 96% of it arrives by email.
The three most common types of email-based phishing attack are:
- Regular phishing attack
Regular or “deceptive” phishing is the most common form. The scammers impersonate a legitimate company or organization, usually in a bulk mailing with a generic greeting, to obtain the victim’s personal or financial data or login details.
- Spear-phishing
Spear-phishing is a much more focused version of the regular attack: instead of a generic “Dear Sir/Madam” greeting, the email uses the victim’s name, employer, job title, or other details gathered beforehand so that the message looks legitimate.
A frequently quoted figure attributes 95% of successful attacks on business networks to spear phishing.
- CEO fraud
CEO fraud impersonates an executive, such as the CEO, of the target company. It can be a sophisticated operation: the attackers first do reconnaissance and social engineering to pick the most promising person to impersonate, typically an executive who is travelling or on vacation and therefore hard to reach for confirmation.
Once they know which executive to impersonate, they set up a spoofed or look-alike email address for that person and look for an employee they can manipulate: “ideally” someone with the authority to make payments who is also new to the company and unlikely to question the request.
They then contact that employee from the spoofed address, posing as the “boss” and requesting an “urgent wire transfer” or sensitive information such as the employees’ W-2 forms.
Finally, the scammers wait for the employee to comply. The defence is procedural: any emailed request for a payment or for personnel data should be confirmed with the requester over a second channel, such as a phone number already on file, never by replying to the email itself.
How to Protect Against an Email Phishing Attack?
Now that you know what kinds of email phishing attack to expect, what can you do to protect your email account and, more importantly, your data and your company’s data?
- Read the email carefully before replying.
Don’t fall for the threats in the email. Nothing is “urgent”; the urgency is a ploy to scare you into acting (disclosing your data, opening an attachment, sending money) before you think.
Instead, read it carefully.
Is anything suspicious? The sender’s address may not match the organization it claims to be from, or a link may point somewhere other than where its text says (hover over it, or long-press on a phone, to see the real destination before clicking). The message may be full of typos and grammar errors, or the greeting may be generic. These are all tell-tale signs that the email is best ignored.
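The checks just described can be automated against the raw message rather than eyeballed. The script below is an added example, not code from the original post or from Keila: it parses an RFC 5322 message with Python’s standard library and flags a sender address that does not belong to the brand named in the display name (including look-alike domains), a Return-Path from a different domain than the From header, links whose visible text names one site while the href goes to another, and pressure language in the subject or body. The KNOWN_BRANDS table and both sample messages are constructed for the example; the domain examplebank.com and its look-alike examp1ebank.com are placeholders.

```python
"""Heuristic checks for the tell-tale signs of a phishing email (added example)."""
import email.utils
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands your users expect mail from, mapped to their legitimate domains.
KNOWN_BRANDS = {"examplebank": {"examplebank.com"}}

# Pressure wording typical of deceptive phishing.
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|disabled|verify your (?:account|identity)|within 24 hours)\b",
    re.IGNORECASE,
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header):
    """'Name <user@host>' -> 'host'; None when the header carries no address."""
    _, address = email.utils.parseaddr(str(header or ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme such as 'www.x.com/path'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered(host):
    """Naive registrable domain (last two labels); a real deployment should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyse(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw message; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_hdr = str(msg["From"] or "")
    display_name, _ = email.utils.parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)

    # 1. Display name invokes a known brand, but the address is not on one of its domains.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower().replace(" ", "") and from_domain \
                and registered(from_domain) not in domains:
            findings.append(f"display name claims {brand!r} but address domain is {from_domain}")

    # 2. Envelope sender (Return-Path) comes from a different domain than the From header.
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and from_domain and registered(rp_domain) != registered(from_domain):
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 3. Link whose visible text is a URL on one site while its href points to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        extractor = LinkExtractor()
        extractor.feed(html.get_content())
        for href, text in extractor.links:
            if re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
                shown, target = host_of(text), host_of(href)
                if registered(shown) != registered(target):
                    findings.append(f"link text shows {shown} but href goes to {target}")

    # 4. Urgency or threat wording in the subject or body.
    text = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += "\n" + body.get_content()
    hit = URGENCY.search(text)
    if hit:
        findings.append(f"pressure language: {hit.group(0)!r}")
    return findings


# Constructed sample: the scam from the top of the post, sent from a look-alike domain.
PHISH = b"""Return-Path: <bounce@mailer-xyz.example>
From: "Example Bank Security" <security@examp1ebank.com>
To: victim@company.example
Subject: URGENT: your account will be disabled
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be disabled for security reasons. Please confirm your identity within 24 hours.</p>
<p><a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: a routine notification that should pass every check.
LEGIT = b"""Return-Path: <notifications@examplebank.com>
From: "Example Bank" <notifications@examplebank.com>
To: victim@company.example
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready. <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(sample) or "no findings")
```

Running it reports four findings for the constructed scam (look-alike sender domain, mismatched Return-Path, link text pointing at a different host than the href, and the word “URGENT”) and none for the statement notification. These are heuristics, not proof: a message that passes all four can still be malicious, and a legitimate bulk mailer often uses a separate Return-Path domain, so treat the output as a prompt to look closer rather than a verdict.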
- Use HTTPS
HTTPS (HTTP over TLS, often still called SSL) is no longer any guarantee that a site is legitimate: according to an APWG report cited by Pixel Privacy, 74% of phishing sites found in Q1 2020 had a certificate, and the padlock only means the connection is encrypted and the certificate matches the domain in the address bar, not that the domain is the one you meant to visit. You are still safer on an HTTPS site than on an HTTP one, especially when entering personal or financial information, because a plain HTTP connection can be read and altered by anyone on the network path.
- Use anti-phishing security software.
Good antivirus and anti-phishing software will block many known phishing sites and malicious attachments, though not all of them. Look at this post for our picks for the best anti-phishing solutions to protect your email.
- Make sure you have a clear policy and procedures for handling sensitive data
This is especially important for organizations that handle large amounts of customer data. It is much easier for cybercriminals to extract that data when there are no clear procedures for how it is handled and shared.
Limit the authority to share customer and other sensitive data to the few people who need it, and require that any request for such data arriving by email be verified with the requester over another channel. The fewer people who can release data, the fewer targets the scammers have.
- Report phishing activity
Reporting a phishing attempt or other suspicious activity is essential for increasing the company’s security.
If you are an employee, report the attempt to your security team or a higher-up. You might need to file a written report, but this matters: do it even if you handled the attempt yourself, because someone else may not be as vigilant as you were, and the report lets the company block the sender and warn others.
As an individual who receives a phishing email impersonating a large company (such as Facebook or Amazon), you can report it to that company by forwarding the message. Most large companies publish a dedicated reporting address on their help pages, so check there rather than guessing, and forward the message as an attachment so the original headers are preserved. You can also forward it to the Anti-Phishing Working Group at reportphishing@apwg.org.
- Educate and train yourself and your employees to recognize a phishing attack
Not everyone knows how to recognize and respond to a phishing email. That is why you need to train yourself and your employees to do so, ideally with periodic simulated phishing emails rather than a one-off briefing, so that the fraudsters don’t catch anyone on the wrong foot and walk away with sensitive data.
- Use a secure email service
Mainstream email services like Gmail, Outlook, and Yahoo Mail do a solid job of keeping spam out of your inbox and block a great deal of phishing as well. Still, they will not stop every phishing attack, especially the more sophisticated, targeted ones.
This is why you should use a more secure email service such as Keila. One of the features of Keila: Armored Email that helps keep phishing at bay is the anti-phishing phrase you can set up to show in your account. This alerts you to phishing attempts.
Sign up for your Keila account today and protect your email data from phishing and malicious attacks.