Quick Ways to Spot Phishing Messages Targeting Your Business
Gone are the days when phishing attempts were easy to identify and limited to only emails. While malicious messages are nothing new, they’re becoming more sophisticated and harder to pick out from legitimate business communications. They are also coming at us through texts, social media chats and even phone calls.
A few simple actions with one of these messages can develop into a problem that spreads quickly across digital channels and devices, but there are things that you can do to defend against phishing attacks and resources that can help.
Vice President & Corporate Information Security Officer Jamie Neumaier knows a lot about tackling security threats. Jamie manages an information security team that works to ensure the people and systems at Erie Insurance stay as safe as possible. He answered questions about phishing scams targeting businesses and offered some useful security tips.
What is Phishing?
Phishing is a malicious activity in which criminals try to gain access to a user’s information, data or devices. The goal is to get you to act without taking a moment to think, and when you do, the phishers may:
Gain access to data and information, which they can exploit.
Install malware on your system.
Prompt you to reveal your personal financial information for purposes of stealing money or your identity.
Access your email and send other malicious messages to your contacts, to exploit others.
Are Businesses Especially Vulnerable to Phishing Scams?
Yes. With more work being conducted digitally, businesses of all sizes are susceptible to attacks. Attackers also assume that small businesses do not spend a lot of money or effort on their security measures, making them a potentially easier target.
Phishers can easily find your contact information online and are counting on employees to at least open the email, because being responsive is part of doing business.
Phishing messages have also grown in sophistication, so it’s easy to be convinced to visit a malicious website or download an infected file that comes in a message that looks legitimate. If the “threat actor” happens to call, they can be very convincing in having you follow their detailed instructions in providing them your valuable information or installing their malware.
How do You Spot a Phishing Attack?
Phishing messages that are poorly written, offer you large amounts of money or ask you for financial assistance have been common for a long time. Most of us know not to open, click or respond to these messages. As mentioned above, phishing attempts aren’t limited to emails either. Hackers now use phone numbers like your mobile number to call you and attempt to have you reveal sensitive information. They may send you text messages as well.
More recently, phishing messages are being designed to look like other emails that you might receive. They may appear to be from someone you trust like a bank, friend, software provider, retailer or vendor, but usually, the timing of the messages is unexpected.
For instance, one common technique is for a hacker to gain access to an email account through a phishing attempt, then access the account and reply to a real email conversation with a malicious link. So, when the recipient receives this email, it looks like a continuation of an earlier conversation, but it asks the recipient to download a document or enter their credentials.
How Can Phishing Attacks be Prevented?
In the course of day-to-day business between you, your employees, customers, and other consumers in general, know what you’re working on. If you receive a message, phone call or email that is unexpected or seems even just a little bit off, verify the validity of the message before taking action. Call the person who appears to have sent the message and ask if he or she sent it. If the answer is no, it’s a malicious message.
Other Things You Can Do:
Enable multi-factor authentication (MFA) services on as many things as you can, such as your email. If you happen to fall for one of the phishers’ tricks, having this additional layer of protection significantly helps reduce their chances of taking over your email or other targeted accounts.
Keep your software and devices up to date. The latest updates for Microsoft Office products, operating systems, smartphone operating systems and third-party applications such as Adobe Reader contain patches that protect against the latest security issues.
Hover your cursor over a link in an email to show the URL. If it looks suspicious, don’t click on it.
Use modern endpoint protection software on your devices. It’s often provided by common and well-known security brands such as McAfee and Norton. Microsoft also offers endpoint protection for Windows and other applications.
Always back up your data, so that you can get back to business as quickly as possible should you fall victim to an attack. Test your backup processes periodically to ensure they are working as expected.
Educate your employees on good cybersecurity practices like how to identify phishing attempts and spam messages.
Look at the extension on Microsoft Word attachments. Most users have updated their Microsoft products so that Word documents end with .docx. If you see the antiquated .doc extension, question it.
Also, be aware that if you’re hit with an attack, you may not know immediately, and the first indication may be that your customers receive an unexpected message from you. Unfortunately, a customer calling to verify something you sent (but didn’t intend to) could be when you know you’ve been affected.
If customers call asking whether a message is legitimate, first confirm whether you sent that email, then offer them the same advice you use in your own business operations.
Did the customer expect to get that email?
Does the link or URL direct them to a legitimate, expected website address?
Does it ask them to open a suspicious document that they didn’t expect?
Does it threaten to disable access unless the user ID and password are given?
Answering those questions can help you both determine whether the message is safe.
Phishing is continuously changing and evolving as perpetrators adopt new techniques and forms, so it’s essential to have a good security plan in place and watch out for emerging attacks to help protect your business. A well-trained team that knows how to spot a suspicious message can also be a great defense against phishing attacks by enabling them to respond to an attack instead of just reacting with quick action.
The Right Protection for Your Business
Contact a trusted insurance advisor to learn about some of the smart and affordable ways to protect your business.
The insurance products and rates, if applicable, described in this blog are in effect as of January 2024 and may be changed at any time.