It’s Monday morning and you receive an email from your CEO requesting that you make an urgent wire transfer of $20,000 to your company’s newest client. Without second-guessing, you proceed with the transaction without further verification from your CEO. An hour later your CEO calls you and asks why you transferred a large amount of funds to an unknown source. You realize that you were a victim of phishing. Phishing has escalated in today’s business world and appropriate action needs to be taken to prevent it.

What is phishing?

Phishing is a form of social engineering, where attackers disguise themselves as another reputable individual or entity in order to gather information and perform unauthorized activities. Attackers usually try to obtain account information such as login credentials or bank account information. Other examples of phishing include malicious links without asking for any information, causing the victim to be infected when they are not aware. There are three different types of phishing, all categorized based on their target victims.

  • Standard Phishing – widespread attacks targeting standard users and consumers
  • Spear Phishing – attacks targeted toward certain individuals, involving personal identifiers
  • Whaling – attacks targeted toward higher up individuals, such as CEOs and executives – as with the example used above

Phishing Statistics

In 2016, there were 1,220,523 phishing attacks according to APWG, the highest amount recorded since 2004.

Photo from APWG 2016 Quarterly Report

Email is the most common way phishing attacks are carried out, but attacks can also be delivered by:

  • Phone calls
  • Text messages
  • Advertisements
  • Misleading URL links
  • Social Media messages

How to Prevent Becoming a Victim

Sometimes it can be pretty easy to spot a fake email or message, as they might include typos and lack professionalism. Other times it can be very difficult to determine if the message is legitimate or not, as the message may include basic information about your company or yourself. Even today, advanced technology such as firewalls cannot prevent all phishing attempts because of the vast amount of possibilities for phishing. The best way to prevent phishing attacks is user awareness and enforced policies. Always be wary when opening an email or text message. If the subject sounds like spam, there’s a pretty good chance it is – do not open it and disregard it. Some phishing emails can contain embedded viruses or ask you to click on a link that points to a deceptive site that is urgently asking for you to update your account information such as passwords, phone numbers, social security numbers, and more. Any company with good security will never ask for your password or sensitive information via email or text. If you are unsure whether a message is legitimate or not, always contact the message’s organization by phone to verify it.

Keep your data and your membership safe by follwing these five simple rules:

  1. Do not open or reply to suspicious emails.
  2. Never complete transactions solely by email.
  3. Verify the source of the message.
  4. Do not let your guard down even if the message identifies you or your company.
  5. Only enter sensitive data into secure websites that begin with https://.

As these attackers are usually one step ahead, it’s important your association is aware of phishing and whaling methods. What is your association doing to stay safe and secure?

Article written by:

Brandon Allison

IT Intern