9 Phishing Scam Prevention Tips
If you’ve spent time on the Internet or worked a desk job, you’ve likely heard the term “phishing” thrown around once or twice, but what does it mean? We’ll explain and provide nine phishing scam prevention tips so you know what to do when you encounter a phishing email and what to look out for if there’s a cybercriminal in your waters.
Phishing is a digital scamming method where a cybercriminal sends a malicious email in an attempt to persuade you to give information or interact with a dangerous link that could download malware onto your device.
Phishing has been going on for decades, and you would think by now we’d have a guaranteed, easy way to prevent it, but unfortunately, that isn’t the case. While much of your cybersecurity responsibilities fall onto your IT team’s shoulders, phishing scam prevention is something that every person in your company, including you, needs to be aware of and actively managing.
1. Beware of Social Engineering and Psychological Triggers
Humans are naturally social, wired to want to help other people. Cybercriminals know this and will exploit it for their gain.
This comes in the form of psychological triggers. They’ll likely tell you something is time sensitive and urge you to act quickly. These triggers could be anything from alerting you to a missed delivery to a prize you must claim immediately or forfeit the valuable item.
Cybercriminals are actively trying to trick you into acting before thinking. Once you get a chance to analyze the email deeper, you’ll start to see some of the signs of a phishing scam.
Consider these questions before interacting with a suspicious-looking email:
- Is the email pushing you to do something quickly?
- Is the text trying to make you take action?
The bottom line is if the email is pushing you to take immediate action, looks odd in some way, or simply seems too good (or bad) to be true, it usually is. Do not hesitate to contact your IT specialist or team about any suspicious emails. They have the expertise to quickly and definitively recognize if an email is phishing.
Asking your IT professionals to verify hundreds of emails is nothing compared to the difficulty and financial losses of rectifying issues after a successful phishing attempt.
2. Create Emergency Request Policies and Procedures
Just like in the first tip, cybercriminals may weaponize your emotions against you by masquerading their emails as company emergencies. Cybercriminals want the recipient to be too worried about their company’s well-being to notice any red flags.
Common objectives of these phishing emails include gaining login credentials, other insider information, or even asking for fund transfers.
To keep nervous or impulsive employees from being tricked into interacting with a phishing attempt, we recommend creating emergency request policies and procedures. Here’s what you should do:
- Specify when and how emergency requests will be made to employees and how to tell if a request is legitimate.
- Explicitly outline requests that will never be made, so they can immediately be marked as a scam. As an example, you’ll never be asked to buy several gift cards for the CEO or provide credentials by email.
- Set a sensitive information request procedure and make sure it needs to be verified with another party. This procedure can be as simple as, “If you get an email request from someone, contact them directly to ask about it.”
- Inform your employees about specific instructions for how they share sensitive information, like passwords, and with whom they can share them.
3. Train Your Team to Identify Phishing Attempts (and Test Them)
It’s likely your staff has been taught the basics of what to look for in phishing attempts, like grammar mistakes in emails. However, these mistakes aren’t always easy to spot.
Cybercriminals have noticed this and have begun improving their grammar using artificial intelligence. Your coworkers must be trained further and tested to see how well they understand and apply phishing scam prevention procedures.
Your managed service provider can collaborate with you to create and customize simulated phishing attacks to test your employees. Test emails include the red flags and tactics your coworkers have been trained to spot, so that they look like real phishing attempts to those being tested.
It’s important to emphasize that these tests are not meant to embarrass or punish staff who may fail to identify phishing attempts. They are simply a very effective training tool to help your team get better as a whole at spotting potential phishing emails.
4. Make Sure Your Staff Is Reporting Phishing Emails
It’s natural to be afraid of being wrong or wasting someone’s time — especially in the workplace. You need to make sure your team reports suspicious-looking emails they suspect as phishing.
A great encouragement method is a rewards system. Place the names of people who identify and report phishing emails into a hat, or keep track with a digital spreadsheet, and pull one a month for a raffle prize of $1,000, or offer a $20 gift card for every successful phishing email spotted.
This may sound like a lot of money upfront, but keep in mind that a successful phishing scam can cause millions of dollars worth of damages and potentially bankrupt your company.
You should also streamline the reporting process to make it as easy as possible for your coworkers. Employees are much less likely to want to put in the work if the process of reporting an email is burdensome or complicated.
If your reporting process takes lots of steps to complete, we recommend making a simpler alternative like a “report” button.
5. Use the Dark Web to Find Company Data
The information stolen in breaches or data leaks most often ends up on the dark web. Sometimes, the data is for sale and sometimes it’s just posted there.
Many sophisticated phishing operations begin with leaked company credentials found or bought on the dark web. Your phishing scam prevention plan should include dark web monitoring for your company’s credentials and identifiers, such as your company’s name or associated email addresses.
Keeping tabs on this information can alert your company if any passwords have been sold, so you can change them and make them stronger before the cybercriminals can cause irreparable damage. Dark web monitoring can also notify you if your company name or information appears in forum discussions, which could indicate cybercriminals are targeting your company.
6. Know How You Stand Out Online
While all employees need to be aware of phishing and how they may be a target, new employees are particularly vulnerable.
Phishers will often keep tabs on online databases like LinkedIn and target new employees because they are usually easier people to influence. You should inform all new employees about this, and warn them that phishers may target them specifically and even use their emails or phone numbers in their phishing attempts.
Phishing attempts aren’t limited to just new employees. Upper management is also a major targeted group (a practice called whaling) because they have access to more company information and systems.
Once cybercriminals gain access to a senior-level employee’s account, it is easier to manipulate lower-level employees with email requests. Think about it: if you think an email request is coming from your boss or CEO, you’re less likely to think twice before acting on the request, no matter how out there it may seem.
We recommend all C-suite members establish security protocols to ensure the safety of their information.
Another big mistake people make online is sharing too much information on social media. Cybercriminals can use your personal information like your birthday to access your accounts.
A safe bet to keep your identity from being compromised is to hire a company to do a cyber security assessment. As part of this assessment, they will analyze your company’s website and social media along with employees’ profiles.
7. Take Advantage of Tools and Technology
In a perfect world, there would be a solution that would eliminate phishing emails, but we all know that’s not the case. However, there are ways to lower the frequency and amount of phishing emails you get, including:
- Email filters that filter out scams.
- Microsoft 365 Advanced Threat Protection for companies using Microsoft 365.
- Multi-factor authentication (MFA) can prevent a cybercriminal from getting into an account with stolen credentials.
- A secure web gateway (SWG) and single sign-on (SSO) allow you to enable MFA in one place and have it enforced across all of your accounts. The SSO portal should be the only place any of your credentials are entered, so it’s a good idea to make a policy stating this to your employees.
- Password managers store passwords securely and encourage strong password management practices like not repeating passwords. Password managers can also help people recognize that they’re on a phishing site instead of where they intended to log in. Saved passwords do not autofill on a spoofed site.
- Multi-scanning technology to help scan and filter your emails. Using a single antivirus tool will not prevent or detect scams all of the time, which is why we recommend that you use multiple engines to scan your emails.
There’s one more thing you could do, but it’s a drastic measure only suitable for certain companies. Allowing only plain text emails along with restricting types of attachments helps to prevent phishing because it will block any emails with links or attachments that aren’t explicitly permitted.
8. Create a Blacklist and Mark External Emails
A blacklist can make dangerous emails more noticeable. Blacklisting involves integrating your company’s email system with an intelligence feed so you stop receiving emails from sources known to be unsafe. It works by tracing emails back to their source IP addresses and blocking emails from blacklisted IPs.
Another easy way to help your coworkers be more vigilant is to mark all emails not sent from within the company as “external.” This is an immediate warning to look for possible red flags contained within the suspicious-looking email.
With this in place, you still have to make sure your team knows this method isn’t foolproof. If a company email address has been spoofed, the message will appear to come from a legitimate internal address and won’t be marked external. To prevent spoofing, make sure your email DNS (domain name system) records are implemented correctly.
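The DNS records that let receiving servers reject mail spoofing your domain are SPF, DKIM and DMARC. The Python below is an added example, not code from the article or its authors: it parses constructed SPF and DMARC TXT records for a hypothetical domain and flags the weak settings (a softfail `~all`, a `p=none` policy, a partial `pct`, too many SPF lookups) next to the corrected ones.

```python
import re

# Constructed sample TXT records for a hypothetical domain (not taken from the article).
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@company.example"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@company.example; adkim=s; aspf=s"
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_findings(record: str) -> list[str]:
    """Return weaknesses found in an SPF TXT record (an empty list means acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or invalid v=spf1 prefix"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    if "-all" not in mechanisms:
        if "~all" in mechanisms:
            findings.append("softfail (~all): spoofed mail is accepted and only marked")
        elif "?all" in mechanisms or "+all" in mechanisms or "all" in mechanisms:
            findings.append("neutral/pass 'all': any server may send as this domain")
        else:
            findings.append("no terminal 'all' mechanism: unlisted senders are not rejected")
    lookups = sum(1 for m in mechanisms if re.split(r"[:=/]", m.lstrip("+-~?"))[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror")
    return findings

def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses found in a DMARC TXT record (an empty list means acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or invalid v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: mail failing DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is enforced on only part of failing mail")
    return findings
```

DKIM is not checked here because its public keys are published under per-selector names rather than one fixed record; the DMARC `adkim`/`aspf` tags in the strong record only tighten how the SPF and DKIM domains must align.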
9. Create a Phishing Response Plan
At the end of the day, you can take all of the above recommended precautions, but your company will never be 100 percent safe from phishers all of the time. Cybercriminal tactics evolve daily, and it only takes one moment of inattention from one coworker to make a mistake.
You need to be prepared and have an incident response plan in place. Never blame or shame the victim. Instead, increase your cybersecurity awareness training and other prevention techniques, run a cyber security assessment to find and close weak areas of your security plan, and work to mitigate any damage done.
If you outline the potential breach scenarios in advance and explain how to respond, you’ll be able to hit the ground running after one occurs.
We’ve discussed email a lot in this article, but it’s worth keeping in mind business-related communications channels are growing rapidly — and cybercriminals can use them all, including messaging apps, social media and even phone calls.
Take Your Phishing Prevention to the Next Level
After reading this article, you now have nine solid ways to actively engage in phishing scam prevention. At the same time, cybercriminals continue to learn and evolve, getting more creative in their phishing attempts.
Don’t try to keep up with the latest phishing exploits alone. Contact us or book an appointment so we can discuss how to best protect your company from current and future phishing attacks.