Phishing Evolves: Best Practices to Avoid Being Phished
A few weeks into my tenure at Terra Nova, I received an email from Fidelity alerting me that my 401(k) account needed action. It stated that I needed to activate my account within 2 weeks or I would lose matching for the year. Being new to the company, I didn’t want to miss out on this opportunity. I remember thinking that it seemed a little strange considering no other company had imposed such a rule, but I thought, “Hey, maybe this company does things differently.” So I clicked and activated my account. The next day I received an email from our security and privacy team telling me I had been phished. I was shocked. Nothing seemed fake or out of place. What now? Sadly, nothing about this story is unique. Every day, people click on links and infect their devices and systems with malware. If you have a “team” monitoring your account, as I did, the impact can be minimized. But for a lot of people the consequences are disastrous. Do you think you would know what to look for? According to a recent Verizon report, over 20% of people will click on a phishing email. The best way to avoid being phished is to always be on high alert. When I think about my example, I knew something was weird, yet I talked myself out of it and clicked anyways. It’s human nature to trust, and phishers capitalize on that. This is exactly why it is so important to be aware of the scams. That way, if something feels “off,” you know what to do. In my case there are a few rules I now keep handy:
- Be aware of email requests with high urgency that ask you to take quick action. Phishers often prey on employee trust and will spoof executives to get you to comply with high urgency actions like wiring large amounts of money ASAP. Or in my case, losing my matching benefits if I didn’t immediately comply. As a rule of thumb, if you are ever in doubt, double-check the request with the sender either by phone or by composing a new email—never reply to the email itself.
- Never give sensitive personal or financial information over email. Trusted parties will never ask you for personal or financial information through email (e.g., social security numbers, account numbers, credit card numbers, passwords, etc.). Be cautious of emails that ask you to call a phone number to update your account information as well.
- If an offer seems too good to be true, it probably is. Offers ofbig bonuses, large payments or gifts (e.g., win a free iPad) are ways attackers try to get inside your head. If the promise is “too good to be true,” do some research into the individual or company before taking action.
- Think about whether you initiated the action. Phishers will try to spoof well-known companies to have you reset your password, update your account or track a shipment. Always be suspicious of unsolicited email, if you didn’t prompt a password reset — don’t click the link.