Phishing 101: What it is, how it works and how to avoid it
Ever gone fishing? The cybercrime known as phishing works in a very similar way.
Tech-savvy con artists bait email hooks, send them out into the internet waters, and pull in personal information that can help them gain access to protected systems.
You know what this means, right? That Nigerian prince doesn’t actually need help transferring “much funds” to “American dollars US.” In fact, if you click on that link, you’re the one likely to suffer heavy losses.
It’s better if you don’t respond at all.
Phishing can also include attachments that download malicious code onto your systems. Keylogging software and other information-gathering viruses give malicious coders access to sensitive data like logins and passwords. Just opening the wrong email could put your entire company database at risk.
Understanding the risk
With phishing, hackers have an easy way to attack that can be highly profitable. Consider that a successful phishing attempt on a mid-sized business comes with an average price tag of $1.6 million.
Enterprise businesses are not exempt, even with massive IT departments and increasingly complex security protocols.
Spear phishing, a more targeted form of phishing that mimics other known users, makes up 95 percent of all attacks on enterprise businesses. If you received an email from the CEO, you’d probably open it too—even if it turned out it was from a hacker.
Leaving the bait on the hook
Keeping your company safe from phishing attacks starts with something very basic: education.
Give your employees examples of some of the most sophisticated attack scenarios and strategies to avoid them. For example, if you get an email from “Google” asking you to log in, never use an embedded link. Always load websites using the actual URL, not hyperlinks provided via email. This avoids the risk of spoofed pages designed to capture login credentials.
Ignoring attachments also helps eliminate the risk of ransomware downloads.
In addition to educating your workforce about the most common lines of attack, you can also institute some company-wide defense strategies and tools.
Better passwords using management software
Encouraging your employees to use strong passwords is helpful. But the longer and more complex the password, the more likely users are to write it down, send it to an accessible email box, or otherwise immediately undo the increased security.
Password management software can take care of the problem by automatically filling in login and password information on recognized sites. When the password manager doesn’t recognize the site, it’s a warning sign to employees about a possible spoofed site.
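Why a password manager refuses to fill on a spoofed page, shown as an added example (not code from this article or from any particular product). It assumes a strict exact-host matching policy; the names `VAULT` and `autofill_decision` and all URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the host where the credential was saved -> username.
VAULT = {"sso.corp.example": "alice"}

def autofill_decision(page_url, vault=VAULT):
    """Return (fill, reason) for the page the user is currently looking at."""
    try:
        parts = urlsplit(page_url)
        host = (parts.hostname or "").rstrip(".")
        # Compare in ASCII (punycode) form so look-alike Unicode letters
        # cannot pass as the saved host.
        host = host.encode("idna").decode("ascii")
    except ValueError:  # malformed URL or hostname (UnicodeError is a subclass)
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if host in vault:
        return True, "exact host match"
    # The saved name showing up elsewhere in the URL is a common spoof pattern.
    for saved in vault:
        if saved in page_url.lower():
            return False, f"'{saved}' appears in the URL, but the real host is '{host}'"
    return False, f"no saved login for '{host}'"

if __name__ == "__main__":
    # Constructed URLs using reserved example/test names.
    for url in [
        "https://sso.corp.example/login",
        "http://sso.corp.example/login",
        "https://sso.corp.example.account-verify.test/login",
        "https://sso.corp.example@files.test/login",
        "https://sso.c\u043erp.example/login",  # Cyrillic 'o' look-alike
    ]:
        print(url, "->", autofill_decision(url))
```

Only the first URL is filled; the other four are the cases where an empty login form is the warning sign described above.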
Social media monitoring
Email phishing is still the most common form of phishing, but social media platforms also offer an avenue of attack.
Using fake accounts, hackers can approach your employees through less guarded communications like social media. Monitoring what happens on corporate social accounts and teaching your workers about the risks of corporate espionage through social contact can go a long way toward minimizing your risks.
Partnering with a cybersecurity expert
Small businesses rarely have the budget to support an in-house IT department, and even when they do, cybercriminals are relentless. The number of cyberattacks creeps up every year, leaving you with some tough choices.
Thankfully, it is possible to get high-level protection against phishing without investing in more top-level salaries. Talk to your managed services provider to see how they can provide the defenses you need against phishing attacks, without the cost that comes with a whole new department.