Cyber Lawyer on Your Side

How to Avoid a Phishing Trip: Employees and Targeted Email Scams

Written by Goosmann Law Team | Dec 6, 2018 2:08:56 AM

Phishing is a cyber threat nearly all internet users are familiar with: a scam email or other electronic communication that aims to obtain access or sensitive data through deception. Phishing scams are usually emails sent by automated accounts to large numbers of addresses, carrying a request that someone might just find believable enough to open an infected attachment, wire money, or disclose sensitive data.

In the early days of the internet a phishing scam was fairly easy to spot and was typically replete with grammatical errors and unbelievable claims: “I am a Nigerian prince needing aid from a charitable benefactor,” “Click now to redeem your prize,” “Urgent IRS demand, comply now or face criminal prosecution.” Low-effort, high-volume phishing scams are still very common, but for high-value targets like large companies, government agencies, government contractors, banks, hospitals, universities, and law firms, targeted phishing scams can be much more sophisticated and disguised well enough to trip up attentive, security-conscious employees.

Indiscriminate phishing attacks are usually easy to detect and contain, but targeted phishing attacks, also known as “spear phishing,” thrive on building a believable narrative. Think of phishing as casting a wide net of emails hoping to catch as many small fish as possible, while spear phishing is focused on landing a single high-value target. Scammers can sink many hours into researching and tailoring a request to a particular company and individual.

  • Who Is This From: A tailored phishing email will usually be in the guise of an authority figure such as a CEO, manager, or department head, but it may also be in the guise of a colleague, family member, or even a competitor or legal opponent. For instance, law firms have been duped into wiring settlement payments to thieves believably impersonating the opposing parties. If it's not typical to receive an email from the sender, check the actual sender address (not just the display name your mail client shows) for any alteration from the company address format, such as an added, swapped, or look-alike character in the domain, and forward the message to IT or whoever is in charge of security for the office.
  • What Time Is It: Targeted phishing emails often arrive at the end of the day, usually at the end of the work week, to take advantage of fatigue and diminished attention to detail, or else early in the morning to put as much pressure as possible on the recipient to comply immediately at the start of the day. Be aware of the timing so you know when to be most alert to scam emails.
  • What Is Requested: While confidential information is routinely shared over the internet between company accounts, if the sender is requesting information that is atypical, already available to the sender, or subject to access controls, it is worth looking into the request before complying. For instance, if a purported company CFO requests employee W-2 forms over email, be skeptical. The biggest red flag is a request to reply to an alternate email address, whether stated in the body of the message or set as a Reply-To address that differs from the sender.
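The three checks above can also be applied mechanically to a message's raw headers. The following is an added example written for this page (it is not code from the original article): it uses Python's standard library to flag a sender domain that is external or one or two characters away from the company's own, a display name that claims a company address the real sender does not have, a Reply-To that diverts the answer elsewhere, and end-of-week or off-hours timing. The company domain, the addresses, and both sample messages are constructed placeholders.

```python
# Added example (not from the original article): automating the "Who Is This
# From", "What Time Is It" and "What Is Requested" checks against raw email
# headers. COMPANY_DOMAIN and the sample messages are constructed placeholders.
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

COMPANY_DOMAIN = "example-law.com"   # assumed: the firm's own mail domain


def _domain(addr):
    """Return the lower-cased part after the last '@' (empty if there is none)."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance. A distance of 1 or 2 from the company domain is the
    usual look-alike pattern (examp1e-law.com, exampIe-law.com, example-law.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of red flags found in the headers of one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    # Who is this from: compare the real From: address with the company domain,
    # not the display name the mail client shows.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom != company_domain:
        dist = _edit_distance(from_dom, company_domain)
        if dist <= 2:
            flags.append(f"look-alike sender domain {from_dom!r} "
                         f"(edit distance {dist} from {company_domain!r})")
        else:
            flags.append(f"external sender domain {from_dom!r}")
    # Display-name spoofing: the name shows a company address, the sender does not.
    if _domain(from_name) == company_domain and from_dom != company_domain:
        flags.append(f"display name {from_name!r} claims a company address "
                     f"but the real sender is {from_addr!r}")

    # What is requested: a Reply-To that sends the answer somewhere other than
    # the apparent sender is the article's "biggest red flag".
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != from_addr.lower():
            flags.append(f"Reply-To {rt_addr!r} differs from From {from_addr!r}")

    # What time is it: late Friday or very early (per the Date header) is only a
    # hint, so it is reported as one rather than as proof of anything.
    date = msg.get("Date")
    if date:
        sent = parsedate_to_datetime(date)
        if (sent.weekday() == 4 and sent.hour >= 16) or sent.hour < 7:
            flags.append(f"timing hint: sent {sent:%a %H:%M} (end of week / off hours)")
    return flags


# Constructed sample: a spear-phishing attempt impersonating a partner.
SUSPECT = """\
From: "Jane Doe, Managing Partner" <jane.doe@examp1e-law.com>
Reply-To: jane.doe.partner@gmail.com
To: bookkeeper@example-law.com
Date: Fri, 7 Dec 2018 16:42:00 -0600
Subject: Urgent: settlement wire before 5pm

Need the wire out today. Reply here with confirmation, I am in a meeting.
"""

# Constructed sample: a routine internal message with no red flags.
ROUTINE = """\
From: Jane Doe <jane.doe@example-law.com>
To: bookkeeper@example-law.com
Date: Tue, 4 Dec 2018 10:15:00 -0600
Subject: Expense report

Attached is the expense report for November.
"""

if __name__ == "__main__":
    for label, raw in (("SUSPECT", SUSPECT), ("ROUTINE", ROUTINE)):
        print(label, check_headers(raw) or ["no red flags"])
```

Run as a script, it reports three flags for the suspect message (look-alike domain, diverted Reply-To, late-Friday timing) and none for the routine one. The checks are deliberately coarse: an edit-distance threshold of 2 will also match a legitimate sister domain, and the Date header is set by the sender, so a tool like this belongs in a triage queue in front of a human, not in place of one.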

To err is human, and one of the best tools to combat phishing is for companies to run their own simulated “phishing scams” and track the results. This should not be run as a “gotcha!” leading to punishment and employee paranoia, but instead to reward vigilance, target training efforts, and give employees a practical sense of what to look out for day to day. Employees should also be comfortable reporting suspected scams to a dedicated email address or help desk, as a short delay in replying to an atypical email request is far better than a company-wide ransomware incident.