Most of us who have been on the internet for a while will know how to spot a dodgy email.
Poorly written text with spelling mistakes, suspicious attachments, unfamiliar email addresses – the tell-tale signs are usually there. However, phishing scams are becoming more sophisticated and harder to catch.
Phishing, smishing (text or SMS), and vishing (voice call) attacks have been growing in number over the past 18 months and unfortunately aren’t slowing down. With widespread remote working taking hold last year, cyber-criminals seized the opportunity laid out right in front of them. They were banking on the fact that home network security was weaker than the security implemented for office work. And when security is weakened, the door opens to easier access to sensitive data.
But there are steps we can take to keep our credentials out of the hands of cybercriminals, in both our personal and professional lives.
Be cautious across all channels
Although email is the primary vector for scams, threat actors are becoming much more comfortable with other methods too. Phishing links, credential harvesting sites, and other forms of social engineering can come through a suspicious text, an odd message through your social media account, or a weird phone call to either your personal or work phone line.
To stay one step ahead, it’s important to use the same caution and scepticism regardless of where the message comes from.
Review email addresses
Many times, malicious threat actors imitate an email address so that it looks almost identical to the impersonated sender at first glance. Check that the domain name (the text following the “@” symbol in an email address) matches what you would expect from the sender. What may look like <email@example.com> may actually be <firstname.lastname@example.org>.
If a suspicious text comes from a number with only a few digits, that is a sign the message was sent by an automated system and could be a scam. Be cautious of links sent in phishy texts too, as they can infect your mobile device.
Your gut is always right
Cybercriminals look for ways to latch onto the trust you have already established in reputable companies, friends, family, and even co-workers. If you receive a message from someone you know and trust, but it seems out of character or contains an ‘urgent request’, there is a chance their account was hacked and someone is fraudulently using their credentials to send messages.
Verify the message by contacting them directly using another form of communication you trust before taking any action. If you are concerned about the security of a co-worker’s account, you should reach out to your Security or IT teams for help.
A password manager is an ally
We know that using a password manager to generate and store long, unique passwords is a must for a strong security posture. But did you know a password manager can also help flag a phishing website for you?
Let’s say you receive a well-crafted phishing email that appears to come from your bank. It looks totally legitimate, so you click the link in the email, are redirected to what appears to be your bank’s website, and are asked to log in with your credentials. If your password manager normally auto-fills your credentials on that site but fails to do so, that’s a sign it doesn’t recognize the URL and you could be on a phishing site. Paying attention to this detail could make the difference between keeping your account and handing your credentials to a hacker on a silver platter.
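The two checks described above, comparing a sender’s domain against the one you expect and deciding whether a saved login should be auto-filled on the page in front of you, can be made concrete in code. The following is an added example written for this article; it is not LastPass code and does not describe how any particular password manager works. All addresses and URLs in it are constructed samples, and the registrable-domain rule (“last two labels”) is a deliberate simplification noted in the comments.

```python
# Added example, not from the article or from LastPass. Two checks in the spirit of the
# advice above: does a sender's domain really match the expected one, and would a
# password manager's site-matching rule auto-fill on a given page?
# Sample addresses and URLs below are constructed for illustration.
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit


def sender_domain(address: str) -> str:
    """Return the normalised domain (the text after '@') of a From: value.

    parseaddr() strips the display name, so 'Security <x@y>' yields 'x@y'.
    """
    _display_name, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    # NFKC folds full-width and other compatibility characters so that a
    # visually similar domain is compared on its canonical form.
    return unicodedata.normalize("NFKC", domain)


def sender_matches(address: str, expected_domain: str) -> bool:
    """True only if the sender's domain is expected_domain or a subdomain of it.

    A plain substring test would accept 'example.com.evil-site.net'; this check
    requires an exact match or a dot boundary right before the expected name.
    """
    actual = sender_domain(address)
    expected = expected_domain.lower()
    return actual == expected or actual.endswith("." + expected)


def registrable_domain(host: str) -> str:
    """Simplified 'eTLD+1': the last two labels of the host name.

    Assumption for this example only: real password managers consult the
    Public Suffix List so that names under suffixes like 'co.uk' group correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_allowed(saved_url: str, current_url: str) -> bool:
    """Mimic a password manager's decision to auto-fill a saved login.

    The current page must be served over HTTPS and its host must share the
    registrable domain of the saved entry. Comparing parsed host names, not
    raw URL strings, is what defeats 'https://bank.example.com@evil.net/'.
    """
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https":
        return False
    return registrable_domain(saved.hostname or "") == registrable_domain(
        current.hostname or ""
    )


if __name__ == "__main__":
    saved = "https://online.example.com/login"
    for page in (
        "https://online.example.com/login?session=42",
        "https://example.com.login-secure.net/",
        "https://online.example.com@evil.net/login",
        "http://online.example.com/login",
    ):
        verdict = "fill" if autofill_allowed(saved, page) else "NO FILL"
        print(f"{verdict:8} {page}")
```

Only the first of the four sample pages gets a fill; the other three are exactly the situations the article warns about: a look-alike domain that merely contains the bank’s name, a URL whose real host hides behind an “@”, and a page that is not even served over HTTPS.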
Don’t blindly accept multi-factor authentication (MFA) prompts
MFA is a second layer of security that adds an extra step to verify your identity. For example, when you attempt to log into a personal online banking account, to confirm that the login attempt is you and not someone maliciously using your credentials, you are prompted to enter your username and password, followed by another form of verification: either a code sent to the mobile phone number associated with your account or a code from an authenticator app.
If you receive an MFA request but did not log into an application or website that prompted it, you should immediately ignore or deny the request and change your password to prevent further attempts to get into your account.
As cyber risks continue to grow, it’s important to understand how best to protect our online selves. This starts with knowing what to look out for, and how to spot the signs when something looks slightly off. This has never been truer now that our personal and professional worlds have combined. Cybercriminals are always looking for ways to get our personal data; the lesson learnt is: don’t make it easy for them.
About the Author
Dan DeMichele is VP of Product Management for LastPass. We’ve made going online easier and safer since 2008. LastPass Business scales SSO and password management for teams small and large, helping IT be more secure, maintain compliance, and increase productivity of the organization. The last password you’ll ever have to remember.
Featured image: ©Dafart