Every organization should have a security awareness program. If you don't, start making preparations to run one. One area to start with is instruction on the dangers of phishing. The Security Awareness category on Best of Roy will show topic ideas to keep in mind for your program.
A phishing attack is simply a message or website that appears real but is designed only to look convincing. Usually, much of the underlying functionality does not actually work (such as the unsubscribe button in an email or the login form of a website).
Many spam or bulk email messages flagged for abuse contain variations of phishing. Attackers bait users by fishing for personal information, usually banking details or account information.
If you click a link, always check the domain in the link to make sure you are going to the real website and not some quick mockup designed to steal your information. For example, make sure you’re visiting google.com instead of google.somewebserver.hacker.com.ru.
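As an added illustration of the domain check above (this helper is not part of the original post), here is a small Python function that extracts the host a link really points to and compares it with the domain you expect. The sample links are constructed for the demonstration; hacker.com.ru appears only because the post uses it as its example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample links for illustration only; none of these are real phishing URLs.
SAMPLE_LINKS = [
    "https://www.google.com/account",                    # legitimate subdomain of google.com
    "https://google.com.ru/login",                       # different registered domain
    "https://google.somewebserver.hacker.com.ru/login",  # the example from the post
    "https://google.com@hacker.com.ru/login",            # "google.com" is only the user@ part
    "https://hacker.com.ru/google.com/login",            # "google.com" is only in the path
    "https://GOOGLE.COM./",                              # case and a trailing dot do not matter
]


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname a link actually points to, or None.

    urlsplit().hostname drops the scheme, any user@ prefix, the port and the
    path, and lowercases the result; a trailing dot is stripped here as well.
    """
    if "://" not in url:
        url = "http://" + url  # a bare hostname would otherwise parse as a path
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def link_points_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or one of its subdomains."""
    host = link_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_links(urls, expected_domain):
    """Map each link to whether it really leads to expected_domain."""
    return {u: link_points_to(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for url, ok in check_links(SAMPLE_LINKS, "google.com").items():
        print(("OK      " if ok else "SUSPECT ") + url)
```

Note that the comparison is against the whole host name, so "google.com" appearing earlier in the host, in the user@ part, or in the path does not count, which is exactly the trick the post warns about.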
Best practices for defending against phishing attacks include:
- Do not open attachments from emails you aren’t expecting.
- Do not click links from unsolicited or unexpected email.
- Do not respond to threats from emails. If you have a legitimate concern about the status of your account or whatever is being threatened, contact the company you do business with directly.
- Do not submit strange forms (surveys requiring unnecessary personal information).
- Do not email personal or sensitive information.
- You did not win the lottery without playing, you did not receive a personal government grant (not possible), and any other random revelation that’s too good to be true should be treated the same way.
What phishing awareness measures do you take or what email safety tips do you give to your organization?