Cybersecurity Tuesday Tip: Beware of Phishing

By Travis Thompson, ATSSA Director of Information Technology

It’s a typical Friday afternoon at the office when suddenly you receive an urgent message from the company owner. A vendor needs to be paid $100,000 or it will stop working on an important project immediately. You quickly copy down the payment instructions and send the requested funds. Crisis averted!

Or so you thought.

Unfortunately, it wasn’t the company’s owner who sent the email. And the payment? That landed in the hands of a cybercriminal. You were phished!

This month, which is Cybersecurity Awareness Month, we’re offering tips each Tuesday to help protect businesses from cyber threats.

Today we take a look at phishing. This video from the federal government’s Cybersecurity & Infrastructure Security Agency (CISA) is helpful for understanding the topic.

Phishing occurs when bad actors trick us into clicking malicious links, opening harmful attachments, providing confidential information, or sending funds. Phishing attempts usually come in the form of an email, a text, a direct message on social media or a phone call. Bad actors design these communications to appear as though they come from a trusted person or organization.

While phishing has many forms, these are some of the most common:

  1. Credential theft: When a victim clicks a malicious link, it leads to a realistic-looking login page for a service such as an email or financial account. The unsuspecting victim enters a username and password, which the bad actors capture and exploit. They may use a compromised email account to target the victim’s known contacts, or they may immediately withdraw funds from a financial account.
  2. Ransomware: When a harmful file is downloaded by an unsuspecting victim, bad actors infect the victim’s device with malicious software, like ransomware, which can be spread to other devices within an organization. Ransomware is a type of software that encrypts files and data, causing them to be unreadable. Bad actors demand a ransom to be paid in exchange for a decryption key. Even if the ransom is paid, there is no guarantee the decryption key will work or that the data has not been copied and exposed. Victimized businesses often experience significant disruptions for months after an attack.
  3. Impersonation: Phishing messages may appear to come from a trusted person of authority, such as an accountant, senior executive or business owner. These messages usually convey a sense of urgency and seek to exploit a victim’s emotions so that the victim provides confidential information or sends funds to a bad actor disguised as a legitimate entity.

Phishing attacks, like those described above, are common in the roadway safety infrastructure industry and have devastating effects on businesses and employees.

To avoid the harm and business disruptions that come from falling victim to a phishing attack, stay safe with these three simple tips:

  1. Recognize: Look for these common signs:
    • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
    • Requests to send personal and financial information
    • Untrusted shortened URLs
    • Incorrect email addresses or links, like amazan.com
    • A common sign until recently was poor grammar or misspellings, but in the era of artificial intelligence (AI) some emails will now have perfect grammar and spelling, so watch for the other signs.
  2. Resist: If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to your IT department to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report it via the “report spam” button in the toolbar or settings.
  3. Delete: Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.

For business leaders, it is important to take two additional steps to protect your organization:

  1. Train employees to recognize and report phishing: Teach employees to recognize and report phishing attempts. Create a culture of awareness by talking about phishing regularly. Consider utilizing a commercial phishing training program to help train employees.
  2. Implement internal controls: To protect against phishing attempts that request access to financial accounts or request the transfer of funds, implement internal controls that require multi-person approval prior to access being granted or funds being transferred. If a vendor requests that payment instructions be updated, contact the vendor by phone using a known number to verify the change.

CISA also offers additional resources to increase awareness about phishing as part of its “Secure Our World” theme for Cybersecurity Awareness Month.

Tune in next week for tips on using strong passwords.

Published Date: October 8, 2024
