Is It a Phishing Attempt? 2 Questions to Ask

This month, we wanted to provide a fresh reminder for how critical it is to keep security at the forefront of our minds. Here at ID Agent we have seen an increase in the volume of phishing attempts against our organization, and this will likely continue. It is vital that everyone remains vigilant. In our day-to-day, it is easy to let our guards down. Everyone wants to keep their inboxes empty and their customers happy. That is not unique to our organization–we all struggle with this. Because of this, the bad guys are continuously testing our defenses and are looking for that one opening.

There are two questions everyone should be asking to help combat phishing attacks:

1. Should I be the recipient of this e-mail?

As an example, the engineering team shouldn’t receive invoices. Even if the invoice is from a source with which the engineering team typically corresponds, it should raise a reg flag.

“Why is [example company] sending Danny an invoice? He never deals with that sort of thing.” A call to the vendor supposedly sending the invoice is the quickest route to the answer. Don’t worry–vendors want to get paid. They won’t be mad that you asked.

Solution: Call to verify or inform the correct point of contact and ask them to call and verify.

2. Do I have an account with this 3rd party vendor?

These are really the tricky ones. It isn’t hard for a bad guy to figure out what services are used by a company to support its day-to-day operations. However, knowing who has accounts might be a bit more complicated. So, what happens? They send the phishing attempt to everyone!

Now, many of you may be thinking that you’d know it if it happened. However, let’s take a quick second to think about this scenario.

Barry has nine customer conference calls and a webinar set up for Monday morning. On the way into work he receives an e-mail that his account has been locked out temporarily. Is the first thing on his mind that this is a phishing attempt? Maybe. Or maybe it’s that he has a call with a customer in 3 minutes and he really needs to figure this out. Again, you may be thinking that you’d know if it happened. However, let’s take a look at the real example that just came in recently. If it was addressed to you, would you know? What if it’s legitimate?

Solution: Unless you have directly requested contact (for example, you have requested a password in the last 2 minutes), use the website—not the link in the email—to log in.

There are many other examples of sophisticated phishing attempts, and the most important reminder is to take a moment to think about what you are seeing before taking an action. By educating employees on what to look for, staying on top of the latest tactics being used and reminding everyone to stay vigilant, companies can create a culture of protection and their employees can become the first line of defense.

To learn about ID Agent’s award-wining Phishing Simulator and Security Awareness Training Program built for MSPs, visit the company’s product page for BullPhish ID.