Phishing is an attack in which threat actors use social engineering, sending spam emails that look like they come from legitimate sources. The messages are designed to entice recipients to click through a link to a fake website or download an official-looking file that carries a malware payload. Once the recipient has clicked through or opened the file, they are prompted to provide sensitive or personally identifying information, which is captured and sold to interested third parties.
Why Phishing is a Major Risk for Businesses
Phishing attacks start with an email designed to convince the recipient there is an urgent need to click through a link or download a file. Emails like this used to be easy to spot. They were riddled with typos and the language used sounded unnatural because the threat actors creating the messages usually spoke English as a second language.
You may still occasionally see emails that fit that description, but as cybersecurity threats mature, phishing emails are getting harder to spot. Threat actors have even begun to personalize emails so they are more convincing, and it’s working. 30 percent of phishing emails are opened, according to Barkly.
For businesses, this is bad news. It means that your data is far more at risk than you may have thought. So, how does a business defend against phishing attacks? First, understand what a phishing attack looks like and next, educate your staff about email security threats.
Recognizing a Phishing Email
Phishing emails are all about gathering personally identifying information. They’re targeted to get the recipient to provide that information based on a compelling reason combined with a link that leads the user to a convincing, but fake, website address. The best way to spot a phishing email is to check the links in the email, without clicking them. To do this, hover your mouse pointer over any link in the email message. You should see a pop-out that displays the address the link leads to. In some cases, instead of a pop-out, you’ll see the address displayed in the bottom right corner of your browser. Do not click the link until you’re sure it’s safe.
When you see the link displayed, it could look very similar to a legitimate web address. It may only be off by a few letters. For example, instead of a .com address, you might see a .co, .biz, or even an extension for another country, like a .cz, .pl, or .ru. Everything else in the email could look real. There may not be a single misspelling, and the email might even be personalized to you, but if there are links to click through, take a couple of seconds to look at the link address. You could prevent a phishing attack.
Even if a web address looks legitimate when you hover over it, if you’re in doubt, don’t click the link. Instead, open a new browser window and type the main website address of the company that supposedly sent the email. When you get to their website, you should be able to tell pretty quickly if the email was legitimate or not. If you’re still in doubt, you can always call the company.
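The link check described above can also be run automatically over the HTML body of a message before anyone clicks. The following Python code is an added example, not part of the original article; the trusted domain `example.com`, the function names, and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example.com"}  # assumption: domains the business really deals with

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag: the address hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def base_domain(url):
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch addresses that are off by a few letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_links(html):
    """Return (href, reason) for each link that resembles a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        dest = base_domain(href)
        if dest in TRUSTED:
            continue  # genuine domain or one of its subdomains
        for good in sorted(TRUSTED):
            if dest.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
                findings.append((href, f"same name as {good}, different extension"))
            elif edit_distance(dest, good) <= 2:
                findings.append((href, f"within two characters of {good}"))
    return findings

# Constructed sample markup, not taken from a real message.
SAMPLE = ('<a href="https://www.example.co/login">Sign in</a> '
          '<a href="http://examp1e.com/reset">Reset</a> '
          '<a href="https://help.example.com/">Help</a>')
```

Calling `review_links(SAMPLE)` flags the first two links and passes the third, which sits on a subdomain of the trusted domain.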
Never Download a File You’re Not Expecting
The other half of preventing phishing attacks is to recognize that downloading files is dangerous business. Threat actors use downloads to deliver a virus, worm, or other malware. And since those criminals may have hacked someone that you know, it’s not wise to trust any file you aren’t expecting.
As a general rule, don’t download anything you don’t know is coming. It’s tempting because the email will come from someone you know, and it will probably have a subject line designed to initiate action, like “Look at this immediately!” or “You need to see this immediately!”
The subject line is crafted to get an emotional response, to create urgency so you’ll download the file without thinking. Don’t do it. If there is any doubt, contact the person who sent the email and ask them about it. But don’t reply to the email with the attachment. Instead, create a new email or, even better, give the sender a call.
Education is the Best Prevention
Phishing attacks are so successful because it’s difficult to defend against them. They leverage the one weakness that no program can be designed to monitor: humans. Phishing attacks play on human emotions, and they work. The best way to prevent the damage caused by a phishing attack is to train every employee on the dangers of phishing and on how to recognize a phishing email.
It also helps to have security policies in place you can share with your employees. Develop policies around downloading files, clicking through links, creating passwords, and sharing information with people outside the company. Then take the time to implement training programs to educate your employees on the threats, risks, and methods of prevention for phishing and other cybersecurity attacks.
Finally, realize that training is not a one-and-done situation. You must retrain employees frequently to expand and refresh their knowledge. A regular training program also ensures new employees are included in the education and reduces the likelihood they will fall for a phishing attack.