Stay Safe from Phishing: Tips for National Cybersecurity Awareness Month


Published October 15 2024

October is the 21st annual National Cybersecurity Awareness Month, a time that highlights the importance of maintaining our cyber hygiene and taking small personal actions every day to secure our world. Cybersecurity threats are rising globally, with new challenges from AI, increased data breaches and more bot attacks. Phishing, a practice in which a threat agent sends messages posing as a trusted colleague or organization to lure the victim into revealing personal information or providing access to their device, is a growing and particularly dangerous form of cyber-attack. Small actions can make a large difference to your security against these attacks. However, it can be difficult for individuals and organizations to know what actions they should take and what threats they face, and to stay up to date. This blog offers advice on how to detect and prevent phishing to help you stay secure for National Cybersecurity Awareness Month.

What is Phishing?

Phishing attempts typically come in emails or other communications that look like they are from a trusted source, even including graphics or logos that appear to match those the source uses. These messages usually urge the receiver to click on a link or attachment or to provide personal information by appealing to their emotions: enticing them with a promise to reveal high-interest information, such as new facts about public figures, or threatening them using the authority of the organization or person the sender is masquerading as.

Once the receiver clicks the link or attachment, the phisher can use malicious software contained in the file or link to install malware on their device, access personal information or take their device hostage using ransomware. If the phishing attempt instead seeks to get the receiver to submit personal information, it may take the receiver to a website designed to look like a trusted site the receiver frequently logs into, in order to steal their login information. It could also direct them to a site that offers access to intriguing information in exchange for the user submitting their personal information.

What are the warning signs of Phishing?

Some key warning signs that a communication might be a phishing attempt are:


While a phishing email may appear to have originated from a trusted contact, the email address it was sent from will usually look different from the sender’s normal address. The differences could include the email using an unusual domain, containing odd letters or having unusual strings of numbers. Another warning sign is when the name on an email is from a trusted sender but the email address is not clearly related to that sender. This can be an indication that the sender is trying to masquerade as that individual. Sometimes the email address in a phishing email can look similar to the sender’s actual address but includes slight misspellings or the addition of characters that can only be seen with careful examination.

Many phishing emails contain an unusual number of grammatical or formatting mistakes not usually seen in professional communications. These can include simple grammatical errors, misspellings or poorly constructed sentences. These emails often also contain extremely generic greetings or are addressed to the wrong person. Phishing emails that use company logos or other visual elements to imitate a trusted source can also contain formatting errors, from visual elements fitting together poorly to these elements being extremely low resolution. If the email seems especially poorly written or odd, it might be a phishing attempt.

A phishing email needs you to engage with it, and such emails often use offers that are too good to be true. If an offer seems improbable or impossibly good, it may instead be a phishing attempt. If you receive an offer like this, check with the supposed source of the offer to see if it is genuine before clicking on any links or engaging with it. When you do this check, do not reply to the message you received; instead, contact the organization by calling them or emailing them through your point of contact.

Phishing attempts can also ask that you take strange approaches to what would otherwise be routine actions. These can include asking you to provide money to a vendor in an odd way, supply a colleague or supervisor with personal or confidential information without clear reasons, or provide information or money to a government entity to cover an unexpected or unfamiliar tax or fee. In these cases, it is always best to contact the organization the request claims to come from to ensure it is genuine before you take action.
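
The sender-address warning signs described above (a trusted name on an unrelated address, a domain that is a slight misspelling of the real one, odd characters, unusual strings of numbers) can also be checked automatically when triaging reported mail. The following Python code is an added example, not part of the original post; the `TRUSTED` directory, the thresholds and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed directory of known senders: display name -> real domain (assumption).
TRUSTED = {"Jane Doe": "example.org", "Example Payroll": "example.org"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_warnings(from_header, trusted=TRUSTED):
    """Return the list of warning signs found in one From: header value."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    known = {d.lower() for d in trusted.values()}
    warnings = []
    # A known sender's name paired with an address on a different domain.
    expected = trusted.get(name.strip())
    if expected and domain != expected.lower():
        warnings.append("display name of a known sender, unrelated address")
    if domain not in known:
        # One or two character edits away from a real domain (assumed threshold).
        if any(0 < edit_distance(domain, d) <= 2 for d in known):
            warnings.append("domain is a near-miss of a known domain")
        # Characters that render like ASCII letters but are not.
        if domain.startswith("xn--") or ".xn--" in domain or not domain.isascii():
            warnings.append("domain contains non-ASCII or punycode labels")
    if re.search(r"\d{5,}", local):
        warnings.append("long run of digits in the address")
    return warnings

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Jane Doe <jane.doe@example.org>",
    "Jane Doe <jane.doe@examp1e.org>",
    "Example Payroll <payroll8842719@mail-service.test>",
    "Jane Doe <jane@xn--exmple-cua.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_warnings(header) or "no warning signs")
```

A clean result only means these particular signs are absent; it does not establish that a message is genuine.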

When I receive a phishing email, what should I do?

If you receive an email or other message that appears to be a phishing attempt, do not open it, click on any links, or download any attachments. Instead, report the email to IT at your organization or your supervisor so that any breaches related to the phishing attempt can be addressed and the potential threat reported to others. By thinking carefully about the communications you receive and taking steps to ensure that odd communications are genuine, you can prevent security breaches at your workplace.

How do I learn more about Phishing and how to prevent it?

If you want to learn more about phishing and ways to avoid it, the CyberMontana Security Awareness Training (SAT) program offers a free demo lesson for October focusing on phishing. In this short and interactive lesson, you will learn more about how to identify phishing attempts and get to practice your skills in identifying phishes through interactive quizzes and games.

Keep building your cybersecurity

If you are interested in more cybersecurity training, CyberMontana provides SAT for businesses and organizations across Montana to help them learn security best practices and keep up to date with current threats. SAT training includes monthly asynchronous online lessons that employees can complete on their own time to build their cybersecurity knowledge. Each month brings training in a new relevant cybersecurity topic on threats and safety practices.

This is a simple, cost-effective, engaging way to keep your organization secure and raise your cybersecurity awareness for National Cybersecurity Awareness Month in October and for the rest of the year. To learn more about the program and to enroll, contact info@cybermontana.org.