Phishing is an attack where threat actors use social engineering to send spam emails that look like they come from legitimate sources. The messages are designed to entice recipients to click through a link to a fake website or download an official-looking file that carries a malware payload. Once executed, the recipient is prompted to provide sensitive or personally identifying information, which is captured and sold to interested third parties.
Why Phishing is a Major Risk for Businesses
Phishing attacks start with an email designed to convince the recipient there is an urgent need to click through a link or download a file. Emails like this used to be easy to spot. They were riddled with typos and the language sounded unnatural because the threat actors creating the messages usually spoke English as a second language.
You may still occasionally see emails that fit that description, but as cyber threats mature, phishing emails are getting harder to spot. Threat actors have even begun to personalize emails so they are more convincing, and it’s working. 30 percent of phishing emails are opened, according to one report.
That is bad news for businesses. It means that your data is far more at risk than you may have thought. So, how does a business defend against phishing attacks? First, understand what a phishing attack looks like, and next, educate your staff about email security threats.
Recognizing Phishing Emails
Phishing emails are all about gathering personally identifying information. They’re targeted to get the recipient to provide that information based on a compelling reason combined with a link that leads the user to a convincing, but fake, web address. The best way to spot a phishing email is to check the links in the email without clicking them. To do this, hover your mouse pointer over any link in the email message. You should see a pop-out that displays the address the link leads to. In some cases, instead of a pop-out, you’ll see the address displayed in the bottom right corner of your browser. Do not click the link until you’re sure it’s safe.
When you see the link displayed, it could look very similar to a legitimate web address. It may only be off by a few letters. For example, instead of a .com address, you might see .co, .biz, or even an extension for another country, like .cz, .pl or .ru. Everything else in the email could look real. There may not be a single misspelling, and the email might even be personalized to you, but if there are links to click through, take a couple of seconds to look at the link address. You can prevent a phishing attack.
Even if a web address looks legitimate when you hover over it, if you have any doubt, do not click the link. Instead, open a new browser window and type in the main web address of the company that supposedly sent the email. Once you’re on their website, you should be able to tell pretty quickly whether the email was legitimate or not. If you’re still in doubt, you can always call the company.
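As an added example (not code from the original article), the following Python script automates the hover check described above: it pulls every link out of a constructed HTML email, compares each link’s visible text with its real target, and flags domains that use a swapped extension or are only a few letters away from the expected company domain. The sample message, the TRUSTED_DOMAINS allow-list and the 0.8 similarity threshold are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from difflib import SequenceMatcher

# Constructed sample email: one display/target mismatch, one genuine link, two lookalikes.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://example.co/login">https://www.example.com/login</a>
<a href="https://www.example.com/help">Help center</a>
<a href="https://example-secure.ru/verify">Verify now</a>
<a href="https://examp1e.com/reset">Reset password</a>"""

# Domains the recipient genuinely expects mail from (hypothetical allow-list).
TRUSTED_DOMAINS = {"example.com"}

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url):
    """Last two host labels, e.g. 'example.co' (simplification: no public-suffix list)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def classify_link(href, text):
    """Verdict for one link, in priority order: ok, mismatch, lookalike, unknown."""
    dom = registrable_domain(href)
    if dom in TRUSTED_DOMAINS:
        return "ok"
    # Visible text that is itself a URL but points elsewhere than the real target.
    if text.startswith("http") and registrable_domain(text) != dom:
        return "mismatch"
    for trusted in TRUSTED_DOMAINS:
        name, label = trusted.split(".")[0], dom.split(".")[0]
        # Same company name with a swapped extension or extra words (example.co, example-secure.ru),
        # or a domain that differs from the trusted one by only a few characters (examp1e.com).
        if name in label or SequenceMatcher(None, dom, trusted).ratio() > 0.8:
            return "lookalike"
    return "unknown"

def scan_email(html):
    """Return [(href, verdict), ...] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text)) for href, text in parser.links]
```

Anything other than "ok" is a reason to stop and verify through a freshly typed address or a phone call, exactly as the manual procedure recommends.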
Never Download a File You’re Not Expecting
The other half of preventing phishing attacks is to recognize that downloading files is dangerous business. Threat actors use downloads to deliver a virus, worm, or other malware. And since those criminals may have hacked someone that you know, it’s not wise to trust any file you aren’t expecting.
As a general rule, don’t download anything you don’t know is coming. It’s tempting because the email will come from someone you know, and it will probably have a subject line designed to prompt action, such as: Look at this now! or You have to see this right away!
The subject line is crafted to get an emotional response and to create urgency so you’ll download the file without thinking. Don’t do it. If there is any doubt, contact the person who sent the email and ask them about it. But don’t reply to the email with the attachment. Instead, create a new email or, even better, give the sender a call.
Education Is the Best Prevention
Phishing attacks are so successful because it’s difficult to defend against them. They leverage the one weakness that no program can be designed to monitor: humans. Phishing attacks play on human emotions, and they work. The best way to prevent the damage caused by a phishing attack is to train every employee on the dangers of phishing and on how to recognize a phishing email.
It also helps to have security policies in place that you can share with your employees. Develop policies around downloading files, clicking links, creating passwords, and sharing information with people outside the company. Then take the time to implement training programs that educate your employees on the threats, risks, and methods of prevention for phishing and other cybersecurity attacks.
Finally, realize that training is not a one-and-done situation. You must retrain employees frequently to expand and refresh their knowledge. A regular training program also ensures new employees are included in the education and reduces the likelihood that they will fall for a phishing attack.