Lenovo’s Richard Rushing says phishing attacks are on the rise, but you can stop them.
The shift to working and learning from home since the start of the COVID-19 pandemic has come with a rapid rise in an old security problem: phishing.
Almost as old as email itself, phishing involves scammers sending emails that look like they’re from a credible source, such as your bank, part of the government, or even your own company. The goal is always to get you to reveal personal or sensitive information.
This year phishing attacks have soared, according to Richard Rushing, Chief Information Security Officer at Motorola.
“It’s going through the roof, up 200-300% depending on the industry,” Rushing said of the rise of phishing emails
And while it isn’t new, phishing has become far more sophisticated – and sinister – in recent years, Rushing said.
“Phishing is getting much more psychological in nature, really leveraging timely events to incentivize the human thought process to respond,” Rushing said. “They will use the latest news, such as claiming to provide information about new COVID cases in your neighborhood. Even more, the design can be very sophisticated, so that the email looks like it’s coming from a real news site.”
The reason phishing is on the rise is that it works. It’s easy for a hacker to send mass emails. More importantly, phishing remains common because there isn’t much that can system administrators such as Rushing can do from a technical side to solve the problem. In the end, it comes down to whether the fraudster can get someone to click on the email.
“It really involves around human interaction and tapping into people’s desire to be helpful,” Rushing said. “Just like if you have your arms full, I’ll hold the door for you. That same decent instinct often kicks in when you get a message asking you for help.”
That instinct to help kicks in more when the email comes from someone claiming to be connected to you or looks like an official email from your company or bank.
Greed is another emotion that fraudsters exploit. Early phishing examples include someone in a war-torn country claiming to have millions of dollars that he couldn’t get out of the country, unless perhaps you could provide your bank account information. Today, it’s more likely to be a $100 gift card if you just provide some “basic information.”
And fear laced with urgency is another phishing genre, asking you to contact someone immediately about problems with your credit card or impending penalties from the government.
“When we get a message where we need to do something NOW, we just burst into firefighter mode,” Rushing said. “These instincts are why we will always have phishing.”
And while losing money is one risk, phishing is also on the rise because hackers want to leverage employees working at home to try to get inside the network of corporations, government agencies, banks and other high value targets to steal an even bigger prize: confidential data.
So what can you do to fight this never-ending problem? Rushing has some tips.
Understand that this is a problem that isn’t going away and doesn’t have great technical solutions. By simply keeping that in mind, you’ve already taken a step to solving the problem.
Stay Alert of Suspicious Emails, Links or Attachments: “Typically these emails request immediate action and seem a bit unusual. If you haven’t seen an email like that, or a high ranking executive emails you for the first time ever, be suspicious. Hover over any links and carefully examine the address. If you haven’t heard of it, or it appears just a few letters off, don’t click until you are 100% sure it is okay.”
Report Suspicious Activities: “Always report suspicious activity because it helps keep the whole organization safe. Typically, such an attack isn’t at one person, usually 10-300 people getting at same time. By alerting IT, an incident can be scaled back to no incident at all. Even if you DID click on something you shouldn’t have, let your IT team know quickly.”
Use Common Sense – Trust your instincts: “This is really important in phishing. People have intuition that something is wrong. Maybe the way it’s worded, or you have a gut feeling of ‘why is this person asking me?’ Maybe it’s the grammar, or punctuation. If it seems wrong, check it out, and let IT know.”
Emails, Text, Instant Messages Requesting Login Credentials, Payment Information or Other Sensitive Information, NEVER give it to them. “Not just email, text, instant messages, phone calls — anything requesting information – just don’t give it out. There is never a reason for anyone to do that. Validate who they are, look up phone number and ask them. The IRS, TSA, they are not coming to get you that way. Bank of America won’t come and ask for your credentials or Social Security Number. Criminals are good and know how to take bits of information and convince you to give more information. They just need last little element, so don’t provide it.”
Don’t be intimidated; when in doubt, reach out. “I see so many cases where people suspect something but just give in anyway. Cybersecurity is overwhelming and it’s easy to fear that you’re dealing with a bunch of international criminals. Remember that you have the high ground. They need for you to give information and if you don’t, they’ve failed. It’s a blanket thing, if you don’t disclose, don’t click, don’t give information, you’ve won that battle. And if you’re not sure, reach out to cybersecurity team. No one is going to penalize you for not acting on something that looks suspicious.”
This blog post was originally written by Andrew Barron for Lenovo StoryHub.