How can I protect myself from phishing? Tips and best practices
How can I protect myself effectively against phishing?
Because this type of attack can have serious consequences for companies, such as the leakage of sensitive data, every organization needs to do its utmost to protect itself.
Dedicated software exists for this purpose, but as we shall see, the human factor, and therefore awareness, remains the best defence against these attacks.
That's why you need to redouble your vigilance, ask yourself the right questions when you receive an e-mail, and adopt good practices.
Let's take a closer look.
What is phishing?
Definition of phishing
Phishing is one of the most common computer attacks. In French, the technique is also called "hameçonnage" or "filoutage".
What exactly does it involve?
The attacker impersonates an identity, such as a public body or a major corporation, and sends an e-mail in that name in order to get the recipient to perform a specific action.
To fool the recipient more convincingly, the fraudster passes himself off as a trusted sender (by reusing that sender's logos and graphics, for example). The victim is thereby encouraged to:
- click on a link to a fake site that mirrors the official one;
- download an attachment;
- reply directly to the e-mail, etc.
Through these actions, the hacker's objectives are manifold:
- obtain personal data, such as bank details or passwords;
- extort money;
- introduce malware into the e-mail recipient's system.
☝️ This fraud technique is undoubtedly one of the most widespread on the web, as it requires little skill on the part of the cybercriminal. All they have to do is collect data on their future victims (an operation made easier by the growing amount of personal information available on the Internet, social networks, etc.) and then send them a simple e-mail.
What's more, the success of the scam relies heavily on users' lack of vigilance, which, as we shall see, remains the weak point in cybersecurity for organizations.
Impact on companies
Half of all French companies have fallen victim to phishing attacks in the last two years.
Phishing, like all cyberattacks, is on the increase. It can affect any type of company, whatever its size or sector of activity.
At the same time, phishing attempts are becoming increasingly targeted. Indeed, some hackers now take the time to research their future victims, with the aim of sending the most credible message possible.
The main consequences for organizations are:
- infiltration of computer networks;
- leakage of sensitive data, such as customer files, patents and banking information;
- identity theft, etc.
The repercussions of phishing can be disastrous, both financially and in terms of corporate image.
How can you avoid phishing?
Raise awareness and train employees
In 80% of cases, it is the action of a user on his or her workstation, often carried out unintentionally, that is at the root of cyber attacks.
Prevention remains the best way to protect yourself effectively against phishing, because a phishing attempt is often detectable. However, as we become increasingly inundated with information, we sometimes lose sight of certain details.
That's why companies need to get to grips with this issue and communicate actively with their employees, for example by organizing training sessions.
💡 Some organizations go further and test their employees: by sending out simulated phishing e-mails, they identify who "takes the bait" and can follow up with targeted awareness-raising.
Ask yourself the right questions when you receive an e-mail
By asking yourself the right questions and staying attentive whenever you receive an e-mail, you increase your chances of spotting a phishing attempt.
Here are the main points to watch out for:
- The sender: do I know this sender? Have I been contacted by them before? Look at the actual address, not just the display name, which the sender chooses freely.
- The e-mail address: a suspicious address, or one that doesn't look like it belongs to the organization it claims to represent (a public webmail domain, or a lookalike spelling of the real domain), is a strong warning sign. If in doubt, search for the address online; if it is fraudulent, it may already have been reported.
- The nature of the e-mail:
- Is the subject, or the file the e-mail refers to, something I actually expect?
- Does the tone of the text seem appropriate? In general, be wary of e-mails that try to worry you, rush you or put you in an emergency situation.
- Am I being asked for personal information? A bank, for example, will never ask you to send credentials or card details by e-mail or via a link in an e-mail.
- Content quality : does the content seem to conform to what a sender of this type can send? In other words, look out for spelling mistakes, typos and other inappropriate wording, which are legion in this type of e-mail.
- Links and attachments:
- Check that the URL a link really points to is correct, with no spelling mistakes: hover over the link to see the actual target, and check the domain name just before the first "/" (a lookalike spelling, or the genuine name placed in front of some other domain, both lead somewhere else). Rather than clicking, type the address you know into your browser's address bar yourself.
- Also beware of short links, as they don't let you predict where you'll land. 💡 Tip: to check which page a short link leads to, use an online tool such as Unshorten.It!
- Ask yourself whether the attachment is suspicious. Does its name or type differ from what the message announces (an "invoice" that is in fact an executable, or a double extension such as .pdf.exe)? In short, always think twice before clicking on anything in an e-mail.
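As an added example (not code from the original article), the checks above can be turned into a small triage script for a raw e-mail: it compares the From and Reply-To domains, flags a sender or link domain that is a lookalike of a domain you expect, flags URL shorteners, a link whose visible text names a different domain than its real target, the expected domain placed in front of some other domain, and attachments with executable or double extensions. The expected-domain list, the shortener list, the confusable-character table and the sample message are all constructed assumptions for the demonstration; the anchor extraction is a simple regular expression, not a full HTML parser.

```python
"""Heuristic e-mail triage, added example (not from the page): flags the warning
signs listed above. Domains, shortener list and sample mail are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"example-bank.com"}  # assumed: the domains you really deal with
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full HTML parser
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.[a-z0-9]{1,4}$")

def registrable(host):
    """Crude 'last two labels' stand-in for the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def lookalike(host):
    """An expected domain spelled with confusable characters or a one-character typo."""
    reg = registrable(host)
    if reg in EXPECTED_DOMAINS:
        return False
    norm = reg
    for bad, good in CONFUSABLES.items():
        norm = norm.replace(bad, good)
    return any(norm == e or within_one_edit(reg, e) for e in EXPECTED_DOMAINS)

def addr_domain(value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return (code, detail) findings for a raw RFC 5322 message; [] means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender, reply = addr_domain(msg.get("From")), addr_domain(msg.get("Reply-To"))
    if reply and reply != sender:  # your reply would silently go somewhere else
        findings.append(("reply-to-mismatch", f"{sender} -> {reply}"))
    if lookalike(sender):
        findings.append(("lookalike-sender", sender))
    html = msg.get_body(preferencelist=("html",))
    for href, inner in ANCHOR_RE.findall(html.get_content() if html else ""):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip().lower()  # visible link text
        if registrable(host) in SHORTENERS:  # destination cannot be predicted
            findings.append(("shortener", href))
        if lookalike(host):
            findings.append(("lookalike-link", href))
        if registrable(host) not in EXPECTED_DOMAINS and any(host.startswith(e + ".") for e in EXPECTED_DOMAINS):
            findings.append(("expected-domain-as-subdomain", href))
        shown = DOMAIN_RE.search(text)  # the domain the link *claims* to go to
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("link-text-mismatch", f"shows {shown.group(1)}, goes to {host}"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name[name.rfind("."):] in RISKY_EXT or DOUBLE_EXT_RE.search(name):
            findings.append(("risky-attachment", name))
    return findings

# Constructed sample: every address, domain and link below is made up.
SAMPLE = b"""From: "Example Bank" <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://bit.ly/xyz">example-bank.com/secure</a>
<a href="https://example-bank.com.login-check.example.net/">https://example-bank.com/</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

AAAA
--b1--
"""

def triage_sample():
    return triage(SAMPLE)

if __name__ == "__main__":
    for code, detail in triage_sample():
        print(f"{code:30} {detail}")
```

Run it and it prints the findings for the constructed sample; pass the bytes of a saved .eml file to `triage()` to check a real message. The heuristics are deliberately strict (a one-character difference from an expected domain is flagged), which is the right default for a triage step: a false positive costs a second look, a miss costs an incident.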
Adopt good cyber security practices
Here are a few tips on how to combine cybersecurity and business e-mail management:
- Never send sensitive data by e-mail, as no organization or company worth its salt will ask you to. The same applies to requests for money (e.g. a bogus request to pay shipping costs).
- If in doubt, check the information directly on the sender's secure website or any other official channel .
- Beware of overly tempting offers (lottery winnings, gifts, etc.).
- Check the security of the sites you visit. A "https://" prefix and a lock icon in the address bar show that the connection is encrypted, but not that the site is genuine: phishing sites routinely obtain valid certificates too, so always check the domain name itself.
- If you haven't already done so, activate the anti-phishing protections available in the various browsers.
- Use your work e-mail only for work, and your personal e-mail only for personal matters.
- Avoid using a public Wi-Fi network for your business operations.
- Finally, delete any phishing e-mails that reach your inbox, and do not forward them to colleagues (only to the IT department, so that it can take action).
Use phishing protection tools
While appropriate human behavior provides the best protection against phishing, the use of certain software and tools is also beneficial.
- 🛠️ Anti-phishing software. Mailinblack, for example, offers Mailinblack Protect, which detects fraudulent e-mails and protects you from them. The same vendor offers Phishing Coach, an educational tool that helps companies identify risky employee behaviour and run awareness-raising actions with their teams.
- 🛠️ Antivirus. A reliable, up-to-date antivirus limits the damage from the malicious actions that follow a successful phishing attempt (if you have inadvertently opened a fraudulent attachment, for example).
- 🛠️ Password managers. Use a unique password for each account, so that a credential stolen in one phishing attempt cannot be reused elsewhere. Since nobody can remember them all, use a reputable password manager. A manager that fills in credentials only on the exact site they were saved for will also refuse to fill them on a lookalike domain, which is a useful extra warning.
Report phishing attempts
Finally, we advise you to report any phishing attempts:
- in your mail client, using the "junk" or "report phishing" button. This trains the filter and helps protect you from future attempts;
- on Signal Spam and/or internet-signalement.gouv.fr . In this way, you help the authorities to take action and contribute to making the Internet a safer place.
☝️ In the workplace, contact your IT department so that it can react quickly to prevent other, less experienced employees from taking the bait.
What if you've been phished?
Have you realized too late that you've been phished? Here are a few things you can do quickly:
- Report the fraud to your company's IT department as soon as possible ;
- Change your passwords, starting with the one you entered and any account that reuses it, so that the attacker cannot log in with the credentials obtained;
- Contact the relevant organizations . If, for example, you have revealed your bank details , contact your bank immediately;
- File a complaint with the police.