The stonefish is named for its ability to camouflage itself among ocean floor debris. It is highly venomous, and its sting can be fatal to any human unfortunate enough to step on one. Recognizing and avoiding the stonefish is a swimmer’s best defense, but that is easier said than done.
Like the stonefish, the email phish (or simply “phish”) is a master of disguise, lurking in inboxes and waiting for users to step on it. Its venom is kept in links and attachments, and one click delivers a sting of malware to the user’s computer. Recognizing and avoiding the email phish is a user’s best defense, but that, too, is easier said than done.
Fish/phish analogy aside, Trevor Buxton, a fraud awareness and communications manager and Certified Fraud Examiner with PNC Bank, offers safety tips to help individuals and small businesses recognize and avoid phishing attacks.
Phishing attacks are designed to resemble legitimate email correspondence and rely on a user’s inability to spot them in order to succeed. Email containing certain red flags should alert users to a possible phishing attack:
Email address spoofing is another common phishing tactic. A user may not notice that a sender address has changed from “@homelender.com” to “@home1ender.com” (the letter “l” replaced by the digit “1”) and may click links and open attachments that introduce malware.
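One defender-side check for the lookalike-domain trick just described, as an added example that is not from the article or from PNC: it folds common character substitutions (the digit 1 for l, rn for m) back to letters and compares the sender domain against a hypothetical allowlist of trusted domains, flagging near misses rather than only exact spoofs.

```python
"""Flag sender domains that mimic a trusted one, as in the
home1ender.com example.  Added illustration; TRUSTED_DOMAINS and the
sample headers are constructed, not taken from any real mail."""
from email.utils import parseaddr

# Digits commonly swapped in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b"})
# Hypothetical allowlist: the domains this user or business really deals with.
TRUSTED_DOMAINS = {"homelender.com"}


def normalize(domain: str) -> str:
    """Lower-case a domain and fold lookalike characters back to letters."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a single dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"              # no usable address at all
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"              # exact match only; no fuzzy pass here
    for good in trusted:
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= 1:
            return "lookalike"        # visually close but not the real domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers for demonstration.
    for hdr in ['"Loan Desk" <alerts@homelender.com>',
                '"Loan Desk" <alerts@home1ender.com>',
                '"Loan Desk" <alerts@hornelender.com>',
                "news@example.org"]:
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A mail filter would typically quarantine or label "lookalike" results for review rather than reject them outright, since a legitimately misspelled partner domain is also possible.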
Small businesses face the added threat of phishing attacks designed to mimic vendors, couriers, suppliers, clients, colleagues and the like. Employees should verify that email that appears to come from these third parties is legitimate before acting on it.
Such business relationships can also serve as backdoor routes for phishers to infiltrate the business that is their real objective. Example: The Target data breach of 2013 started with a phishing attack against one of its third-party refrigeration contractors.
Understanding the cybersecurity policies and procedures of third parties will help small businesses decide which of their vendors are taking security seriously.
Business Email Compromise (“BEC”) is another threat affecting businesses of all sizes. Thieves use BEC to dupe employees into transferring money, releasing HR and payroll data, or exposing trade secrets and intellectual property.
BEC can be carried out by spoofing an employee’s email address or by gaining control of an employee’s legitimate email account. BEC messages often appear to come from C-level managers or other positions of authority within the business, lending apparent authority to the unauthorized request.
Fortunately, there are things which can help individuals and small businesses detect and avoid a phish:
Upon spotting a phish, delete it. Do not click any links or open any attachments. Do not forward it to friends and colleagues.
If compelled to forward a phish, forward it to the FBI’s Internet Crime Complaint Center (IC3).
For more helpful tips on cybersecurity, visit the Federal Trade Commission website.