If you’ve watched the popular series Chernobyl, you might recognize the rhyming Russian phrase: “Doveryai, no proveryai.” Or perhaps you know it better in English: “Trust, but verify.”
We place a lot of trust in our online interactions. Every time you click a link in an email or put your credit card into an app on your phone, you are trusting that the people on the other end of that transaction are using that information respectfully and responsibly. Unfortunately, not everyone is worthy of that trust, and this is where that “verify” part comes in.
Most online interactions are legitimate — simple exchanges of information that we do every day. However, about 75% of companies are affected by cybersecurity threats of some kind. These attacks can result in information theft, compromised technical systems and financial loss. Increasingly, most threats don’t come from programmed viruses or malware — they are the result of a practice known as phishing.
Phishing is a type of social engineering, using technology as the medium to influence and compromise its victims, with the goal of gaining access to personal or financial information. Usually a phishing attack looks like a legitimate email that we see in our Inboxes every day, with an urgent message to click a link or call a phone number to resolve an issue. While phishing can be quite convincing, there are often telltale signs you can look for to help you know when you might be subject to a phishing attack.
Signs of Phishyness
- Simple Mistakes
We all make mistakes, but phishing emails are often characterized by unusual spelling and grammar errors. Pay special attention to the URLs in links – even a single letter off can mean you’re getting led to an illegitimate destination.
For Example: A link to sanmar.com is legitimate, while a link to samnar.com is almost certainly an attempt at phishing. The differences can be subtle, and the most successful attempts are often difficult to detect.
- Abnormal Processes
Most established businesses have processes and procedures that they use for every interaction. If the email you’re looking at is asking for you to initiate a transaction in an unusual way, it might be a phishing attempt.
For Example: SanMar does not have a system for changing payment processing methods via email. If an email from us is asking you to change your payment method by clicking a link in the email, it is a likely phishing attempt.
- Out of Character
Most companies you work with have a certain voice and style you’re used to. If you receive an email that simply feels unexpected or wrong for that company, then you might be catching the distinct whiff of a phishing attempt.
For Example: A message from SanMar will always adhere to our founding principles of telling the truth and being nice. If a message you receive has an aggressive, dismissive or insulting tone, it’s a good bet it didn’t come from us.
In Case of Phishing
If you see any of the above red flags and suspect phishing:
- DO NOT click any links or call any phone numbers in the email
- DO NOT download any attachments
- DO NOT reply to the email directly
- DO contact a trusted source at the company separately to see if they know about the email
- DO contact an IT expert to determine if the email is legitimate
- DO delete the email immediately if you determine it is a phishing attempt
At the end of the day, it still comes down to “trust, but verify.” If something feels off, trust your gut. If something about an email you received smells fishy, take a closer look — it might just be phishy.