Don’t fall hook, line, and sinker: how to identify and protect against phishing
In the world of commercial real estate, much of our business involves legal contracts and agreements between tenants and landlords, and buyers and sellers. In recent years, commercial real estate has become increasingly digital in how it manages its transactions and confidential information. With that in mind, steps must be taken to protect all parties involved. We rely on enterprise solutions for email encryption, threat protection and email archiving. We need these solutions to be productive, while keeping security and compliance at the forefront of everything we do. However, phishing impersonators have become very savvy and continue to threaten many businesses and individuals. Some of the most ubiquitous impersonators and repeat offenders include:
- U.S. Department of Treasury I
- Google Password Manager
- Title Assurance Companies
- Accounting/Financial firms
- DocuSign
These phishing operations are more sophisticated than ever, and their cleverness can easily fool recipients. Beware and protect yourself from falling hook, line, and sinker. Fortunately, there are ways in which you can identify a phishing scam, and we’ll detail the steps that can help.
If something smells “phishy,” most of the time it is, unfortunately. As a rule, when in doubt proceed with caution before acting on requests for information, and always practice due diligence.
The objective of phishing attacks is to steal your identity, or that of a business, which in turn gives the attacker what they need to steal your money or compromise your business’s financial assets. The email attempts to coerce you into revealing passwords, credit card numbers and banking information, but it is presented in such a way that it makes the user believe it is legitimate.
Sadly, cybercrimes are a growing trend because of how we now live online and how effective they are. Phishing operations are successful in not only using email, texting and direct messaging via social media platforms, but also through video gaming. When it comes to cyber security, you can never be too careful. In the case of phishing, offense is the best defense. Invest in your business’s IT security, educate employees and make sure everyone in the company understands the importance of weeding out suspicious inquiries that are often scams.
Here are 5 ways to identify a phishing email:
- Spelling mistakes and bad grammar: If you receive an email from the Dept. of Treasury with apparent spelling mistakes and grammatical errors, suffice it to say it’s a scam. Emails with such errors are often the result of bad translations from a foreign language. Oftentimes, the errors are intentional, to try and dodge filters that scan for such attacks.
- Threatening language with an urgent call to action: Emails that press the recipient to act urgently or click a link immediately are using a trick of the trade when it comes to phishing attacks. The aim is to establish a false sense of urgency and catch the recipient off-guard before they can exercise due diligence and consult with a trusted partner.
- Messages from an external party, a first-time sender or one identified as an infrequent sender: In business, it’s not uncommon to receive a meeting request with a link from a user outside of the organization. However, be cautious with your approach and examine the details carefully. When in doubt, kick it over to IT and have them take a more in-depth look.
- Suspicious email domains: Emails that claim to be from reputable organizations but come from an email domain like Yahoo are typically a red flag. Also look out for clever misspellings of genuine domain names; replacing the letter O with a 0 is one of the most common.
- Links and attachments: For example, if you receive an email from a Title Company containing a link with wire transfer instructions, call the escrow officer managing your transaction specifically to verify the information before clicking any link or sending funds. Fraud in this area is increasingly on the rise and we have heard firsthand accounts of the fallout it can cause.
- Click reply: This allows you to see who actually sent the email. Usually it is an email address that has nothing to do with the request.
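The "Suspicious email domains" and "Click reply" checks above can also be run automatically by an IT team over a message's headers. The following Python sketch is an added example, not part of the original article: the trusted-domain list, the warning codes and the sample messages are all constructed assumptions, and only Yahoo among the webmail domains comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains you really do business with (constructed names).
TRUSTED = {"escrow-title.example", "docusign.example"}
# Free webmail providers; the article names Yahoo, the others are added here.
FREEMAIL = {"yahoo.com", "gmail.com", "outlook.com"}
# Digit-for-letter swaps, e.g. 0 standing in for O.
SWAPS = str.maketrans("0135", "oles")


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def squash(text):
    """Keep only letters and digits so 'Escrow Title' matches 'escrow-title'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_sender(raw_message):
    """Return warning codes for one raw message's From / Reply-To headers."""
    msg = message_from_string(raw_message)
    display = squash(parseaddr(msg.get("From", ""))[0])
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    brands = {squash(d.split(".")[0]) for d in TRUSTED}
    warnings = []
    if from_dom not in TRUSTED and from_dom.translate(SWAPS) in TRUSTED:
        warnings.append("lookalike-domain")      # e.g. 0 in place of O
    if from_dom in FREEMAIL and any(b in display for b in brands):
        warnings.append("brand-on-freemail")     # known name, webmail address
    if reply_dom and reply_dom != from_dom:
        warnings.append("reply-to-mismatch")     # replies go somewhere else
    return warnings


# Constructed sample messages (not real mail).
LOOKALIKE = ("From: Escrow Title <wire@escr0w-title.example>\n"
             "Reply-To: closing.desk@yahoo.com\n"
             "Subject: Updated wire instructions\n\nPlease act today.\n")
FREEMAIL_BRAND = ('From: "DocuSign Service" <docs.notice@yahoo.com>\n'
                  "Subject: Document ready\n\nReview and sign.\n")
CLEAN = ("From: Escrow Title <wire@escrow-title.example>\n"
         "Subject: Closing schedule\n\nSee you Friday.\n")
```

A warning from this check is a reason to verify by phone or hand the message to IT, not proof of fraud; a legitimate sender can use a different Reply-To address.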
If you do fall victim to a phishing attack, there are actions to help minimize the damage. First, if you recognize an email to be a scam, delete it immediately and flag it internally with your staff (and alert your IT department if you have one) to make sure the company and its employees are not compromised. If it is too late and you have been effectively phished, here are the next steps you should take:
- Make note of everything you can remember about the email, such as whether you provided password information or anything directly linked to your personal identity.
- Change the passwords for your devices, email and all affected accounts immediately! Remember to create a unique password for each and every one.
- Use apps such as Google Authenticator and confirm that you have multifactor authentication switched on for all accounts.
- If it compromises your business or personal accounts, you should reach out to your bank and credit card companies to notify them of potential fraud.
- If you believe your identity was stolen, contact local law enforcement and explain the situation.
Today, many think they can outsmart scammers by relying on security tools and features, but the reality is that an estimated 3.4 billion phishing emails are sent every day. In the busy world of business, we can get so wrapped up in the next deal or meeting that such emails can easily slip through the cracks (or inbox). The next time you receive a suspect email inquiry, proceed cautiously. Read and check for spelling mistakes and phony domain names. Doing so may just keep you and your business from taking the bait.