author photo
By Scott Schober
Tue | Jan 10, 2017 | 11:04 AM PST

Phishing attacks cost companies $5 billion globally last year. According to the Wombat 2016 State of the Phish report, 85% of all organizations suffered phishing attacks last year, with no signs of slowing. So how can you avoid getting netted in 2017? I have your top six tips to stay safe. But first, a little more on phishing.

Do people actually open phishing emails? I am asked this question at least once a day, and unfortunately the answer is always YES. According to Verizon’s 2016 DBIR report, 30% of all phishing emails are opened by their targets. That’s a really respectable rate that rivals legitimate mailing lists! So we know that phishing attacks work exceptionally well. Why do they work so well?

Commercial phishing operations

Forget about the idea of a lone fisherman baiting the hook and waiting for a nibble. Phishing operations work much more like large scale fishing operations on the ocean. Huge nets are cast out and hauled hundreds of miles to catch thousands of fish, crabs, debris, etc. In the case of phishing attacks, hackers do not need to be as effective because of the relatively cheap and automated nature of mass emailing. They only need several thousand targets to open, a few hundred to click, and finally a few dozen to enter a password or some other private information. That is enough to pay for the entire expedition with profit to spare once their credentials are harvested or sold on the Dark Web.

In addition to the sale of stolen social security numbers, credit card data, and passwords, inexpensive toolkits can also be found for sale all over the Dark Web. These toolkits create credible emails with brands and logos that will fool unsuspecting users to open and click on attachments and links. With advancements like this, it is no surprise that in Q1 2016 saw a 250% surge in phishing attacks per APW Phishing Activity Trends report. A 2016 Cloudmark survey revealed that spear phishing (highly targeted phishing attacks) are the top security concern for enterprises cost an average of $1.6 million in damages.

It might sound like I’m talking about spam probably because phishing and spam share are closely related. They have different goals and criminals behind them but there is also a lot of overlap too. All unsolicited email is spam but not all spam are phishing attacks. Some spam is junk but harmless email generated by bots and other spam is legitimate but still unwanted by the recipient. All spam works to lure people into opening and naively clicking on an attachment and has become the #1 delivery vehicle for malware. Globally, over 80,000 people click on attachments containing malware, viruses and ransomware everyday.

Look but don’t touch

Phishing attacks fall line with a “look but don’t touch” approach. You can look at that email to see if it seems phishy, but as soon as you click on anything, you are setting yourself up for all kinds of headaches. So if the best way to determine if an email is phishing for you, how can you tell?

I recommend hovering your mouse over the link embedded in the body of the email before clicking on it. Take a moment to see if the link address looks suspicious and if it does, do not click on it. Type the website address of the purported sender directly into your browser to get to your destination safely.

Hackers often have poor spelling and grammatical errors throughout the suspect email. A real company with a solid brand will carefully check for spelling and grammatical errors, unlike hackers who are lazy and typically not native English speakers or writers.

Businesses should never ask you for personal credentials through email. So if you receive an email asking for personal information such as your address, social security number, or anything else of a personal nature, stop and do not click.

If the email is addressed "Dear Valued Customer" or "Dear Consumer," stop right there. Any business that you have registered or corresponded with will use your personal salutation including your first and last name.

If you detect a sense of urgency in the email, take your time and be careful. For example, when you see the subject line claiming ‘your account has been suspended’ proceed with caution. When an email invokes a sense of urgency, it instills fear in recipients in an effort to make them click before thinking.

Hackers are getting better at using convincing familiar logos in an effort for you to let down your guard down and innocently click away. Just because you see a familiar logo does not mean you should be at ease the same way you would if you were in their retail store or on their website.

We might all be swimming around this ocean known as the Internet but that doesn’t mean we have to get caught up in phishing scams. Arming yourself with a little knowledge about email phishing scams can help you think before you click.

Want to learn even more about phishing? Check out SecureWorld's recent web conference, State of the Phish 2018.