Don’t Get Hooked: Protect Yourself from Phishing and Phone Scams
Fraud attacks are on the rise, and with the rapid evolution of artificial intelligence (AI), this threat becomes harder to detect and easier to scale. An APWG study found that phishing attacks reached a new record in Q3 2022, with a 488% increase in business email-based attacks. And according to Verizon, 74% of attacks involved social engineering, human error, or misuse.
But as scammers become smarter and use calculated strategies to manipulate your team into divulging sensitive data, it’s possible to add safeguards to your process. Fraudsters carefully target their victims, often by impersonating companies, trusted vendors, and even internal executives.
To protect your organization, it’s vital to understand how these fraudulent activities work and to use solutions that safeguard you against potential theft and loss.
What is phishing?
First, let’s review what we mean by phishing. A phishing scam is a practice of sending emails or another form of communication while impersonating real companies or individuals with the intent of extracting sensitive data. Scammers often look for login credentials, credit card numbers, bank account numbers, names, addresses, and similar information. As a result, phishing is considered a form of social engineering, which is a set of techniques that manipulate targets into behaving a certain way.
It’s common for fraudsters to use email to access this information. However, phone phishing attempts are on the rise. In this case, fraudsters can use AI to mimic the voice of people you know—your boss, coworker, contractor, or customer.
A phishing attempt is possible on any communication channel.
So how do you protect yourself and your company?
When in doubt, think before you react & ask yourself…
When possible, ask yourself a series of questions before answering any email, phone call, or other suspicious message asking for an immediate response. These questions can help anyone reduce the likelihood of human error and make it easier to ignore social engineering threats.
Before answering that phone call or email, ask yourself:
- Is this too good to be true?
- Are you being pressured into making a quick decision/taking action by creating a sense of urgency?
- Is this a legitimate and safe hyperlink?
- Do I know who sent me this attachment? Was I expecting this attachment?
- Am I confident I know who this is from, and are they a part of my safe senders list?
- Is this a normal request from this organization or an individual?
- Is there a way for me to verify this request?
It can be useful to provide these questions in an employee handbook or as a checklist for your team members.
However, there are additional steps you can take to protect yourself from phishing scams.
What can I do to stay safe?
Part of the reason that phishing scams are so prevalent and successful is that they use technology and business norms to trick people.
For example, fraudsters like to catch you by surprise. When an individual reacts spontaneously, it’s easier to interrupt the regular security process. To do this, scammers will attempt to gain trust by name-dropping coworkers, pretending to work with company executives, or claiming to be known vendors. They may act like they know some account data and that this request is part of a new process. Usually, the tone of the call is urgent and is meant to prevent you from verifying the situation.
But, there are often physical and verbal cues to let you know something may be wrong. You may notice fake numbers on the telephone display. In the case of an email, the sender’s email address has a spelling error, uses a general Gmail domain, or uses a strange variation of your organization’s address (email@example.com vs. firstname.lastname@example.org).
A common tactic scammers use is to say they have the wrong number on file for a coworker or manager, and they ask to be connected to the right person.
Despite these signs, it can be difficult to determine whether or not the call or email was genuine. To balance work etiquette and security, approach each suspicious message with the following tips in mind:
- Ensure your systems are up-to-date and compliant, such as adhering to PCI-compliance standards
- Be friendly but firm
- Don’t give into urgency or pressure—there is always time to verify details
- Instead, offer to return the call once you can confirm
- Never provide important information like account data, colleagues availability, or contact information for coworkers or customers
- Always inform your manager or security officer of suspicious activity
- Regularly update personal and work apps and operating systems
- Be cautious when using public hotspots
- Never save confidential data
- Always use passcodes, and preferably use two-factor authentication to increase security
- Don’t discuss confidential matters or confidential figures, passwords, etc.
- Don’t leave unsecured Bluetooth or Wi-Fi networks active when not needing them
- Verify unknown numbers and emails before responding
- Ensure apps downloaded come from a trustworthy source (some apps provide access to private data without your knowledge, like your location, contact list, camera or microphone, etc.)
- Automate processes whenever possible to reduce the potential for human error and social engineering
Reduce the potential for fraud
There’s no doubt that AI and modern technology have made it easier for scammers to deceive consumers and businesses alike. Today, these fraudsters can almost seamlessly mimic official websites, email addresses, and executives.
But a business must conduct due diligence regularly to protect itself and its customers. While this can be a cumbersome process when performing these checks and balances in-house, even industries that have internal team requirements take care to work with reputable and secure vendors.
One of the most vulnerable areas for any business is its payment process. Payment workflows handle sensitive customer data, and manual steps increase opportunities for scammers to penetrate your defenses.
Fortis is at the forefront of secure payment technology. With our award-winning APIs and embedded payment solutions, our platform enables businesses to take full control of the process without taking on additional liabilities.