Phishing attempts to steal sensitive information via email, websites, text messages, and other forms of electronic communication by pretending to be official communications from legitimate individuals or companies.
Cybercriminals use phishing to steal passwords, usernames, credit card details, bank account information, and other credentials. They can use the stolen information to hijack accounts, steal money from credit cards and bank accounts, or commit identity theft. The information may also be sold on underground cybercriminal markets.
Social engineering attacks exploit lapses in a user’s decision-making, and phishing emails are crafted to look legitimate. Never send sensitive or personal information via email, unknown websites, or over the phone.
Learn how to spot a phishing scam
Awareness and education are the best defense. Do not open unsolicited email attachments or links, even when they appear to come from a trusted source. Be especially cautious with attachments from unknown senders, and verify a URL before opening it.
Enterprises should train employees to be cautious of any communication asking for financial or personal information, and instruct them to report suspected threats immediately to the company’s security operations team.
Some of the warning signs that a phishing attempt is under way:
- Links or URLs in the email do not point to the correct location, or point to a third-party site that is not associated with the sender. In the example below, the URL you will be taken to is not the one displayed.
- The message requests personal information, such as financial or banking details or social security numbers. Official communications generally do not request personal information via email.
- The sender’s email address is modified to resemble a legitimate address, with numbers added or letters changed.
- The message is unexpected. Treat an email as suspicious if it arrives unexpectedly from a company or person you do not usually deal with.
- You are asked to enable macros, adjust security settings, or install applications. Legitimate emails do not normally ask you to do this.
- The message contains typographic errors. Legitimate corporate messages are less likely to contain typos, grammatical mistakes, or incorrect information.
- The sender’s email address does not match the signature in the message. For example, an email claims to be from Mary of Contoso Corp, but the sender address is firstname.lastname@example.org.
- Multiple recipients that appear to be random addresses are listed in the “To” field. Corporate messages are normally sent directly to the intended recipients.
- The greeting does not address you personally. Besides messages that address a different person altogether, suspicious greetings include those that misuse your name or take it directly from your email address.
- The website looks familiar, but something is off. Warning signs include typos, outdated logos, and requests for additional information that a legitimate sign-in page would not ask for.
- The page that opens is not a live page but an image that mimics a site you are familiar with, and a pop-up asks for your credentials.
Contact the business via known channels if you are unsure.
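As an added illustration (not part of the original article), the following Python script checks an email for three of the warning signs listed above: a sender domain that resembles the legitimate one with digits swapped in for letters, a link whose visible text names one host while its href goes to another, and an unusually long list of recipients. The sample message and the domains in it are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) that shows three of the
# warning signs above: a lookalike sender domain, a link whose visible text
# names one host while its href goes elsewhere, and many unrelated recipients.
SAMPLE = """\
From: Mary <mary@cont0so-corp.example>
To: a@example.org, b@example.org, c@example.org, d@example.org, e@example.org
Subject: Verify your account
Content-Type: text/html

<p>Please sign in at <a href="http://login.example.net/verify">https://www.contoso.example/login</a></p>
<p>Regards, Mary, Contoso Corp</p>
"""

DIGIT_SWAPS = str.maketrans("0135", "oles")  # digits commonly swapped in for letters
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.S)  # simplified HTML

def phishing_indicators(raw, legit_domain, max_recipients=3):
    """Return the warning signs from the list above that this message triggers."""
    msg = message_from_string(raw)
    hits = []

    # Sender address resembles the legitimate domain but with letters changed
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    legit_name = legit_domain.split(".")[0]
    if sender_domain != legit_domain and legit_name in sender_domain.translate(DIGIT_SWAPS):
        hits.append(f"lookalike sender domain: {sender_domain}")

    # Visible link text shows one host, but the href points to another
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in LINK_RE.findall(body):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and shown != real:
            hits.append(f"link text shows {shown} but goes to {real}")

    # Many apparently random recipients in the To field
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    if len(recipients) > max_recipients:
        hits.append(f"{len(recipients)} recipients in To")
    return hits

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE, "contoso.example"):
        print("WARNING:", hit)
```

Such checks are heuristics: they catch the obvious cases described above and complement, rather than replace, the mail filtering products mentioned below.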
Software solutions for businesses
- Windows Defender Application Guard for Microsoft Edge protects against targeted attacks by using Microsoft’s Hyper-V virtualization technology: a site that is not trusted is opened inside a Hyper-V container that has no access to enterprise data.
- Microsoft Exchange Online Protection (EOP) provides enterprise-class reliability, protection against malware and spam, and continued email access during and after emergencies. EOP applies multiple layers of spam filtering to strengthen your protection.
- To help protect files and email from malware, use Microsoft Defender. It protects Microsoft Teams, Word, Excel, PowerPoint, and Visio as well as OneDrive for Business, and improves protection against malicious links and unsafe attachments.
What to do if you have been phished
If you believe you have been the victim of a phishing attack:
- If you are on a work computer, contact your IT administrator.
- Change all passwords immediately.
- Notify your bank or credit card company if you suspect fraud.
- Outlook.com – If you receive a suspicious email asking for personal information, select the message in your inbox, then select the arrow next to Junk and choose Phishing.
- Microsoft Office Outlook – With the suspicious message open, choose Report message and then select Phishing.
- Microsoft – Create a blank email message and send it to one of these recipients:
- Junk: email@example.com
- Phishing: firstname.lastname@example.org
Drag and drop the junk or phishing message into the new message; it will be attached to the new message. Do not copy and paste the content of the message, because the original message is needed to inspect its headers. For more information, see Send spam, non-spam and phishing messages to Microsoft for analysis.
- Anti-Phishing Working Group: email@example.com. The group uses reports generated from these emails to fight phishing scams, hackers, and other forms of cybercrime. Its members include ISPs, security vendors, financial institutions, and law enforcement agencies.
If you are on a suspicious site
- Microsoft Edge – While on the suspicious site, select the More icon, then Help and Feedback, then Report Unsafe Site. Follow the instructions on the page that opens to report the site.
- Internet Explorer – While on the suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the page that opens to report the site.