Phishing attempts rose in Canada in 2021, and the attackers behind them are becoming savvier and more convincing as time passes.
While we have all received spam over the years, phishing is a sophisticated and targeted message that can easily fool even the savviest user. These messages can appear to come from known members of the organization, and details such as phone numbers, company logos or email signatures are included to make the message seem as legitimate as possible. The subject lines are often relevant, and the messages are pertinent.
Phishing messages mimic a message from a trusted person or brand in an attempt to steal sensitive information or gain a foothold inside a company network. While phishing emails are by far the most popular, these attacks can also be sent through text message, social media and by phone.
These messages often include a link or attachment that can install malware directly on your computer, open access to your company’s network, or create backdoor access so the network can be reinfected later.
While some phishing emails can be generic, companies across Canada experienced more targeted versions last year:
Spear-phishing: These messages are sent to specific targets within a company, such as an individual found through LinkedIn or a group highlighted on the company website. The goal of spear-phishing is to use publicly available information from websites and social media accounts to craft believable messages using the recipient’s personal or professional characteristics and interests.
Whaling email: These messages impersonate a C-level executive and use authority to convince high-profile individuals or senior executives at a company to provide sensitive information on a deadline.
These targeted messages have been more successful in Canada and have increased the number of phishing incidents at Canadian corporations. According to the Canadian Anti-Fraud Centre, Canadians lost $38 million in 2021 to phishing scams in which criminals claimed to be with the government or legitimate businesses.
As these messages become more personal and targeted, it’s important that all staff members know what phishing is and key things to look for. Something might be phishy if:
- The sender’s name, email address or phone number isn’t recognizable
- The domain name doesn’t follow your company’s standard brand guidelines
- The top-level domain is different; for example, the message comes from a .org or .ca email address instead of your company’s .com
- There are grammatical errors or typos in the message
- Sensitive or personal information is being requested either in the message or in a linked form
- Links take you outside the company website
- The sender makes an urgent request with a deadline
- The offer sounds too good to be true
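The checklist above can be turned into a simple mail-triage heuristic. The following is an added example, not code from the original article: it parses a constructed sample message and reports which indicators fire (lookalike top-level domain, display name that claims the brand, links leaving the company site, urgency, requests for sensitive information). The company domain, keyword lists and sample message are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical company domain: an assumption for this example, not from the article.
COMPANY_DOMAIN = "example.com"
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "deadline", "today")
SENSITIVE_WORDS = ("password", "pin", "passphrase", "banking details", "credit card")

def registered_name(host):
    """Label left of the top-level domain: 'mail.example.org' -> 'example'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def mentions(text, words):
    """Whole-word match so 'pin' does not fire on 'shipping'."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)

def score_message(raw):
    """Return the checklist indicators triggered by a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    company_name = registered_name(COMPANY_DOMAIN)
    hits = []
    if sender_host != COMPANY_DOMAIN:
        # Same name, different TLD (example.org for example.com) is the classic lookalike.
        hits.append("lookalike TLD" if registered_name(sender_host) == company_name
                    else "external sender")
    if company_name in display_name.lower() and sender_host != COMPANY_DOMAIN:
        hits.append("display name mismatch")  # claims the brand, sent from elsewhere
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            hits.append("external link")  # link leaves the company site
            break
    lower = body.lower()
    if mentions(lower, URGENCY_WORDS):
        hits.append("urgency")
    if mentions(lower, SENSITIVE_WORDS):
        hits.append("requests sensitive info")
    return hits

# Constructed sample message for demonstration; not a real email.
SAMPLE = """From: "Example Corp Payroll" <hr@example.org>
Subject: Action required: confirm your banking details today

Please confirm your password and banking details within 24 hours at
https://example-payroll.co/verify or your pay will be delayed.
"""
```

Calling `score_message(SAMPLE)` returns every indicator except "external sender", while a message from `it@example.com` linking only to `intranet.example.com` returns an empty list.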
No one’s perfect, and if you realize you’ve clicked a link or opened an attachment you shouldn’t have, take the following steps:
- Stop using your device
- Disable Wi-Fi or disconnect network cables so the device can’t communicate with the Internet
- Power off the device
- Contact your IT security department if you’re using a corporate device—they can disable accounts and other device features
- Change your password, passphrase or PIN using a different device
- Scan the device using anti-malware software if possible
- Restore network connections only when you believe you have a clean system
- Perform any available updates and security patches on your device
- Monitor your accounts regularly for suspicious activity
Phishing emails can steal sensitive data and damage a company’s reputation. But with the right knowledge, and a plan for what to do should something happen, protecting a company from these scammers doesn’t need to be difficult.