What’s phishing?

“Phishing” usually refers to a type of cyber attack carried out via email, web pages and messages. Criminals send a message that pretends to come from another department of the company, IT support, a well-known company such as Apple or Microsoft, or one of our business partners. Regardless of who they claim to be, all they want is to trick you into clicking their links or downloading their files.
What does phishing message look like?
It can be a simple plain-text email, a well-made web page, an attachment, a link within an attachment, and so on. The bottom line is that there is no set format for phishing, just as a criminal in real life doesn’t wear a tag that says ‘I am a criminal’.
What should I do?
Take a look at the sender’s email address
Our email addresses can’t be forged. When attackers try to mimic one of us, such as Support or HR, the email won’t come from our real email addresses.
To check the sender’s email address in the Outlook app, hover the cursor over the sender and wait for the contact card to show up. Make sure it matches who the sender claims to be.
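As an added illustration of the sender-address check above (example code, not part of the original page or AEP’s own tooling), this Python script reads a raw email and flags the case where the display name claims an internal sender such as IT Support but the actual address is outside our domain, or where replies would go somewhere other than the sender. The domain name and the two sample messages are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "aep.example"  # assumed placeholder, not the real company domain
# Words in a display name that make it look like one of our internal senders.
INTERNAL_ROLES = {"aep", "it", "support", "hr", "helpdesk"}


def check_sender(raw_message: bytes) -> dict:
    """Compare what the sender claims to be (display name) with where the
    mail actually comes from (address), the same check done by hand in Outlook."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    name_tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    claims_internal = bool(name_tokens & INTERNAL_ROLES)
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    reply_domain = reply_to.rpartition("@")[2].lower()
    reasons = []
    if claims_internal and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name {display_name!r} looks internal, address is {address!r}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"replies would go to {reply_to!r}, not to the sender")
    return {"display_name": display_name, "address": address,
            "claims_internal": claims_internal,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_SPOOF = b"""From: "AEP IT Support" <helpdesk@mail-notify.example>
To: someone@aep.example
Subject: Your password expires today

Click here to keep your password.
"""

SAMPLE_OK = b"""From: IT Service Notifications <it-notifications@aep.example>
To: someone@aep.example
Subject: Scheduled maintenance this weekend

No action is required.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_OK):
        result = check_sender(sample)
        print("SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```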
Don’t click links or attachments in suspicious emails
Until you can verify that an email is legitimate, skip the links and attachments. Dangerous URLs, often hidden behind friendly text such as “click here,” and attached documents may contain malware or ransomware, or lead to a fraudulent website set up by attackers.
Don’t be intimidated.
A common phishing tactic is to threaten a penalty, loss of service, or other consequences for not acting quickly. Slow down and read the message carefully. Could it be phishing?
Never, ever give up your username and password.
IT and all other legitimate organizations will never ask for your username or password, especially via email.
Always look for the AEP logo when logging in to Microsoft
Even when you can’t see the URL, you will always see the AEP logo in the left corner as soon as you have entered your work email address on the log-in page.
Get familiar with the email format we use internally
We use standard formats for AEP internal emails, such as IT service notifications and newsletters. Take a look at them and make sure you are familiar with the look and feel of these emails, the email addresses we use, the position of the logo, etc.
Why do we still fall for it?
It is psychological. Phishing attacks take advantage of human weaknesses and turn them against us.
New research on the psychology behind phishing reveals where some of our biases and weak points lie. By being aware of our mental tendencies and our vulnerabilities, we can help safeguard ourselves from ever falling for the bait.
Daniela Oliveira, IOT Professor, University of Florida
However, there is always some kind of logic flaw. For example, an email says a high-importance fax notification has been sent to you but requires your Microsoft account to access it. Think about why it would ask for a Microsoft account: Microsoft doesn’t offer a fax service, and even if some login were required, it should be for the platform where the fax is stored. And if it is this urgent, why can’t they call or email you directly?
Why me?
It’s not just you, I promise. Everyone gets them. It doesn’t matter whether it arrives at your personal or work email address or phone number; you should treat every potential phishing message seriously and equally.
What else can you do?
There are many tools that can help you identify attacks and protect your important information, including:
- Use multi-factor authentication (MFA).
- Use a unique password for every login, managed with password management software.
- Do not access the company network from public WiFi or a public computer.
- Never attempt to log in using someone else’s computer or smart device.
- Mark phishing emails as ‘phishing’ or ‘spam’ in your email app.