This video was originally published in March 2020.
What is a Phishing Attack?
We’re goin’ phishing. And no, I don’t mean the kind of fishing that involves rods, reels, and bait. I’m talking about phishing with a “ph” – those emails or text messages that try to induce you to surrender your account information or, worse for your dealership, click on a link that results in malware infecting your dealership’s computer network.
Phishing attacks are a kind of social engineering – convincing people to behave in a particular way. And social engineering is far and away the greatest threat to the security of computer networks. Social engineering attacks account for 70 – 90% of all computer attacks. Unpatched software is the next most common threat, at 20% or more. Your IT manager can handle the unpatched software issue, but you can do something about phishing. Let’s discuss how.
How to Recognize a Phishing Email
The first thing you need to do is recognize a phishing attack when it appears in your inbox. Everyone’s heard about the Nigerian Prince email scam, which has been around for well over a decade. Despite being obviously phony, as recently as 2019 Americans reported losing over $700,000 to this scam, and most current phishing attacks are far more sophisticated.
Phishing emails (and text messages) are designed to look like they came from sources you know and trust. I’ve gotten emails from the Bank of America that look like the real thing. Unfortunately for the phisher, I don’t have an account with the Bank of America.
How can you tell a phishing message from the real thing? If any of these features are present, ask your IT manager to check it out or just delete the message:
Does it come from a source you don’t know or a company you don’t do business with?
Is the greeting impersonal? If the source is legit, it’s unlikely to greet you as “Dear Friend.”
Does it ask for account or password information?
Are you invited to click on a link?
Does it ask you to make a payment?
Does it suggest a potential windfall, such as proceeds from a class action lawsuit or a government refund?
Does it offer you free stuff or anything else that your gut tells you is too good to be true?
Here’s an example of a phishing attack provided by the Federal Trade Commission:
Looks legit, right? Netflix is, after all, a real company, and that is its logo. But let’s look closer.
The email has a generic greeting – “Hi Dear.” Sounds, well, fishy.
The email invites you to click on a link.
The email spells “center” with an “r-e” instead of “e-r” at the end – that’s not common American usage.
If you hover your cursor over the Update Account Now link, you’d see that the URL is not connected to Netflix.
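Several of these checks can be run by a mail filter before a message reaches an inbox. The following is an added example, not part of the original article or the FTC's material: Python that applies three of the checklist items (impersonal greeting, request for account or password information, link that leads somewhere other than the claimed sender) to a constructed message. The sample message, its placeholder domains, the function names, and the choice to treat the From domain as the claimed sender are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the FTC's example); all domains are placeholders.
SAMPLE = """\
From: Netflix <support@netflix.example>
Subject: Update your payment details
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Dear,</p>
<p>We could not process your payment. Please update your account and password details.</p>
<p><a href="http://billing-update.invalid/login">Update Account Now</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def same_site(host, sender_domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)

def phishing_indicators(raw_message):
    """Return the checklist items from the article that this message trips."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    # Assumption: the From header's domain is who the message claims to be.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if re.search(r"\b(hi dear|dear (friend|customer|user))\b", body, re.I):
        findings.append("impersonal greeting")
    if re.search(r"\b(password|account (number|details|information))\b", body, re.I):
        findings.append("asks for account or password information")
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not same_site(host, sender_domain):
            findings.append(f"link goes to {host}, not {sender_domain}")
    return findings
```

The From header can be forged, so an empty result does not show that a message is genuine; any finding is a reason to apply the steps in the next section.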
What should you do if you suspect a phishing attack?
The first thing to do is bring it to the attention of your dealership’s IT manager. But not all dealerships have an in-house IT professional, so you may need to noodle this out on your own.
Ask yourself whether you have an account with the company or know the person who contacted you. If the answer is yes and you suspect a phishing attack, contact the company or person and ask if the message is real. But don’t use a number or email address contained in the message.
If the answer is no, delete the message. Do not respond to it, do not divulge any personal, account, or password information, and do NOT click on any links! Doing that could result in malware being installed on your dealership’s network.
Social engineering attacks such as phishing are the biggest piece of the computer attack pie, and they’re the piece you can prevent. Stay alert, stay suspicious, and when in doubt – throw it out.
If you’d like more tips on how your dealership can prevent phishing and other computer network attacks, or if you need to train your employees to identify and avoid phishing attacks, contact Mosaic Compliance Service today.