How Not to Take the Bait When Phishing Happens


Oct. 1 marked the start of National Cybersecurity Awareness Month, an annual collaboration between government and industry to raise awareness about the importance of cybersecurity.

During the month, the Exchange’s IT directorate has been sending to the workforce a weekly email newsletter detailing a particular cybersecurity-related topic. The Exchange Post is also publishing stories about cybersecurity topics during October.

This week’s topic: Recognizing phishing

Phishing scams are online messages designed to look like they’re from a trusted source. They are usually emails that include a link, attachment or image that, if clicked on, can expose a user to malware or to a scammer looking for personal data.

And it’s all too easy to click on one of those links.

“I occasionally send out ‘phishing’ emails to test the workforce,” said Aaron Foechterle, Exchange data security analyst. “Some people just click on something endlessly, but even the most diligent associates sometimes fall for it.”

Foechterle says that getting better at spotting phishing attempts includes:

Knowing the tactics phishers use: Phishing attempts often use a sense of urgency (such as telling you an account is locked and won’t be unlocked until you take action) or emotion; request financial or personal information; include unexpected attachments; have email addresses that don’t match the supposed sender; and, less commonly, include poor writing or frequent misspellings.

Resisting and reporting: If you suspect that an email is a phishing attempt, use the “Report Phishing” button that appears in the upper right corner of Exchange Outlook when you open a message. You can also send suspicious emails to spamreporting@aafes.com.

Deleting: If you suspect phishing, don’t reply to the email or text or click any links. Just delete it (after reporting it).
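The indicators in the list above (urgency, requests for money or personal data, unexpected attachments, and a sender address that does not match the claimed sender) are exactly what a mail filter or a help desk triage script checks for. The following Python script is an added example, not the Exchange's own tooling; it parses three constructed sample messages with the standard-library `email` package and reports which indicators each one triggers. The organisation domain `example.com`, the display-name keywords, the phrase lists and all message contents are assumptions chosen for illustration.

```python
"""Heuristic phishing-indicator checker (added example, not the Exchange's tooling).

Scores a raw RFC 5322 message against the indicators named in the article:
urgency or pressure language, requests for financial or personal data,
unexpected attachments, and sender addresses that don't match the claimed
sender. ORG_DOMAIN, ORG_NAMES and every sample message below are constructed.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption: the organisation's real mail domain (constructed placeholder).
ORG_DOMAIN = "example.com"
# Display-name words that imply the mail comes from inside the organisation.
ORG_NAMES = frozenset({"exchange", "helpdesk", "support", "payroll", "hr"})

URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|within 24 hours|final notice|act now|"
    r"take action|is locked|has been suspended)\b", re.I)
DATA_REQUEST = re.compile(
    r"\b(password|account number|social security|ssn|credit card|"
    r"wire transfer|tax refund|donate|verify your (account|identity))\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm")

# Constructed sample messages: two lures and one legitimate internal notice.
SAMPLES = {
    "credential_lure": b"""From: "Exchange IT Support" <helpdesk@mail-secure-login.example>
Reply-To: recovery@another-domain.example
To: associate@example.com
Subject: URGENT: Your account is locked

Your account is locked and will not be unlocked until you take action.
Confirm your password and account number here: http://mail-secure-login.example/verify
""",
    "attachment_lure": b"""From: "Payroll Dept" <payroll@example-payroll.example>
To: associate@example.com
Subject: Your tax refund summary
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is your tax refund summary. Open it today to claim your refund.
--b1
Content-Type: application/octet-stream; name="refund.exe"
Content-Disposition: attachment; filename="refund.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
""",
    "schedule_notice": b"""From: "Store Operations" <ops@example.com>
To: associate@example.com
Subject: October schedule posted

The October schedule is posted on the intranet. See your manager with questions.
""",
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: bytes) -> list[str]:
    """Return the indicator labels triggered by one raw message, in check order."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Display name claims the organisation, but the address is external.
    name_words = set(re.findall(r"[a-z]+", from_name.lower()))
    if name_words & ORG_NAMES and from_dom != ORG_DOMAIN:
        hits.append("sender-mismatch")
    # 2. Replies are silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        hits.append("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    # 3. Urgency or pressure language; 4. requests for money or personal data.
    if URGENCY.search(text):
        hits.append("urgency")
    if DATA_REQUEST.search(text):
        hits.append("data-request")

    # 5. Attachments, with executable or macro-enabled types called out separately.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        hits.append("risky-attachment" if name.endswith(RISKY_EXT) else "attachment")
        break  # one attachment label per message is enough for scoring
    return hits


def verdict(raw: bytes) -> str:
    """Map the indicator count to a coarse triage label."""
    n = len(phishing_indicators(raw))
    return "likely-phish" if n >= 3 else "suspicious" if n >= 1 else "clean"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:17s} {verdict(raw):13s} {phishing_indicators(raw)}")
```

The checks are deliberately simple string and header comparisons so that the mapping from each article bullet to a line of code is obvious; a production filter would add authentication results (SPF, DKIM, DMARC), URL reputation and attachment sandboxing on top of these.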

If you receive an email you weren’t expecting, even if it looks legitimate, it’s a good idea to do a little research—if it comes from a company, look up the website and find its contact information. If it looks like it comes from someone you know, contact them at a known number to see if they sent the message.

And for associates who get a lot of email, Foechterle had another tip: slow down.

“You have two ends of the spectrum at the Exchange,” Foechterle said. “There are associates who work in a store who only open their email occasionally. Other people receive tons of emails every single day and just click through them. If you receive a lot of emails, you should take time to check for phishing indicators. Check the email address or the subject field or the spelling in the email.”

During an election year, use extra caution, Foechterle added.

“Phishers use a lot of different tactics,” Foechterle said. “For tax season, they have methods like requesting tax receipts or refunds. The same thing with political texts. There are people working under the guise of a campaign that will send a link saying, ‘Click here to donate.’ But if the money gets sent, it doesn’t go to the actual candidate—it gets sent to the scammer. So that’s something to be on the lookout for.”

In addition to the Exchange Post, follow @exchangeassoc on Facebook, Instagram and X for more info. Hashtags for the month are #CybersecurityAwarenessMonth and #SecureOurWorld.

Next: The role of artificial intelligence in social engineering