Any time is a good time to talk about phishing, a hacker’s method of scamming unsuspecting users to provide their personal information under the pretense of being a known site. For individuals, the safest bet with banking or finance-related inquiries is to be “politely paranoid.”
"Trust but Verify"
When the unsolicited request to log in or “verify” personal details is from a known site (such as your bank or your favorite online merchant), do not click any of the embedded links. Instead, open a new web browser window and manually navigate to the site in question. Then, log in to your account from their home page. If everything works as planned, this is a good opportunity to update your account password. You may also go back to the nefarious email and flag it as spam.
When you receive an unsolicited email, from your bank, for example, asking you to click a link to “Log in” or to “Verify your account,” stop right there. Do not click any link from an email asking you to provide personal or financial information—even from an organization you have a relationship with.
“We’re in perpetual email autopilot—users trying to wade through the mountains of requests and each season’s finance-related communications,” observed Adam Fisk, TSP’s Director of IT Services. “At an average payout of $130,000 per exploit, hackers are hoping that their imposter bank notice will be one of those items that you click and don't think twice.”
Do Not Engage
In the event that an individual you know (such as a teammate, customer, or relative), emails you requesting login credentials or to send money or account information, a few quick verifications are in order. First, do a quick scan of the suspicious email to look for anything out of the ordinary. Misspelled words, grammatical errors, bad formatting, or strange URLs and email addresses (e.g.: www.micro-soft.xyz) are key indicators. (We discuss notable scams in our Grepcast from December 2018.)
If you don’t see any obvious red flags, hover your mouse over any buttons or links in the message to examine the link and see if it looks “phishy.” You can always forward a screenshot of a suspected email to your IT team or vendor to examine if you have any questions. Do not respond to or forward the suspicious email itself—keep it quarantined until advised otherwise.
It’s also wise to call the person the request is from to get a verbal confirmation that they emailed you at all. If they did (and if you are on the phone), give them the info during the call to keep it offline altogether. If you find that the request did not come from the person it claimed to be, it’s also important to contact the real sender so they know their account has been hacked.
When in doubt, call your vendor or IT team and find out how they want you to proceed. Some may want you to forward the message for their team to investigate; others will instruct you to mark as spam and delete with no further action.
For more on security, ask your current provider how they’re going to prevent IT issues, especially those that you see causing regular disruption to your business. Or contact TSP to learn more about our IT solutions.