• United States




7 steps to avoid getting hooked by phishing scams

Apr 11, 20174 mins
CybercrimeEndpoint ProtectionInternet Security

spearfishing trap
Credit: Thinkstock

High-profile hacking attacks might dominate the headlines, but one of the biggest risks to your security isn’t software vulnerabilities or malware—it’s phishing attacks. There were more than 1.2 million phishing attacks last year alone, up 65 percent over 2015, according to the Anti-Phishing Working Group (APWG).

+ Also on Network World: 25% to 30% of users struggle with identifying phishing threats, study says +

Phishing attacks usually come in the form of a fake email that appears to be from a legitimate source, such as your bank, employer or a website you use frequently. The idea is to get you to hand over the keys to your accounts by prompting you to type your login details and password into a fake website front. Victims click the link in an email and get taken to a website that looks just like the real thing, but in reality, it has been created to steal information.

Because phishing attacks target people using sophisticated techniques designed to fool, no business is immune to them. Remember, your cybersecurity is only as strong as the weakest link—your employees. Let’s run through a few important rules that will safeguard you and your business from phishing attacks.

1. Verify requests for sensitive data

If you get an email request for sensitive data, don’t immediately tap reply and hand away access to your account. Make sure it really is a legitimate request from Sharon in accounting or that your supplier needs updated bank details. A quick phone call can save you from a serious data breach. If you insist on emailing, then don’t reply, type the email address in yourself or use your address book.

2. Type URLs or use your own bookmarks

Phishing scams often come in the form of links in emails that appear to be sent from people you know and trust. What looks like another funny cat video from the office joker may, in fact, be directing you to unknowingly download malware. Sometimes the email will be a request to update your login details with a link to what appears to be a legitimate company website. You can avoid this kind of scam by always typing the URL into the address bar of your browser yourself or using your own bookmark if you have one. Never click on links in emails.

3. Monitor company account access

The IT department should be keeping an eye on company account access. Make sure old accounts are deleted and permissions are appropriate. It’s a good idea to employ tools that analyze user behavior and flag any suspicious logins or data requests.

4. Be careful about opening attachments

If you don’t recognize who an email is from, then don’t open any attachments. They can contain malware that will install itself. Even if you do recognize the sender, it’s worth subjecting the email to greater scrutiny if it has an attachment. You should have security in place that automatically scans and removes suspicious attachments.

5. Make sure websites are secure

Check that any secure websites you visit really are secure before you submit any sensitive data. Take a look in the address bar of your browser; you should see “https://” at the start instead of “http://”, where the S stands for security. There should also be a lock icon that you can hover over to see the level of encryption.

6. Keep security software on and up to date

Any request to disable your firewall or antivirus defenses should be treated with serious skepticism. Security software should be running at all times and be kept fully updated. Make sure you comply with the IT department’s requests and never disable your security software.

7. Report suspicious emails

If you do get something that looks like a phishing attack, report it. You can forward emails to your security officer or IT department. Many companies and services also have email addresses specifically for suspected phishing emails, and they’ll confirm whether an email is legitimate or not. You can also file complaints at the Federal Bureau of Investigation Internet Crime Complaint Center. If in doubt, it’s always best to ask your IT department.

Make sure you and your employees are familiar with these tips, and you can avoid being hooked by phishing scams.

Note: Special thanks to my partner Sophos for help in producing this article.  


The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author