High-profile hacking attacks might dominate the headlines, but one of the biggest risks to your security isn’t software vulnerabilities or malware—it’s phishing attacks. There were more than 1.2 million phishing attacks last year alone, up 65 percent over 2015, according to the Anti-Phishing Working Group (APWG).

Phishing attacks usually come in the form of a fake email that appears to be from a legitimate source, such as your bank, employer or a website you use frequently. The idea is to get you to hand over the keys to your accounts by prompting you to type your login details and password into a fake website front. Victims click the link in an email and get taken to a website that looks just like the real thing, but in reality, it has been created to steal information.

Because phishing attacks target people using sophisticated techniques designed to fool, no business is immune to them. Remember, your cybersecurity is only as strong as the weakest link—your employees. Let’s run through a few important rules that will safeguard you and your business from phishing attacks.

1. Verify requests for sensitive data

If you get an email request for sensitive data, don’t immediately tap reply and hand away access to your account. Make sure it really is a legitimate request from Sharon in accounting or that your supplier needs updated bank details. A quick phone call can save you from a serious data breach. If you insist on emailing, then don’t reply; type the email address in yourself or use your address book.

2. Type URLs or use your own bookmarks

Phishing scams often come in the form of links in emails that appear to be sent from people you know and trust. What looks like another funny cat video from the office joker may, in fact, be directing you to unknowingly download malware.
Sometimes the email will be a request to update your login details with a link to what appears to be a legitimate company website. You can avoid this kind of scam by always typing the URL into the address bar of your browser yourself or using your own bookmark if you have one. Never click on links in emails.

3. Monitor company account access

The IT department should be keeping an eye on company account access. Make sure old accounts are deleted and permissions are appropriate. It’s a good idea to employ tools that analyze user behavior and flag any suspicious logins or data requests.

4. Be careful about opening attachments

If you don’t recognize who an email is from, then don’t open any attachments. They can contain malware that will install itself. Even if you do recognize the sender, it’s worth subjecting the email to greater scrutiny if it has an attachment. You should have security in place that automatically scans and removes suspicious attachments.

5. Make sure websites are secure

Check that any secure websites you visit really are secure before you submit any sensitive data. Take a look in the address bar of your browser; you should see “https://” at the start instead of “http://”, where the S stands for secure. There should also be a lock icon that you can hover over to see the level of encryption.

6. Keep security software on and up to date

Any request to disable your firewall or antivirus defenses should be treated with serious skepticism. Security software should be running at all times and be kept fully updated. Make sure you comply with the IT department’s requests and never disable your security software.

7. Report suspicious emails

If you do get something that looks like a phishing attack, report it. You can forward emails to your security officer or IT department. Many companies and services also have email addresses specifically for suspected phishing emails, and they’ll confirm whether an email is legitimate or not.
You can also file complaints at the Federal Bureau of Investigation Internet Crime Complaint Center. If in doubt, it’s always best to ask your IT department.

Make sure you and your employees are familiar with these tips, and you can avoid being hooked by phishing scams.

Note: Special thanks to my partner Sophos for help in producing this article. The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
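Rules 2 and 5 above tell a reader what to look for in a link: whether it really goes where its text claims, and whether it uses https. The same checks can be automated on the mail gateway or in a user-facing "report phishing" tool so that the scrutiny does not rely on the reader alone. The following Python script is an added example written for this article, not code from the author or from Sophos. The email body it inspects is constructed for the example (the hostnames, including the decoy one, are fictitious), and the link-reading logic is a simple illustration, not a product's detection engine.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): one ordinary link,
# one link whose visible text names a different domain than its target,
# one plain-http link, and one link to a raw IP address.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p>
<p><a href="https://login.example-bank.com.evil-example.net/verify">https://login.example-bank.com</a></p>
<p><a href="http://promo.example.org/offer">Special offer</a></p>
<p><a href="https://203.0.113.7/update">Update your details</a></p>
"""

# Picks a domain-looking token out of a link's visible text, if any.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html):
    """Return (href, reason) findings for links a reader should not trust blindly."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((href, "not https"))
        if _is_ip(host):
            findings.append((href, "raw IP address host"))
        if "xn--" in host:
            findings.append((href, "punycode (IDN) host"))
        shown = _DOMAIN_RE.search(text)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append((href, f"visible text says {shown.group(1)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in inspect_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

The registrable-domain comparison is deliberately simple (last two labels), which misclassifies multi-part public suffixes such as co.uk; a production tool would use a public suffix list. The point is the shape of the check: compare what the reader sees against where the link actually resolves, and treat http, raw IP and encoded-hostname links as worth a second look.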
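Rule 3 above asks the IT department to watch account access, delete old accounts and flag suspicious logins. As a concrete illustration of what such monitoring can do with nothing more than an authentication log, here is an added Python example written for this article (not the author's or Sophos's code). The log lines and the deprovisioned-account list are constructed for the example, and the line format (timestamp, user, result, source country, source IP) is an assumption; a real deployment would read whatever its identity provider or directory emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# ISO timestamp, user, result (OK/FAIL), source country, source IP.
SAMPLE_AUTH_LOG = """\
2023-05-02T08:01:10Z alice OK GB 198.51.100.10
2023-05-02T08:05:42Z bob OK GB 198.51.100.11
2023-05-03T07:58:03Z alice OK GB 198.51.100.10
2023-05-03T09:12:00Z bob FAIL GB 198.51.100.11
2023-05-03T09:12:05Z bob FAIL GB 198.51.100.11
2023-05-03T09:12:09Z bob FAIL GB 198.51.100.11
2023-05-03T09:12:14Z bob FAIL GB 198.51.100.11
2023-05-03T09:12:20Z bob OK GB 198.51.100.11
2023-05-03T11:40:00Z alice OK RO 203.0.113.50
2023-05-03T12:00:00Z carol OK GB 198.51.100.12
"""

# Accounts that should already have been removed (constructed for the example).
DEPROVISIONED = {"carol"}

FAIL_THRESHOLD = 3            # failures inside the window before a success
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    ts, user, result, country, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "result": result, "country": country, "ip": ip,
    }


def analyze(log_text, deprovisioned=DEPROVISIONED):
    """Return alert tuples (timestamp, user, reason) for suspicious logins.

    Baselines are learned from the log itself: the first successful login a
    user makes from a country marks that country as known for that user.
    """
    alerts = []
    known_countries = defaultdict(set)
    recent_fails = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            recent_fails[user].append(ts)
            continue
        # Everything below concerns a successful login.
        if user in deprovisioned:
            alerts.append((ts, user, "login by deprovisioned account"))
        fails = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ts, user, f"success after {len(fails)} failures in {FAIL_WINDOW}"))
        recent_fails[user] = []
        if known_countries[user] and ev["country"] not in known_countries[user]:
            alerts.append((ts, user, f"login from new country {ev['country']}"))
        known_countries[user].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_AUTH_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Three conditions are checked: a successful login by an account that should no longer exist (the "delete old accounts" half of rule 3), a success immediately following a burst of failures (a credential guessed or phished and then used), and a first login from a country the user has never logged in from. Each is a prompt for a human to look, not proof of compromise; the value is that the IT department hears about the event instead of learning of it from the fallout.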