None of us are exempt. As I was writing this article, I got spoofed. Here’s what spoofing really looks like. In my case, the cybercriminal sent an email posing as my boss, but used a different URL, so while it looked like the email was from my boss, it actually wasn’t.
Email spoofing happens when a cybercriminal disguises an email address, sender name, phone number, or URL to convince you that you are interacting with a known, familiar, or credible contact. The attacker wants to engage you and make you believe the communication is real, so you will send them money, disclose sensitive financial or personal data, or trick you into downloading malware.
Employees will make mistakes. Our lack of attention, feeling rushed or wanting to please without hesitation, and our noncompliance with policies and procedures - are all pathways to your company’s online exposure.
The best way to protect yourself against spoofing is by paying attention to the signs of an attack:
Examine the email address, URL, and spelling in the email to look for slight discrepancies – ask yourself – does this pass the smell test?
Hover your cursor over the IP address to confirm the email is legitimately from a credible or familiar source.
Never click unsolicited links or download unexpected attachments.
Walk down the hall or pick up the phone to confirm a colleague’s unexpected request, and never respond unless you are absolutely certain.
Hang up and contact the company or person directly when solicited unexpectedly by a customer service representative via phone or email.
Always log into your account through a new browser tab or official app — not a link from an email or text.
Only access URLs that begin with HTTPS.
Never share personal information, such as identification numbers, account numbers, or passwords, via text or email.
Use a spam filter to prevent many spoofed emails from reaching your inbox.
Enable two-factor authentication whenever possible, which makes it more difficult for attackers to exploit you and your employees.
Talk to your phone company about call-blocking tools and check into apps that you can download to your mobile device (for example, Hiya).
Invest in cybersecurity insurance, to provide protection if you fall victim to a damaging attack.