A CEO’s Guide to Preventing & Recovering from Phishing Scams

Editor's note: This post was originally published on May 29, 2018 and has been revised for clarity and comprehensiveness.

Do you want security software to protect your business from phishing scams? Will that be enough?

The truth is, even the best tools can’t prevent human error. That’s why you must build phishing awareness in your company.

At Intelligent Technical Solutions (ITS), we help businesses stay secure, productive, and compliant through security services, managed IT, and IT consulting. Our team empowers small and mid-sized organizations to navigate cyber threats, and we want to prevent you from falling for them.

In this article, we’ll explain: 

• What is phishing?  
• What are the common signs of phishing?  
• What do you do if your team falls for phishing?  
• How can you prevent phishing attacks? 

By the end of this article, you’ll have the information you need to protect your company from phishing attacks.   

What is phishing?  

Phishing is a cyberattack where a scammer impersonates a legitimate source – like your bank, cloud software vendor, or even your coworker — to trick you into revealing sensitive information.  

These attacks are usually carried out via email but can also happen through phone calls (vishing), text messages (smishing), or even fake websites. 

Employees may unknowingly expose your business to major risks because of phishing, without knowing they’ve done anything wrong. 

READ: 6 Most Dangerous Types of Phishing Scams to Watch Out for  

What are the common signs of phishing?  

Have you ever said, “I’d never fall for that!” after seeing someone (in your life or on the news) fall victim to a scam?  

Never say never. It only takes one inattentive moment to leak information. Here are some signs of phishing to drill into your team and lessen the likelihood of successful phishing attempts.  

1. Suspicious sources  

Phishing attacks always come from sketchy sources masquerading as credible. Email phishing attempts, for example, often use slightly off email addresses — like support@micr0soft.com or john.doe@yourcomapny.com. Smishing attempts will hijack companies’ official text threads on your phone.  

A glance might not catch the misspelling or ping it as a strange message.   

2. Generic greetings  

Emails, texts, or calls that start with “Dear Customer” or “Valued User” instead of your name are often mass phishing campaigns.  

Be wary – just because someone uses your name doesn’t mean they’re legitimate. Due to the mass selling of data and freely given online information, it’s easier than ever for phishing attempts to find your personal details.   

3. Urgency or fear tactics  

Phrases like “Your account will be locked in 30 minutes” or “Last chance to claim your refund” are designed to rush your judgment and get information quickly.

Never trust messages like this before verifying them. If there’s a possibility the information is true, call or email the person/company through official channels.   

4. Unusual links or attachments  

Don’t click if the URL looks strange or doesn’t match the sender’s domain.

Even if it is from a trusted source, if the linked page asks for credit card details, approval for a downloadable program, or your Social Security number to save puppies from drowning right this instant, do not immediately believe it. Contact the organization or person from a verified number or website first. 

Attachments with unfamiliar extensions like .exe or .scr are another red flag. Do not download these programs as they’re commonly malware.   

5. Unexpected requests for sensitive information  

No legitimate company will ask you to confirm your birthday, login credentials, or banking details over email. Or if they do ask for documents over email, it should be after you call them to process a request.