As we spend more and more time online, we are increasingly exposed to cyber-related threats – one of the most common being a social engineering technique called phishing. Incredibly, more than one in three Canadians have been subjected to a phishing attack, and the financial losses from fraud, including online fraud from phishing attacks, are estimated at over $330 million this year alone.
Beyond the financial losses, phishing can result in:
- Loss of identity;
- Time, money and effort expended to rectify issues such as responding to and recovering affected devices;
- Loss of reputation; and
- Decreased sense of security and safety.
What is phishing?
Phishing can take various forms, but it broadly refers to a situation in which someone calls, texts, emails or connects with you through a social media platform with the intent of tricking you into:
- Clicking on a malicious link;
- Downloading malware to your device; or
- Sharing sensitive information.
Often, these phishing scams appear very legitimate and look as though they are coming from a trusted source such as a friend, a boss, a bank, a courier company or a government authority.
What can you do about it? Here are five things to know.
- Know that you are not defenceless.
There are immediate steps you can take to protect yourself and your family.
- Protect what is important.
The following advice will help ensure that scammers can’t get a hold of your personal information even if they get into your computer or device.
- Limit the amount of personal information you provide online.
- Ensure that you have security software installed on your computer.
- Keep sensitive information separate from other information and keep it encrypted (e.g. in a crypto-locker or on a separate device such as a USB stick or thumb drive that is password protected).
- Back up your critical data and software in another location such as on a separate hard drive that is not continuously connected to your computer, or in a secure cloud folder that is password protected.
- Know what phishing looks like.
Keep an eye out for any communications that may be ‘phishy.’ There are questions you should ask yourself when looking at incoming correspondence where you are being advised to do something:
- Does it come from someone or an organization that wouldn’t normally contact you that way?
- Does it look legitimate but perhaps doesn’t make sense? (For example: Would that company or person be asking you for that information at this time?)
- Does it ask you to open an attachment?
- Does the email or phone number look authentic? (For example: Is the phone number listed under the name of that organization or person?)
- Does it imply a sense of urgency in responding? (For example: “Click this link or you’ll miss out on tremendous savings!”)
- Does it use threatening language? (For example: “Failure to respond will have you fined or arrested.”)
- Does it offer something that seems too good to be true? (For example: “Fill out this form with your financial information and you will be eligible for an immediate $500 cash bonus sent directly to your account.”)
- If you think something is ‘phishy,’ do not respond.
Do not click on the link, do not download the file, do not call the number, and do not complete the form. Instead, find a way to determine if the correspondence is legitimate. For example, if it appears to be coming from an authoritative source such as your bank, the government or an organization or company you regularly have interactions with, look up the phone number from a credible source (do not use the number provided in the email or text), and ask an employee of that organization if they sent you anything.
- Report it to your local police and the Canadian Anti-Fraud Centre.
The best thing we can do to stop phishing and its potentially devastating impacts is to inform ourselves, take actions to protect our information and stay vigilant. Run through the five steps mentioned above any time you are unsure, and importantly, think before you click.
Randy Purse is Senior Cybersecurity Advisor, Corporate Training at Rogers Cybersecure Catalyst — Toronto Metropolitan University’s national centre for training, innovation and collaboration in cybersecurity.