5 Ways to Prevent Phishing Attacks

When it Comes to Phishing, Don’t Take the Bait

It’s 4:54 pm on a Friday and you get an email from IT: “Download this critical security update ASAP!” You leave the office that day feeling lucky you caught it in time.

You come to work on Monday to discover there’s been a serious data breach. Someone downloaded malicious software, or malware, to their work computer allowing cyber criminals to steal sensitive customer information.

What happened? You got phished.

Phishing is a type of cyber attack that exploits human behavior to gain access to personal information or get you to install malware on your computer. Phishing messages often look like they’re coming from a trusted source—like your bank or someone you work with—and they usually create a sense of urgency so that you act quickly, without thinking.

Luckily, phishing scams only work if you fall for them. The power is in your hands; follow the five tips below to keep you and your business protected.

Did you know?

Since 2019, phishing attacks have increased more than 150%! In 2024, phishing was the second most common cause of data breaches and the most expensive averaging $4.91 million in breach-related costs.

1. Slow Down and Stay Suspicious

Does your accountant email you asking for the digits to your company Mastercard? Does your bank ever reach out to you because they forgot your login and password? Does a new acquaintance on Linkedin typically ask for a business loan? The answer to all of these questions is no, they do not.

Phishing attacks work because we don’t stop to think about what we’re doing. The best way to prevent them? Slow down and keep a healthy level of skepticism. If you get an email, text, or social media message and something doesn’t seem quite right, don’t reply immediately.

2. Check That Things are What They Seem

By resisting the urge to respond immediately, you’ve taken away the scammer's biggest asset: the sense of urgency. The next step is to dig a little deeper and see if the message is real. How do you do that? Here are a few suggestions:

Check the sender’s email address or social media profile: Phishers often use email addresses that look similar to legitimate ones but have slight misspellings or extra characters. Similarly, social media usernames may look off and their profiles may be incomplete, have few followers, and little engagement (likes and comments).

Hover over links before clicking: Hover your mouse over links to see the actual URL before clicking. Ensure it matches the legitimate website's address. For example, if the email is supposedly from your bank, go to your bank's website directly to check the URL.

Look for red flags: Phishing scam artists will try to create a sense of urgency or fear. Also, messages may contain spelling mistakes, poor grammar, or awkward phrasing.

3. Don’t Download Attachments from Unknown Sources

If you get an email or direct message and you’re not sure about the sender, don’t click on any attachments. Getting you to download files is a great way for criminals to spread malware, and it’s not worth taking the risk.

If an email from a known contact contains an unexpected attachment, verify its legitimacy before opening it by calling or emailing that contact directly.

4. Use Security Software

Phishing often involves spamming thousands of people with emails in the hopes that one or two will fall for the trick. Antivirus software can help detect and block malicious emails and attachments.

5. Report Suspicious Messages

Phishing works by manipulating our emotions, and one of those emotions is shame. Many people who are victims of phishing attacks never report the crime to authorities because they feel foolish for getting tricked. But this behavior plays right into cyber criminals’ hands. If you get scammed, or even if you get a suspicious message, report it straight away.

To IT: Report suspicious work emails to your IT or security team.

To your email provider: If you receive a phishing email to your personal email address, report it to your provider using their built-in reporting features.

To your social media platform: Similarly, if you receive a suspicious direct message, flag it.

To organizations: If the email supposedly came from your bank or other trusted company, contact those organizations directly to let them know.

To authorities: If you fall victim to a phishing attack and are facing financial loss, identity theft, threats, or suspect organized criminal activity, report it to the police as soon as possible. It may be part of a larger attack!

Now you have the information to recognize phishing scams and stop them in their tracks. Please share these insights with your team to help everyone stay secure!