With the influx of new phishing campaigns and perfected social engineering tactics, it’s important to click wisely. A general rule of thumb to follow is to only click links that originate from either a trusted sender or domain name. Emails that contain malicious links are one of the most effective methods of delivering scams and malware. Clicking unsafe links or downloading attachments of unknown origin can lead to the inadvertent execution of malware on your machine, and what’s worse is that it may not be abundantly clear when it happens. The infection will fester and if you’re within a networked environment, like your workplace, you can wind up infecting your entire company before you know it. Not only are hackers interested in the proliferation of malware, but they would love to exfiltrate personal or company data. To avoid having any of this happen, there are a few simple clicking (or not clicking) practices that can be used to protect yourself.
One of the best defenses against clicking on something potentially dangerous is to simply hover over the hyperlink in question before clicking. If you find yourself questioning a link in an email, hovering over it will reveal the URL that it actually points to. Attackers also shorten URLs to obfuscate where a link actually points. There are a number of useful browser extensions that can expand shortened URLs. It is important to note that, while hovering over links contained in an email is typically a safe practice, there is a type of malware that is downloaded when a mouse hovers over a link placed in a PowerPoint slide. Hovering triggers a malicious PowerShell script to run immediately.
HOW TO KNOW WHAT'S "SAFE"?
Rather than navigating to links haphazardly, it’s best to examine the URL of a site in the browser address bar. Does the address begin with HTTP or HTTPS? Google Chrome now identifies every site as either secure with HTTPS or not secure with HTTP. While this helps a bit in telling whether your data in transit is encrypted, HTTPS doesn’t necessarily guarantee the legitimacy or safety of the site itself. If you want to take safe browsing a step further, you can check whether the site you’re about to navigate to has hosted malware in the last 90 days by typing https://google.com/safebrowsing/diagnostic?site= followed by the site name.
Another very popular vector for delivering digital threats is the Microsoft Word document. Perhaps less glaringly obvious as a phishing attempt, Word documents may lend a sense of legitimacy to a suspicious-looking email, especially while you’re at work. If a victim opens an email, downloads an attached Word document that happens to be malicious and allows a macro to run, their machine will likely become infected. Attackers may even dupe users into thinking malicious Word documents are safe by adding language like ‘This document is protected.’ Then the user is prompted to click in order to enable editing and the malware will execute.
Clicking can ultimately be very dangerous, but looking out for telltale signs can help in identifying links that shouldn’t be clicked and email attachments to avoid opening. Cybersecurity awareness training can help you protect yourself and your employees from phishing or exposure to cyber threats. Enforce your cybersecurity program with Align Cybersecurity™, which offers fully automated mock phishing exams with customizable attack vectors.