A business guide to preventing, detecting, and responding to phishing attacks

Phishing attacks are becoming increasingly prevalent: 2016 saw more phishing attacks than any previous year on record according to the Anti-Phishing Working Group. At the same time, there is a growing level of sophistication of cybercriminals. This handout is available from the Department of Homeland Security’s Stop.Think.Connect campaign to help the American public be safe and more secure online.

Phishing attacks use email or malicious websites to infect your machine with malware and viruses to collect personal and financial information. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their computer with viruses or malware, creating vulnerability to attacks. Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information like account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, attackers use it to access their accounts.

Phishing examples

The following messages, from the Federal Trade Commission’s OnGuardOnline website, are examples of what attackers may email or text when phishing for sensitive information:

  • “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
  • “During our regular verification of accounts, we could not verify your information. Please click here to update and verify your information.”
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

To see examples of actual phishing emails, and steps to take if you believe you received a phishing email, please visit www.irs.gov/uac/report-phishing.

Tips to prevent phishing

When in doubt, throw it out. Links in email and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it is best to delete or, if appropriate, mark it as “junk email.” You may want to check with management and follow any company guidelines in place to protect against phishing attempts. You can also contact the company directly (via phone) to find out if the email is legitimate. Other tips to prevent phishing attacks include:

  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Use stronger authentication: Always opt to enable stronger authentication when available, especially for accounts with sensitive information including your email or bank accounts. A stronger authentication helps verify a user has authorized access to an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username. Visit www.lockdownyourlogin.com for more information on stronger authentication.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Install and update anti-virus software. Make sure all of your computers are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.
  • Be wary of hyperlinks: Avoid clicking on hyperlinks in emails. Type the full website address directly into the address bar instead. If you choose to click on a link, ensure it is authentic before clicking on it. You can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address.
  • Advise consumers who have fallen victim to a phishing attack to change their passwords and report the attack to reportphishing@antiphishing.org. Also, forward phishing emails to the company, bank, or organization impersonated in the email.
  • Report phishing attacks to the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), at http://www.ic3.gov/default.aspx.

To learn more about Hanover Risk Solutions, visit hanoverrisksolutions.com

Copyright ©2019, ISO Services Properties, Inc.

The recommendation(s), advice and contents of this material are provided for informational purposes only and do not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations or advice contained herein will make any premises, property or operation safe or in compliance with any law or regulation. Under no circumstances should this material or your acceptance of any recommendations or advice contained herein be construed as establishing the existence or availability of any insurance coverage with The Hanover. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC FEB 2019 10-185H
171-0914 (1/19)