3 Tips to avoid phishing and smishing scams

Imagine you receive a text from the CEO asking for your help. They're visiting customers, but someone forgot to provide gift cards for these visits. So the CEO needs you to buy six $200 gift cards and text the information.

Would this kind of request make you pause and wonder? Or would you quickly pull out your credit card to do as the message asked?

A surprising number of employees fall for this gift card scam and others.

This scam can come by text message or via email. In these cases, the unsuspecting employee buys the gift cards, sends the gift card information to the contact number, and then discovers that the messenger is not the actual company CEO.

Instead, it was a phishing scammer.

Without proper training, 32.4% of employees are prone to fall for a phishing scam.

For over 25 years, WEBIT Services has helped clients discover and apply effective security practices. It is passionate about knowledge, education, and online safety.

By reading this article, you will learn why users fall for phishing and smishing scams and three tips to help prevent this.

Why do users fall for phishing and smishing scams?

Hackers use social engineering tactics in phishing and smishing (text message-based phishing) scams. They manipulate emotions to get the employee to follow through on the request.

The request may be for money or security information like login credentials. Giving up login credentials or confidential information can lead to more severe cybersecurity breaches and attacks.

Cybercriminals will use social engineering tactics to manipulate their victims and elicit the following responses:

  • The employee is afraid of not doing what a superior asks them to do
  • The employee jumps at the chance to save the day
  • The employee doesn't want to let their company down
  • The employee may feel they can advance in their career by helping

The scam's message is also crafted to get the employee to act without thinking or verifying the source or instructions. It includes a sense of urgency.

For example, the CEO needs the gift card details right away. Also, the message notes that the CEO will be out of touch for the next few hours. This decreases the chance the employee will try to contact the real CEO to check the validity of the text.

3 Tips for Avoiding Costly Phishing Scams

1. Always verify unusual requests

If you receive an unusual request, or any request relating to money, verify it. Contact the person through other means to ensure the request is legitimate.

Despite what a message might say about being unreachable, always verify the instructions and sender in person or by phone.

If a colleague confirms that they made the request, you may carry on.

However, if a colleague did not make the request, you likely saved yourself money and spared your company from a security breach.

2. Objectively review the message

Don't react emotionally. Before you act on the request, ask if the message seems authentic or if something about it is out of the ordinary.

Scammers often try to get victims to act before they have time to think. So before you respond to a strange or urgent message, take a few minutes to look at it objectively. Often, this is all you need to realize it's a scam.

3. Get a second opinion or report it

Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error. Ask your colleague or IT service provider to review the message.

If the suspicious message is an email, you can report it using a phishing report program like Ironscales. Simply click the "Report Phishing" button in your email. The program will examine the message. If it's a phishing message, it will be purged from all inboxes within your network.

If the message is authentic, the program will let you know that the email is harmless.

Next steps to prevent successful phishing and smishing scams

Users may fall for phishing or smishing scams due to the message's urgency and heightened emotions.

To help prevent successful phishing and smishing scams, train employees to follow these three tips:

  1. Always verify unusual requests
  2. Objectively review the message
  3. Get a second opinion or report it

If you have additional questions about email and texting security practices, talk to your IT provider or internal IT team. They can educate employees or help create procedures to help keep your company devices and data safe.

If your company email system does not have a spam filter or phishing report program, talk to your IT provider or team about this. Spam filters and phishing tools can save time and protect your data.

WEBIT Services has educated clients in cybersecurity and has helped clients establish effective security procedures.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see how WEBIT Services can help.

If you aren't ready to make a commitment but would like to learn more about the dangers of cybercrime, we recommend the following articles: