How to Spot the Scam: 3 Ways to Avoid Email Phishing Attacks
If you spend any time at all using email, you’ve probably seen it—a legitimate-looking (or somewhat legitimate-looking) email from a person or company that may or may not be familiar to you.
It could contain:
- A link
- An attachment
- A request for your financial or personal information
The email may make a strong argument for providing that information. It could threaten you with a fine, audit, or even arrest. It could be an enticement for a financial windfall. It could even be something as simple as a request to update or verify account settings. Yet, in nearly every case, responding as requested will lead to big trouble.
Phishing has been around for more than two decades, and despite repeated warnings through media and other channels, it remains disturbingly effective. You may think you're too wise to fall prey to a phishing scam, but according to the Federal Bureau of Investigation's 2022 Internet Crime Report, phishing and its variants resulted in 300,497 complaints with adjusted losses of over $52 million in the U.S.
At its core, phishing preys on human nature; we all make mistakes, we lead busy lives, and no one is immune from an occasional lapse in judgment or an honest oversight. Unfortunately, the bad guys are upping their game and becoming more sophisticated in their approach and execution. This makes it more difficult for people to distinguish legitimate emails from phishing scams.
So, what should you do? We advise all of our clients to take widely accepted precautions such as:
- Using unique passwords
- Avoiding public Wi-Fi when accessing or sharing sensitive information
- Scanning regularly for viruses and malware
On top of that, we recommend that our clients adopt a 3-step approach to guide them in preventing phishing attacks and minimizing damage if they occur:
Step 1: Ask yourself, “Is this for me?”
Use judgment when privileged information is being requested. If you work in, say, the marketing department and a mysterious email asks you to review an attached resume, that's an unusual request that should immediately raise a red flag. Your validation process should start with questions that include:
- Should I be receiving this?
- Am I expecting it?
- Does it come through a standard chain of command or from a source I recognize?
If things don't feel right, proceed to step 2.
Step 2: Ask others, “Are we expecting to receive this?”
Say you received the same email, and suppose further that you work in human resources (HR). Questions to ask include:
- Am I expecting this resume?
- Is it standard operating procedure for me to receive it directly—or should it first go through other channels in the organization?
Instead of opening the attachment or clicking on the link, you should contact your supervisor and get verbal validation as to whether this is something you should have received in the first place. If your supervisor can't provide definitive verbal validation, contact your IT professionals immediately.
It's worth stressing: Verbal validation is absolutely critical. At Lutz Tech, we see too many cases where people's email accounts are compromised, and then hackers send phishing emails from those accounts. Such emails may seem legitimate since the senders' addresses are real. Worse still, if you were to reply to such an email and ask if the request is valid, the hacker who commandeered the account surely would reply that it is, setting the scene for disaster.
Step 3: Speak Up
Bad situations get much worse when they go unreported. Recently, our technology professionals saw a deviously clever phishing email that appeared at first glance to be from a company's IT department. In it, the recipient was asked to click on a link to reset their password. That link led to a phony company portal page where email credentials were requested.
If you fall victim to a scam like this, the resulting damage could be significant, and it grows exponentially if the incident goes unreported. By alerting the appropriate IT professionals early on, it's possible to mitigate the damage by:
- Changing credentials
- Tightening spam filters
- Implementing other controls to prevent these types of attacks in the future
Strengthen Your Digital Defenses with Lutz Tech
Protecting your business from cyber threats is not just a necessity—it's a strategic priority. A single phishing attack can lead to significant operational disruptions and long-lasting reputational damage. At Lutz Tech, our dedicated IT professionals are at the forefront of cybersecurity, constantly monitoring and adapting to the latest threats. Our technology strategy services help you safeguard your business, ensuring that your operations remain secure and resilient. Contact us today for expert guidance on strengthening your digital defenses.