Morrison Cohen Cyber Watch Series: Top Tips to Avoid Getting Hooked by Phishing Threats

Technology, Data & IP Partners Jessica L. Lipson and Fred H. Perkins, Associates Tess Bonoli and Allison O’Hara and Chief Information Security Officer Thomas Catenaccio published a third Client Alert in their series on navigating the cyber landscape safely. In “Top Tips to Avoid Getting Hooked by Phishing Threats,” the authors discuss recent phishing trends, such as diverting transfers of funds, spoofing, posing as a creditor/collections agency, pig butchering and compromising multifactor authentication methods, and highlight how these attacks can be identified.

While new technologies such as generative artificial intelligence (AI) have made phishing attacks increasingly more convincing, there are still often perceptible signs that such communications may be a scam, such as:

• Sense of urgency/emergency, and tight deadlines to take action.
• Unexpected email requests containing links or attachments.
• Promises to return high profits in a short period of time.
• Threats of criminal charges, if action is not taken.
• Requests for financial account information.
• Vagueness/lack of details relating to investment vehicles or purported debts.
• Requests that the recipient click on links or download files.
• Refusal to provide a mailing address, verifiable physical address, or phone number (e.g., an email that does not provide any other methods of contacting the sender).
• Phone numbers or email addresses which are unknown, or which appear similar (though not identical) to known senders, but include variations in the domain (e.g., @Amaz0n.com).
• Changes/updates to previously-issued wire or escrow instructions.
• Textual clues, such as: display names that don’t match the reply-to email address; grammar, punctuation or spelling errors; inconsistencies in the appearance of logos, fonts, and other branding elements that do not match official communications; and generic greetings like “Dear User”.

Businesses may be well advised to establish, implement and frequently update their policies and procedures relating to transfers of assets and electronic communications to better arm against phishing threats. Some strategies may include: 

• Examine all communications carefully for signs of phishing scams.
• Conduct regular simulated phishing exercises to familiarize your employees to the risks of phishing, and how to detect them.
• Establish clear policies for employees to follow if phishing attacks are suspected.
• Consider cyber insurance with coverage limits appropriate to the company’s business and data processing activities.
• Consider password managers and passkeys, and avoid using the same password for multiple accounts.
• Require high complexity passwords, and multi-factor authentication for any sensitive systems (e.g., access to financial data).
• Activate already-existing multi-factor functionality offered by financial institutions and service providers.
• Select and retain personnel, technology and service providers with adequate experience and skill to help your business minimize and detect threats (including technology advisors).
• Establish, maintain, and routinely update (1) incident response plans, and (2) protocols for financial transactions, and train personnel with respect to same.
• Implement robust email filters to automatically detect and block phishing emails containing suspicious content, links, or attachments.
• Ensure spam filters are properly configured to move potentially harmful emails into quarantine or the spam folder.
• Encourage users to report phishing emails through a designated button or process, enabling immediate investigation and blocking of threats.
• Install and regularly update anti-malware and anti-virus software.
• Utilize tools that scan email links in real-time to detect and block access to malicious websites.
• Continuously monitor for unusual activity that may indicate phishing attempts or compromised accounts.

In the event of a phishing attack on your business, our Technology, Data & IP team is available to answer your questions and provide guidance regarding next steps, including advice as to potential claims or remedies that may be considered to try to redress the fraud perpetrated against your business.

To learn more about how to avoid phishing threats, read our Client Alert below.