HR Jetpack

Best Practices

This video is premium content

Register or sign in to gain access.


Best Practices

Lesson Content

Phishing works because people believe the messages they receive. According to security firm FireEye, people open just 3 percent of spam email, yet they open 70 percent of phishing emails. And 50 percent of people will click on the link; generally within just 1 hour from the time they receive the email. This underscores the sense of urgency people feel to act upon these messages because they can be very alarming and give you the sense you need to act before you get a chance to think about the legitimacy of the email.

The first thing to consider when you receive any message is to question whether or not you requested the service being offered. Another friend of mine in HR shared with me one attacker’s attempt to send her emails that appeared to be from FedEx. However, she and her colleagues knew that no one in their HR department ordered anything that needed delivery. If you didn’t prompt an app or website to reset your password, then it is ok to be suspicious if you suddenly get an email requesting you confirm your login information, or reset your account details. Even more importantly you should never have to follow the link from an email you did not request in order to change your password or login information. If you are ever concerned, go directly through the company in question. You don’t need to take the link you were offered.

The next factor to consider is the URL. When you hover your mouse over a button or text link, the URL’s destination will appear in the bottom left of most browsers. If you can’t make sense of where that link is about to take you, then just don’t click on it. The most important factor is to check the domain to make sure it is properly spelled. Phishing campaigns often use domains which are close to, but not quite, the real deal. Such as “Google” with 3 O’s or other easy to miss variations of brands you see every day.

In addition to trying to make sense of the URL, it is important to be on the lookout for URL shortening services. and many other services will condense a URL into a shorter string of characters to help with character length requirements on services like Twitter. The problem with these links is that they completely obfuscate the destination you are going to be sent to. Once again, if you aren’t confident you understand where a link is going to take you, then try to find a safer way of getting to the information you are looking for.

You also should be careful about phishing over SMS text messages. Would you click on a link in a text message? Unfortunately, many people do. Attackers target mobile users with warnings about their online banking or wireless provider. Mobile users tend to have less context, smaller screens, and overall less of an ability to tell if a site they go to is genuine. Usually the best thing you can do is to wait until you can use a computer and go through your account as usual.

Finally, we come back to two factor authentication. Phishing happens all the time, and there is no better form of protection than a second layer of security provided by your phone. Social engineering works because we are human, and we make mistakes. Even if an attacker gets your password, they should not be able to access your accounts and devices.

Michael Wilson


Michael Wilson

Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training,...

Michael's Full Bio