Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, website links, or by phone. According to a recent study by SANS, 95% of all cyber-attacks on enterprise networks are the result of successful spear phishing (email aimed at employees at a particular company).

Phishing is typically carried out by email spoofing and it often directs users to enter personal information (like a password) at a fake website whose look and feel is almost identical to the legitimate one. Communications purporting to be from social websites, banks, online payment processors, or IT administrators (even disguised to look like it is coming from your own company!) are often used to lure victims. Phishing emails may contain links to websites or attachments that are infected with malware.

Employees can serve as a valuable active defense layer inside the organization. To protect yourself:
Never click on links inside an email unless you have called the person on the phone to verify that they intended to send that link to you.
Hover over the link to view the actual website address where the link will take you.
Look for misspells and grammatical errors as a clue that the company may not be legitimate (this doesn’t always work).
If you receive a suspicious email, do NOT click on any links or open any attachments. Call IT and the Security Officer to report the suspicious email.