A business guide to preventing, detecting, and responding to phishing attacks

Phishing attacks are becoming increasingly prevalent: 2016 saw more phishing attacks than any previous year on record according to the Anti-Phishing Working Group. At the same time, there is a growing level of sophistication of cybercriminals. This handout is available from the Department of Homeland Security's Stop.Think.Connect campaign to help the American public be safe and more secure online.

Phishing attacks use email or malicious websites to infect your machine with malware and viruses to collect personal and financial information. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their computer with viruses or malware, creating vulnerability to attacks. Phishing emails may appear to come from a real financial institution, eCommerce site, government agency, or any other service, business, or individual. The email may also request personal information like account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, attackers use it to access their accounts.

Phishing examples

The following messages, from the Federal Trade Commission's OnGuardOnline website, are examples of what attackers may email or text when phishing for sensitive information:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • "During our regular verification of accounts, we could not verify your information. Please click here to update and verify your information."
  • "Our records indicate that your account was overcharged. You must call us within seven days to receive your refund."

To see examples of actual phishing emails, and steps to take if you believe you received a phishing email, please visit the IRS webpage for reporting phishing attacks. .

Tips to prevent phishing

When in doubt, throw it out. Links in email and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it is best to delete or, if appropriate, mark it as "junk email." You may want to check with management and follow any company guidelines in place to protect against phishing attempts. You can also contact the company directly (via phone) to find out if the email is legitimate. Other tips to prevent phishing attacks include:

  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Use stronger authentication: Always opt to enable stronger authentication when available, especially for accounts with sensitive information including your email or bank accounts. A stronger authentication helps verify a user has authorized access to an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username. 
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Install and update anti-virus software. Make sure all of your computers are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.     
  • Be wary of hyperlinks: Avoid clicking on hyperlinks in emails. Type the full website address directly into the address bar instead. If you choose to click on a link, ensure it is authentic before clicking on it. You can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address.
  • Advise consumers who have fallen victim to a phishing attack to change their passwords and report the attack to Also, forward phishing emails to the company, bank, or organization impersonated in the email.
  • Report phishing attacks to the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

Copyright ©2019, ISO Services Properties, Inc.

This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC FEB 2019 10-185H
171-0914 (1/19)