Preventing, detecting and responding to phishing attacks

How to avoid phishing attacks

Phishing is criminal activity in which cybercriminals target organizations and individuals through emails, phone calls and text messages that appear to come from legitimate, trusted sources. Once cybercriminals gain your trust, they solicit sensitive information, such as passwords, Social Security numbers and financial details, and then use that information to take over accounts or commit identity theft for monetary gain at your expense.

Recognizing phishing scams

Cybercriminals will use various phishing scams to try to trick you. They will try to convince you that something urgent is needed, that there is a great deal that you cannot pass up, or that you’ve won a lucrative prize. They may often put time limits on the so-called deals, or their need for urgent information, to get you to act quickly without fully questioning them.

Phishing scams include many different tactics. They may provide threats of suspending or terminating important accounts. They may threaten you that immediate harm may come to you or a family member if you do not provide the information they request or the payment that they need.

Cybercriminals will also work to gain your trust. Their phishing emails often contain links whose visible text looks like the address of a trusted website. However, the text you see and the address the link actually opens can be different. Hovering over the link without clicking (or long-pressing it on a mobile device) reveals the real destination URL. Many times this will be a look-alike site controlled by the attacker, where they will try to solicit personal and sensitive information. Compare the domain you were shown with the domain in the real destination: attackers often bury a familiar company name inside an unrelated domain, and shortened links hide the destination entirely, so treat those with the same caution.

Phishing emails may also carry attachments that contain malware or ransomware. Never open an attachment from an unexpected or unknown sender. Phishing emails may also come from unusual senders, with grammatical and spelling errors in the subject line or in the body of the email. Do not click links in, or open attachments from, suspicious emails from unknown senders.

Phishing prevention tips

Remember that banking institutions and other legitimate companies will not ask you to send passwords, full account numbers or other personal information by email. They also have their own identity verification procedures and will not ask you to read out sensitive information on a call they placed to you. Never trust an unsolicited call or email on its own, even if it claims to be from a trusted source.

Never provide sensitive data over the phone on an unexpected call, even if the caller claims to be legitimate. Hang up and call your banking institution, or whatever organization the caller claims to represent, to verify the legitimacy of the call. Use phone numbers provided to you directly by the institution or company (for example, on your card or statement), not numbers from an unknown email or phone call.

Use spam filters for your email. Filters examine the message headers (which server sent the message and whether sender-authentication checks such as SPF, DKIM and DMARC passed), the message content, and the reputation of the sending domain, which helps flag large broadcast scams. Spam filters are not always accurate, but they minimize the unwanted and phishing emails that reach you.

Do not click links or open attachments in suspicious emails. Remember that legitimate companies rarely send emails with grammatical or spelling errors, and they will not immediately suspend or terminate your account if you do not provide personal details within a set timeframe. Legitimate companies also do not offer one-time deals or special offers that seem incredible, outrageous, and just "too good to be true." Be wary of any special deal, and of any demand that you immediately divulge sensitive information about yourself or your company.

Additional resources

Cybercriminals are always looking for new ways to scam people or organizations. Each day the news covers these scams and new ways that cybercriminals are working to get sensitive information. It is important to stay informed of the latest scams so that you and your company do not become a victim. 

Additional information and regular updates regarding phishing attacks can be found on the Department of Homeland Security, Cybersecurity & Infrastructure Security Agency website: Avoiding Social Engineering and Phishing Attacks | CISA.



This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation.  By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you.  The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC 2022-224