How Not To Get Hooked By Phishing
Phishing is a form of social engineering where cyber criminals attempt to steal sensitive data such as usernames, passwords or credit card details. Often they are especially interested in you unwittingly giving them access to your computer, which lets them steal your data at their leisure. They achieve this by disguising themselves as a trustworthy party in an email, on social media, in text messages or by phone. Phishing attacks can be highly sophisticated, encouraging the user to open a malicious file or link. This can result in either malware being downloaded to a digital device or the user being sent to a spoofed website that collects sensitive data. From this the attacker can extract the data required to execute a successful attack.
Phishing can have devastating consequences such as reputational damage, loss of custom, loss of money, business disruption and data breaches. These threats are on the rise because they can be extremely profitable.
How Can The Cyber Criminals Get You Hooked?
There are a few Phishing techniques cyber criminals can use to convince you to take the bait. For the moment let’s focus on the classic campaigns used.
Email Phishing Scams
Phishing is a game of numbers. A cyber criminal will send a batch of thousands of fraudulent emails that mimic those sent by genuine organisations. An attack may happen in the following way:
- The hacker will send an email from a seemingly legitimate source such as PayPal or Netflix
- The email will create a sense of urgency such as your account has been compromised
- A link will offer you the chance to update your password or sensitive data
- The hacker is then able to collect your data or gain access to your computer, acquiring more account details and access to resources
Spear Phishing is an attack where the cyber criminal targets a specific person or organisation instead of trying their luck with multiple fraudulent emails. For this version of phishing to work the attacker requires in-depth information on your organisation and its hierarchy. An attack may happen in the following way:
- The hacker will identify and research a potential victim or organisation
- The hacker will send a targeted email to the victim that seems to be from a legitimate source such as a trusted colleague
- The victim will open the fake email that contains either a malicious attachment or link asking for the user to provide sensitive data
- A back door is then created or malware deployed, giving the attacker access to your computer, or sensitive data is collected and transferred to the attacker
How Can You Prevent Phishing Attacks?
To reduce the risk of a Phishing attack taking hold of your business, follow this multi-layered security approach to help you stay secure:
- Understand the risks
- Develop adequate policies
- Keep systems up-to-date
- Backup your data
- Deploy anti-phishing solutions
- Implement best practices for user behaviour
- Use robust threat intelligence
Also share these helpful tips with your users to help them keep security top of mind, as they are your last line of defence against Phishing attacks:
- Keep up-to-date about current phishing techniques
- Think before you click
- Install an anti-phishing toolbar
- Verify a site’s security
- Check your online accounts regularly
- Keep your browser up-to-date
- Use firewalls
- Be wary of pop-ups
- Never share personal information
- Use antivirus software
You can spot a Phishing attack by keeping an eye out for:
- Spelling and grammar errors
- Sender addresses that do not match the organisation the message claims to come from
- Offers that sound too good to be true
- Unsolicited messages that contain attachments, links or login pages
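The sender-address and link checks in this list can also be applied automatically, for example in a mail-gateway rule or a triage script. The following is an added example, not code from NCI Technologies or from this blog, run against a constructed sample message: it flags a display name that does not match the real sender domain, urgency wording of the kind described above, and a link whose visible text names a different site than the address it actually points to.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims PayPal, while the
# sender domain and the link target have nothing to do with paypal.com.
SAMPLE_EMAIL = """\
From: "PayPal Support" <security@paypa1-alerts.example>
To: user@example.com
Subject: Urgent: your account has been limited
Content-Type: text/html

<p>Your account has been compromised. Please verify within 24 hours.</p>
<p><a href="http://login.paypa1-alerts.example/verify">https://www.paypal.com/signin</a></p>
"""
URGENCY_WORDS = ("urgent", "immediately", "compromised", "suspended", "limited", "within 24 hours")
# Crude anchor matcher for the demo; a real filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Last two labels of a hostname (no public-suffix list; enough for the demo)."""
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw_message):
    """Apply the checks above to one raw email and return human-readable warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(address.rpartition("@")[2])
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    warnings = []
    # Check 1: a brand in the display name that the real sender domain does not carry
    brand = display_name.split()[0].lower() if display_name else ""  # naive brand guess
    if brand and brand not in sender_domain:
        warnings.append(f"display name '{display_name}' does not match sender domain {sender_domain}")
    # Check 2: urgency wording in the subject or body
    hits = [w for w in URGENCY_WORDS if w in (str(msg["Subject"]) + " " + body).lower()]
    if hits:
        warnings.append("urgency language: " + ", ".join(hits))
    # Check 3: the visible link text names one site while the href goes to another
    for href, shown in ANCHOR_RE.findall(body):
        shown_host, real_host = urlparse(shown.strip()).hostname, urlparse(href).hostname
        if shown_host and registered_domain(shown_host) != registered_domain(real_host):
            warnings.append(f"link shows {shown_host} but points to {real_host}")
    return warnings

if __name__ == "__main__":
    print("\n".join(phishing_indicators(SAMPLE_EMAIL)))
```

A message that passes all three checks can still be malicious, so treat the output as a prompt to verify through a known-good channel rather than as a verdict.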
One of the best ways to make sure company employees will not make costly errors with information security is to implement a company-wide security-awareness training campaign. NCI Technologies offers best-in-class simulated Phishing attack training for businesses. This training is delivered through an automated email campaign that uses email templates of real-world attacks. It is completely safe, will highlight who is susceptible to Phishing and can auto-enrol those users in more targeted security awareness training.
In this blog we have only discussed Email Phishing and Spear Phishing. So, stay tuned for further blogs where we investigate the other variants of Phishing campaigns to keep a watchful eye out for.