Hook, Line and Sinker. Opening the Phishing Box.


Phishing: “Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware.” (Wikipedia)

Phishing has become a reliable weapon in the cyber criminal’s arsenal. The intent is for the victim to click on a link and respond with personal information such as login credentials; the attacker’s email may lead them to a cloned portal that captures this information. The miscreants can craft malicious emails personalized to target specific users, including high-level personnel such as CISOs, CFOs, HR staff or board members. This form of attack is known as whaling. Spear phishing attacks target specific people in the organization, such as new hires, finance or security teams.

Cyber crooks are also finding ways to bypass two-factor authentication: they will use fake QR codes and clone one-time passwords. They may also use spoofing to fool the victim into meeting a request for information or money that appears to come from a trusted supervisor or vendor.

There are secure email configurations that can be put in place, but the greatest defense against phishing is to educate your workforce to recognize and report potential phishing campaigns. Some telltale signs of suspicious emails:

  • Sense of urgency: “Act now! Don’t let this opportunity pass!” Many times this urgent request is accompanied by a threat: “Log in now to prevent your account from being deactivated!”
  • Too good to be true: then it probably is. The message claims that you are the winner of cash, prizes or lucrative offers.
  • Links and attachments: be wary of opening files that you are not expecting; they can contain malware. Likewise with links: the URL they take you to may be fake and will capture your credentials or deliver a malicious package.
  • Unknown sender: if you receive an email from an unfamiliar sender and it seems out of the ordinary or suspicious, don’t click on it!
  • Misspellings and spoofed sender: check the sender’s email address, not just the name. For example, From: MOREnet Security security@morenet.net. Is that a valid domain for MOREnet Security? (Answer: no. We are security@more.net.) Are there generic greetings, or misspellings in the domain and/or message?
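The last two checks above (the real address behind the display name, a lookalike domain, a generic greeting) are the ones a mail filter or a help desk triage script can apply mechanically. The following is an added example written for this post, not a MOREnet tool: it parses a From: header, compares the address domain against the domains the named organization really sends from, and flags a generic opening line. The only allowlist entry taken from the post is MOREnet’s security@more.net; the second organization and the sample headers are constructed, and the header is written with angle brackets around the address, as it appears in a raw message.

```python
"""Apply the sender checks from the phishing checklist to a From: header.

Added example for this post; the allowlist and sample messages are
constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: a keyword that appears in the organization's display
# name, mapped to the domains that organization legitimately sends from.
# "more.net" is the real MOREnet domain named in the post; "examplebank" is
# a hypothetical second entry.
KNOWN_SENDERS = {
    "morenet": {"more.net"},
    "examplebank": {"examplebank.example"},
}

# Opening lines that usually mean the sender does not actually know you.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From: header,
    or "" when the header holds no parsable address."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_sender(from_header: str) -> list[str]:
    """Return warnings for one From: header; an empty list means nothing odd."""
    warnings: list[str] = []
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no parsable email address in From: header"]
    name_key = name.lower().replace(" ", "")
    for org, good_domains in KNOWN_SENDERS.items():
        # Display name claims the organization but the address domain is not
        # one the organization uses (the "check the address, not the name" rule).
        if org in name_key and domain not in good_domains:
            warnings.append(
                f"display name claims '{org}' but address domain is {domain} "
                f"(expected one of {sorted(good_domains)})"
            )
        # Lookalike domain: contains the organization's name but is not its domain.
        if org in domain and domain not in good_domains:
            warnings.append(f"lookalike domain {domain} imitates '{org}'")
    return warnings


def check_message(from_header: str, body: str) -> list[str]:
    """Combine the sender checks with a generic-greeting check on the body."""
    warnings = check_sender(from_header)
    lines = body.strip().splitlines()
    first_line = lines[0].strip().lower() if lines else ""
    if any(first_line.startswith(greeting) for greeting in GENERIC_GREETINGS):
        warnings.append(f"generic greeting: {first_line!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the spoofed sender from the post, with a generic greeting.
    suspect = "MOREnet Security <security@morenet.net>"
    body = "Dear Customer,\nLog in now to prevent your account from being deactivated!"
    for warning in check_message(suspect, body):
        print("WARNING:", warning)
    print("legitimate sender warnings:",
          check_sender("MOREnet Security <security@more.net>"))
```

The allowlist approach is deliberately narrow: it only knows the organizations you add, so it catches imitation of those names and says nothing about everyone else. That matches the checklist, which is about verifying senders who claim to be someone you already trust.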

Remember, the criminals are getting better at crafting phishing attacks that are hard to identify, so always trust your instincts, and if the email appears suspect, use other means to verify its authenticity. Using a web browser, log into the website in question directly to verify that this is legitimate correspondence. Do not click on the link within the message, as it is likely to lead to a fake website. Call or visit the business or person to verify the request in the message.

Conditioning employees to be aware of the potential dangers associated with phishing and how to recognize them adds to your overall security defenses. Turn your employees’ cybersecurity posture from fear to fierce!