Fight the Phish!
- Published: Tuesday, Oct. 12, 2021
October is cybersecurity awareness month. This week we will focus on phishing awareness. #BeCyberSmart
Phishing is one of the most prevalent social engineering attacks. The attacker is hoping to trick the recipient into taking an action that could lead to credential theft, money transfers, data breach or malware.
Did you know...
- 22 percent of data breaches involve phishing? (Verizon DBIR 2020)
- 75 percent of organizations around the world experienced a phishing attack in 2020? (Proofpoint)
- 96 percent of social engineering attacks are through email?
- 41.1 percent of targeted phishing attacks are directed at the education industry? (KnowBe4)
- Some popular subject lines in a phishing email: (KnowBe4)
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required: Your Amazon Prime Membership has been declined
Scammers play on human emotions to engage victims. Fear, urgency and willingness to help are all common ploys. Brand impersonation plays a major role in phishing emails. Making the recipient comfortable with correspondence from a familiar entity lends validity to the request.
The consequences of falling for a phishing attack can be detrimental in many ways, and can involve a loss of intellectual property, monetary loss, loss of revenue and customers, legal fees, compliance issues, personal and institutional reputation, downtime and recovery costs.
How can you protect against phishing attacks?
- Education - Condition your users to recognize the signs of phishing emails.
- Review the email address of the sender.
- Look at the reply to: address. Is this really going back to the legitimate resource?
- Inspect URLs in the email for legitimacy by hovering (not clicking) over them.
- Don't divulge login information or other personal information as requested.
- Verify any requests for information or money with the requestor personally. Do not respond through the email.
- Phishing awareness programs can reduce the risks of successful attacks by as much as 80 percent after a single year of training.
- Set up a secure email gateway (SEG) to monitor inbound and outbound emails.