Recognize and report phishing.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss. ~Phishing.org
Phishing is a form of social engineering: manipulating a person into acting against their own interest. A successful phish can end with the target handing over credentials, or control of systems and data, which in turn leads to data theft, malware and ransomware infections, and financial loss.
Why do cyber crooks use phishing? Because it works. If the criminal can get a victim to voluntarily give them the treasures they seek then why would they try to break into complex networks and defenses?
Cybersecurity awareness programs should include phishing simulations and end-user education on a continuous basis, and a process for reporting suspicious emails or other activity needs to be in place before the first report arrives. A user who knows what a phish looks like, and knows where to report one, helps keep both the organization and themselves safer.
Telltale signs of a phish
- Bad grammar or misspelling. Scrutinize the message carefully.
- Generic greeting. Watch for salutations that are generic in nature such as ‘Dear Valued Customer’ or ‘Hi [email]’, where the sender clearly does not know who you are.
- It seems too good to be true. If you receive an amazing discount or free offer it’s probably not a reality.
- Sense of urgency or threat. ‘Act now to take advantage of this deal’ or ‘Failure to contact us will result in closure of your account’ are common messages. Do not click a link in the email that takes you to a login page; that is how miscreants capture your credentials. If you think the account really needs attention, open the service from a bookmark or by typing its address yourself.
- Links and attachments. Hover over links, without clicking, to display the true URL (on a phone, press and hold the link instead). The text of a link and the address it actually points to can be completely different. Don’t open attachments that you did not request or whose sender you cannot verify.
- Check the sender’s email address. The display name may say John Smith, a coworker, but look at the actual address behind that name, and at the Reply-To address if there is one. Do they match the name, and do they use your organization’s domain?
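The last three signs above (urgency wording, link text versus real link target, and display name versus the addresses behind it) can be checked mechanically on a raw message. The script below is an added example written for this article, not tooling from the original page; it uses only the Python standard library and runs over a constructed sample message in which every name, address and domain is made up. The list of urgency phrases and the two-label domain comparison are simplifying assumptions of the example.

```python
"""Added example: apply the "telltale signs" checks to a raw RFC 822 message.

Not from the original article. The sample message, the urgency phrase list and
the domain comparison rule are assumptions made for this example only.
"""

import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase list; a real deployment would tune this to its own phish reports.
URGENCY_PHRASES = ("act now", "failure to", "will result in closure",
                   "immediately", "suspended")

# Constructed sample: all addresses, names and domains are made up.
SAMPLE_EML = """\
From: "John Smith" <john.smith@examp1e-payroll.com>
Reply-To: collections@mail-verify.example.net
To: employee@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Failure to contact us will result in closure of your account.
Please <a href="http://login.example-secure.net/verify">https://portal.example.com/login</a> now.</p>
</body></html>
"""


class BodyExtractor(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []      # visible text fragments
        self.links = []     # (real target, text the reader sees)
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._anchor = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self.links.append((self._anchor[0], self._anchor[1].strip()))
            self._anchor = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption:
    good enough for .com/.net; real tooling should use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no sign fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sender check: friendly name vs. the address behind it, and From vs. Reply-To.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name {display_name!r} shows a different address than {from_addr!r}")

    # Body checks: prefer the HTML part, fall back to plain text.
    part = msg.get_body(preferencelist=("html", "plain"))
    extractor = BodyExtractor()
    extractor.feed(part.get_content() if part is not None else "")
    text = " ".join(extractor.text).lower()

    # Generic greeting.
    if re.search(r"\bdear (valued )?(customer|user|member)\b", text):
        findings.append("generic greeting")

    # Urgency or threat wording.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    # The "hover" check: URL shown to the reader vs. URL the link really goes to.
    for href, shown in extractor.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link shows {shown_host!r} but goes to {href_host!r}")

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

On the sample message the script raises four findings: the Reply-To domain does not match the From domain, the greeting is generic, the body carries urgency wording, and the link text names portal.example.com while the href goes to example-secure.net. Note what it does not catch: the lookalike sender domain examp1e-payroll.com is only visible to a human comparing it with the real domain, and a well-written phish with a plain "click here" link produces no link finding at all. Treat output like this as triage support for the reporting process, not as a verdict.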
But remember, phishing campaigns can be far more sophisticated than this and may show none of the obvious signs. Policies and procedures should also be in place to reduce the likelihood of getting hooked, and protecting sensitive information and financial assets requires internal processes that prevent unintentional leakage. Never transfer funds or change contact or banking details for a financial relationship without confirming the request with the other party in person or by phone, using a number you already have, NOT by following links or replying to the email.