Recognizing and Reporting Phishing

What is phishing?

The most common type of phishing is social engineering, in which a hacker attempts to trick individuals or corporations into downloading malware that gives the hacker access to sensitive data such as:

  • Credit card details
  • Passwords
  • Personally Identifiable Information (PII)

Protecting against phishing attacks

Security awareness training and best practices

Organizations are encouraged to teach users how to recognize phishing scams and to develop best practices for dealing with suspicious emails and text messages. For example, users can be taught to recognize these and other characteristic features of phishing emails:

  • Requests for sensitive or personal information, or to update profile or payment information
  • Requests to send or move money
  • File attachment(s) the recipient did not request or expect
  • A sense of urgency, whether blatant (your account will be closed today…) or more subtle (e.g., a request from a colleague to pay an invoice immediately), threats of jail time, or other unrealistic consequences
  • Poor spelling or grammar
  • Inconsistent or spoofed sender address
  • Links shortened using bit.ly or some other link-shortening service
  • Images of text used in place of text (in messages or on web pages linked to in messages)
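As an added illustration (not part of the original article), the checklist above can be turned into a simple rule-based check of the kind a mail filter or a help-desk triage script would run. The Python below parses a constructed sample message and reports which of the listed indicators it triggers; the shortener list and keyword patterns are assumptions for the example, not a complete set.

```python
import email
import re
from email import policy
from typing import List

# Constructed sample message for this example (not a real phishing email); it is
# written to trigger several of the checklist items above.
SAMPLE_EMAIL = """\
From: "ceo@example-corp.test" <mailer@free-webmail.test>
Reply-To: payments@another-domain.test
To: employee@example-corp.test
Subject: URGENT: invoice must be paid today
Content-Type: text/plain; charset="utf-8"

Please wire the payment immediately via https://bit.ly/abc123 or your account will be closed today.
"""

# Assumed, hand-picked lists; a real filter would use maintained feeds and a trained model.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY = re.compile(r"\b(urgent|immediately|today|account will be (closed|suspended))\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)
HOST_IN_URL = re.compile(r"https?://([^/\s]+)", re.I)
DOMAIN_IN_NAME = re.compile(r"@([\w.-]+)")


def phishing_indicators(raw_message: str) -> List[str]:
    """Return the checklist items the message triggers (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender:
        # Inconsistent sender: the display name shows one domain, the real address uses another.
        shown = DOMAIN_IN_NAME.search(sender.display_name)
        if shown and shown.group(1).lower() != sender.domain.lower():
            hits.append("sender-mismatch")
        # Replies silently routed to a third domain.
        reply_to = msg["Reply-To"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender.domain.lower():
            hits.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        hits.append("urgency")
    if MONEY.search(text):
        hits.append("money-request")
    if any(host.lower() in SHORTENERS for host in HOST_IN_URL.findall(text)):
        hits.append("shortened-link")
    if list(msg.iter_attachments()):
        hits.append("unexpected-attachment")
    return hits
```

A message that trips several indicators at once is a good candidate for the "report to IT or security" step rather than for the user to act on.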

Organizations can also encourage or enforce best practices that put less pressure on employees to be phishing sleuths. For example, organizations can establish and communicate clarifying policies (e.g., a manager or colleague will never email a request to transfer funds). They can require employees to verify any request for personal or sensitive information by contacting the sender or visiting the sender’s legitimate site directly, using means other than those provided in the message. Managers can insist that employees report phishing attempts and suspicious emails to the IT or security group.

Cost of a phishing attack

If a phishing attack is successful, the damage to an individual or corporation could be severe.

A successful attack could lead to:

  • Identity theft
  • Credit card fraud
  • Ransomware attacks
  • Data breaches
  • Financial losses

Security technologies that fight phishing

Despite the best user training and rigorous best practices, users still make mistakes. Fortunately, several established and emerging endpoint and network security technologies can help security teams be on top of phishing.

  • Spam filters and email security software use data on known phishing scams and machine learning algorithms to identify suspected phishing emails (and other spam), then move them to a separate folder and disable any links they contain.
  • Antivirus and anti-malware software detects and neutralizes malicious files or code in phishing emails.
  • Multi-factor authentication requires at least one login credential in addition to a username and a password, for example a one-time code sent to the user’s cell phone. By providing an additional last line of defense against phishing scams or other attacks that successfully compromise passwords, multi-factor authentication can undermine spear phishing attacks and prevent business email compromise.
  • Web filters prevent users from visiting known malicious websites (blacklisted sites) and display alerts whenever users visit suspected malicious or fake websites.

Conclusion

Employees should be adequately trained on the prevention of phishing attacks. Hackers constantly adapt their methods, so the best practice for an organization is frequent training. Phishing attacks are the second most common cause of a data breach and the most expensive.

Recognize and report phishing attacks NOW. Don’t wait! Your actions can prevent cybercrime and protect your digital life!

You can read more about phishing and how to prevent it at the following websites or by doing a search on Google to find the relevant information.

https://apwg.org/?s=phishing

https://krebsonsecurity.com/?s=phishing