Although the two words are pronounced the same, phishing has nothing to do with the childhood pastime of boats and bait, apart from the metaphor: the attacker casts a baited hook and waits for a bite. Phishing is a form of cyber attack that tricks a user into revealing sensitive information, or taking a harmful action, through electronic communication such as email, text messages, social media, and more. The idea for this reminder blog on phishing came from an executive who reached out to SWAT after receiving a very convincing email from “Microsoft.” We will explain what phishing is, describe best practices to protect you and your company, and show you a screenshot of the fake email our client sent in.
What is phishing?
Phishing can be defined simply as scammers tricking targets into doing what the scammer wants. Cybercriminals rely on social engineering, defined by CSO Online as “the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.” Humans make mistakes: IBM’s “2014 Cyber Security Intelligence Index” reported that 95 percent of all security incidents involve human error. Unfortunately, humans often have access to the most sensitive information a company possesses, and we are much easier to trick than computers.
The exact method varies. One common pattern is an email, disguised as coming from a trustworthy source, that contains a link to a fake login or payment page. The page prompts the user to enter personal information such as passwords, user IDs, credit card details, addresses, social security numbers, and more, which goes straight to the scammer. Another route is persuading the user to download malicious software disguised as something legitimate, such as an invoice, a shared document, or a software update; once it runs, the attacker has a foothold on the computer and can use it to gather information.
Although we do not want to scare you, it is imperative that our readers and clients understand the reality of phishing and how difficult it can be to detect. There are different types of phishing with varying goals, and we will describe two of the main methods:
- Spear phishing is a more advanced attack than general phishing, targeting a specific group or even a specific individual. According to Tripwire, “in spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.”
- Whaling means targeting the “big ones,” just as the name suggests. Whaling attacks are aimed at executives and their highly sensitive login or personal information. If an attacker takes over an executive’s mailbox, they can use it to send further phishing emails to employees under the guise of a trusted manager, and those emails will pass every check that looks only at the sender’s address.
How do I protect myself from phishing?
While it is crucial to understand what phishing is, it is even more important to understand how to take action and protect yourself against these attacks.
- Do not rely on technology alone. Firewalls, anti-malware software, and email filters exist to block mass phishing emails, but they are absolutely not foolproof, and it is up to you to stay aware at all times.
- Do not click on anything from an unknown sender. This includes downloading files or opening attachments. If an email from a seemingly familiar sender includes unexpected attachments or links, it is best practice to confirm with the person through a different channel (a phone call or a separate messaging platform, not a reply to the email) in case their account has been compromised and you are the target of a spear phishing attack.
- Do not enter personal information on a pop-up screen or on an unsecured website. An address beginning with “https://” (the s stands for secure) and a lock icon mean only that your connection to the site is encrypted; they do not mean the site is legitimate, and phishing pages routinely use HTTPS too. Check that the domain name shown in the address bar is the one you expect, and when in doubt type the address yourself rather than following a link.
- Do not comply with threats. If an email presses an urgent deadline and asks for personal information or a login, it may very well be a phishing email trying to scare users into acting before they think. PayPal’s examples of scams show how to identify fraudulent emails and websites of this kind.
- When in doubt, ask for help. Part of our job here at SWAT is to help our clients identify cyber-attacks and shut down phishing before the bait is taken. Below is an example of a client forwarding a suspicious email. Take a look at the “From” email address: the display name says Microsoft, but the address behind it does not belong to Microsoft. Also, the link’s visible text was a genuine Microsoft URL, but the link’s actual target pointed to a different address; hovering over a link before clicking reveals where it really goes.
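The three signals in the client’s email (a sender whose display name claims a brand the address domain does not belong to, a link whose visible URL differs from its real target, and an urgent deadline) can be checked mechanically. The following is an added example written for this post, not code from SWAT or from any mail product; the sample message, its addresses and URLs (all under the reserved .example domain), the brand allowlist and the urgency phrases are all constructed for illustration. It deliberately ignores whether a link uses https://, because an encrypted connection to a fraudulent domain is still fraudulent.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "Microsoft" lure described in the post.
# Every address and URL here is invented (.example); none is a real phishing site.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <security-alert@mail-microsoft-support.example>
To: exec@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected an unusual sign-in. Verify your account within 24 hours or it will be suspended.</p>
<p><a href="https://login.microsoft-verify.example/a1b2c3">https://account.microsoft.com/security</a></p>
<p><a href="https://www.microsoft.com/">Microsoft Support</a></p>
</body></html>
"""

# Assumed allowlist of legitimate sending domains per brand name. A real
# deployment would maintain this from the organisation's own vendor list.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}

# Assumed list of pressure phrases typical of "comply or else" lures.
URGENCY_PHRASES = ("within 24 hours", "will be suspended", "will be locked", "immediately")


def registrable_domain(host: str) -> str:
    """Naive 'example.com' from 'sub.example.com'. A production check should use
    the Public Suffix List so that 'foo.co.uk' is not collapsed to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def link_mismatches(html: str):
    """Flag anchors whose visible text is a URL on one domain while the href
    points at another: the trick used in the client's email. The scheme is
    ignored on purpose; an https:// target and a padlock prove nothing."""
    findings = []
    for href, text in extract_links(html):
        if not re.match(r"https?://", text, re.I):
            continue  # plain words like "Microsoft Support" give the reader no URL to compare
        shown = urlparse(text).hostname or ""
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def sender_mismatch(from_header: str):
    """Flag a display name that claims a known brand while the address domain
    is not one of that brand's legitimate domains."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in legit:
            return {"claimed_brand": brand, "address_domain": domain}
    return None


def analyse(raw: str) -> dict:
    """Run all three checks over a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    return {
        "sender": sender_mismatch(msg.get("From", "")),
        "links": link_mismatches(body),
        "urgency": [p for p in URGENCY_PHRASES if p in plain],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, `analyse` reports the sender domain mail-microsoft-support.example as not belonging to Microsoft, one link whose shown domain (microsoft.com) differs from its real target (microsoft-verify.example), and two urgency phrases. The second link, whose visible text is just the words “Microsoft Support”, is not flagged: there is nothing for a reader to compare, which is exactly why the first rule above is to hover and look at the real destination rather than trust the text.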