These days hackers are casting their net wider to catch a greater variety of phish, their success aided by a new breed of strategically crafted email campaigns that even the most savvy user can be duped into clicking through.
And not every phish is created equal. Tactics have evolved beyond spear phishing – whaling, smishing and vishing are among some of the newer additions to the cybersecurity vernacular that is reverberating in board rooms across the globe.
With phishing reported among the top three cybercrimes of 2017 (source: FBI), everyone is a target. And the catch can be bountiful – with hacker victories ranging from surreptitiously installing malware, stealing user credentials, and eliciting revenue through ransomware infections.
Read on for our tips to avoid being scooped up in the net.
- Be Aware
- Slow down: Phish attempts want you to act first and think later. If the message is overtly enticing, conveys a sense of urgency, or uses high-pressure tactics be sceptical; don’t let urgency compromise security.
- Process the information: Look closely at the sender’s full address not just what is automatically displayed (you can usually do this by hovering over or clicking on the sender’s name). Do you recognise them? If from a supposed credible source, is there something suspect about the time or manner in which the email was sent? Does the email context and behavior seem appropriate?
- Pay particular attention to embedded links and attached files. Never click or open without further inspection – something as seemingly innocuous as a typo could be a red flag. Hover over links to verify legitimacy of the URL before clicking and exercise caution if prompted to download attachments, especially .exe/.zip/.rar files.
- Spot the bait – sensitive information and banking links are honey holes. Don’t be tempted to open that confidential employee salary info you ‘accidentally’ just received. Likewise, don’t supply any personal information, no matter how enticing the incentive is. Be mindful that most financial organizations will never email you a link to their login page – if you get a message directing you to login always do so by separately browsing to the organization’s legitimate portal.
- Have a look online: if you are requested to go to a site, do so by researching the website yourself. Search to see if there are warnings reported about the site.
- Instinct: If nothing on the surface looks malicious but it still doesn’t feel legit then trust your instinct! Report the suspected phishing attempt to your IT support desk immediately for their verification. If it’s not fraudulent, no harm done. When it comes to cybersecurity it’s better to play it safe
- Use The Right Tools To Avoid That Phishing Line
Whether your IT infrastructure is managed internally or by a third party, having the right technology to counter any initial compromise attempts is key. We share some of the tools and best practices we deploy here at Options to protect our employees and clients from catching that shiny bait.
- User awareness and training: Conduct regular company-wide internal phishing tests so your employees can learn the telltale signs. Additional follow-up training should be mandatory for those who fail.
- Robust filtering technologies: On the backend, we deploy filtering technologies such as Fortimail to detect phishing and spam attempts – these reference a number of commercial databases that collect information about malicious email sources.
- Quarantine emails with ‘at risk’ attachments: Capture emails in quarantine that have attachment types that may carry malware (.zip/rar files, even jpegs can act as a mask for an executable program if saved to a local machine).
- Play it safe with macro enabled attachments: These too are captured in our email quarantine. Even if a macro enabled sheet makes it through the email filters, our security policies prevent macros from launching automatically – acting as another checkpoint in the process to preventing a phishing attempt.
- Keep web filters updated: In the unfortunate event an employee did take the click bait, ensuring the latest malicious websites are blocked will minimize the risk of malware infection.
- Leave no margin for error with anti-virus software: With the frequency of cyber attacks, enterprise antivirus software is evolving. We ensure our estate is constantly updated as a matter of priority to ensure that those with nefarious intentions are always met with resistance.
- Pay Heed To Those Cautionary Tales…
Even the people that are deemed high level security can fall victim to phishing and social engineer attempts. I leave you with this story of how a teenager used social engineering to attack the heart of US security – the FBI and CIA.
Mark Marwood, Technical Account Manager