By now I’m sure everyone is aware of the word “Phishing”, but many people are not too familiar with the practice itself or the risks that come with it, so I thought it best to take a shallow dive into this topic this week.
With a recent report from Proofpoint showing that 86% of organisations faced bulk phishing attacks in 2021, and other reports showing that phishing attacks are on the rise, it is extremely important that we are all aware of what a phishing attack is and how we can protect ourselves and our organisations against these types of attacks.
In a nutshell, Phishing is the practice of malicious actors using social engineering tactics in order to get access to an individual or organisation’s network, information, or finances. The most common method of phishing involves sending emails to a list of addresses enticing the recipients to either open an attachment, click a link, send sensitive information like credentials, or transfer funds.
Some standard tell-tale signs of a phishing email include the following:
- Generic greetings (Dear Mr / Mrs / Miss)
- Bad grammar or spelling mistakes in the body of the email
- An incorrect, fraudulent or generic (e.g. gmail.com) FROM email address
- Unexpected attachments (likely malicious)
- Links in the text, usually via “buttons” or images, leading to an unknown site
Also remember that if something seems too good to be true, it probably is. If someone is using urgency to panic you into doing something, stop and think before you act, and preferably verify the request via another trusted communication method (e.g. a telephone call to a saved or independently verified number).
Most importantly, when dealing with written communication methods (e.g. email, SMS, instant messaging), it is extremely important to NEVER CLICK ON LINKS OR ATTACHMENTS unless you are 100% certain that they are expected, from the correct sender and legitimate in content and nature!
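As an added illustration of how those tell-tale signs translate into a first-pass check (example code written for this post, not part of the original article), the Python below parses a constructed sample message and reports which of the signs it shows. The sample addresses, the `acme.example` organisation domain and the keyword lists are assumptions; the heuristics are a triage aid for a mail team or a curious reader, not a replacement for a proper mail filter.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the original post) showing several of the tells.
SAMPLE_EMAIL = """\
From: "Acme Payroll" <acme.payroll.team@gmail.com>
To: staff@acme.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Mr / Mrs,</p>
<p>Your account will be suspended unless you act now.</p>
<p><a href="http://acme-login.example.net/verify">Verify account</a></p></body></html>
"""
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(mr|mrs|miss|sir|madam|customer|user)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now|suspended)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"', re.I)
TAG = re.compile(r"<[^>]+>")


def triage(raw, corporate_domain):
    """Return the tell-tale signs found in one message; an empty list is not proof of safety."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # FROM address: a free-mail provider, or a domain that is not the organisation's own.
    sender_domain = msg.get("From", "").rpartition("@")[2].rstrip(">").lower()
    if sender_domain in FREEMAIL:
        reasons.append(f"free-mail sender domain {sender_domain}")
    elif sender_domain != corporate_domain:
        reasons.append(f"unexpected sender domain {sender_domain!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = TAG.sub(" ", html)  # strip markup so the word-level regexes see plain text
    # Generic salutation and pressure wording (the "urgency" advice in the post).
    if GENERIC_GREETING.search(text):
        reasons.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        reasons.append("urgency language")
    # Any attachment at all deserves a second look.
    for part in msg.iter_attachments():
        reasons.append(f"attachment {part.get_filename()!r}")
    # Links whose host is not the organisation's domain (or a subdomain of it).
    for href in ANCHOR.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host != corporate_domain and not host.endswith("." + corporate_domain):
            reasons.append(f"link to external host {host}")
    return reasons
```

Calling `triage(SAMPLE_EMAIL, "acme.example")` flags the free-mail sender, the generic greeting, the urgency wording and the external link; a plain internal message from the organisation's own domain with none of those features returns an empty list.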
Although safeguards and filters exist for most personal and corporate email systems to protect users against phishing attacks, these malicious actors are becoming more and more sophisticated. This means that more phishing emails are making it through these protection systems and that those emails are becoming more convincing and harder to spot. The same is true of other forms of phishing, including via SMS, social media and instant messaging applications (e.g. WhatsApp, iMessage, Messenger).
This is why vigilance and knowledge are key when dealing with all types of communication, in order to protect ourselves against bad actors looking to steal from, extort and cheat us.
Some sound advice from a SANS Ouch! Newsletter tells us to ask ourselves the following questions before taking action on a suspicious message:
- Does the message create a heightened sense of urgency? Are you being pressured to bypass your organization’s security policies? Are you being rushed into making a mistake? The greater the pressure or sense of urgency, the more likely this is an attack.
- Does the email or message make sense? Would the CEO of your company urgently text you asking for help? Does your supervisor really need you to rush out and buy gift cards? Why would your bank or credit card company be asking for personal information they should already have about you? If the message seems odd or out of place, it may be an attack.
- Are you receiving a work-related email from a trusted coworker or perhaps your supervisor, but the email is using a personal email address such as @gmail.com?
- Did you receive an email or message from someone you know, but the wording, tone of voice or signature in the message is wrong and unusual?
Essentially, if you are not 100% sure of the legitimacy of an email, report it to the Information Security or IT department at work, or to a trusted source in your personal life. It’s also important to report it to the relevant email provider you use so that they can improve their email filtering systems and hopefully stop any similar future emails from making it through.