What is Phishing? And how to protect yourself from it
Phishing is a form of social engineering that uses the act of deception to steal sensitive information from members of the public. This can occur in an array of formats, such as email, telephone and text.
Spear Phishing is a type of phishing attack that targets specific individuals or groups. Research is often undertaken on the intended targets; this can include reviewing their social media profiles and gathering information that is publicly available online. Attackers use this data to craft convincing correspondence for potential victims, in an attempt to coerce them into handing over additional personal and non-public information.
How Phishing Works
Phishing attacks pursue goals ranging from password and data theft to malware intrusion and full system compromise.
Email phishing consists of sending an email to the intended victim that requests information directly or directs the user to: click on a link to a spoofed site, where they are prompted to enter their username and password; open an email attachment, which in turn executes malware; or visit a malicious website that installs malware on the visiting device.
Phishing messages often impersonate reputable organisations in an attempt to exploit trust. Warning signs to look out for include: requests for an urgent response; requests for personal information; offers of money or gifts. Other indicators are poor spelling or grammar and mismatched URLs, where the link text shows one address but the link actually points somewhere else (hovering over a link on a computer, or long-pressing it on a phone, reveals the real destination).
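The indicators listed above can be checked mechanically. The following is an added example, not code from the original article: a Python scan of an HTML email body that flags links whose visible text names a different domain than the one the link opens, and counts urgency, prize and credential-request language. The two sample emails, and the domains examplebank.com and account-verify.net, are constructed for the demonstration; the keyword lists are illustrative rather than a complete filter.

```python
"""Heuristic scan of an HTML email for the indicators listed above: link text
that names one domain while the href points to another, urgency language,
requests for credentials and prize offers. Sample emails are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "final notice")
PRIZE_TERMS = ("you have won", "prize", "gift card", "claim your reward")
CREDENTIAL_TERMS = ("password", "username", "pin", "card number", "date of birth")

# Anchor text that looks like a URL or bare domain; group 1 is the host the reader sees.
SHOWN_DOMAIN_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for the demo; a real filter
    would use the Public Suffix List to handle names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html):
    """Links whose visible text names a different domain than the href leads to."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        match = SHOWN_DOMAIN_RE.match(text)
        if not match:
            continue  # text like "Contact us" shows no domain to compare against
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if shown != actual:
            flagged.append((text, href))
    return flagged


def text_indicators(html):
    """Whole-word hit counts per indicator family, on the tag-stripped text."""
    text = re.sub(r"<[^>]+>", " ", html).lower()

    def hits(terms):
        return sum(1 for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text))

    return {"urgency": hits(URGENCY_TERMS), "prize": hits(PRIZE_TERMS),
            "credential_request": hits(CREDENTIAL_TERMS)}


def scan_email(html):
    """Combine the indicators into a verdict. A mismatched link alone is enough;
    otherwise urgency plus a credential request, or a prize offer, flags it."""
    report = text_indicators(html)
    report["mismatched_links"] = mismatched_links(html)
    report["suspicious"] = bool(report["mismatched_links"]) or report["prize"] > 0 or (
        report["urgency"] >= 2 and report["credential_request"] >= 1)
    return report


# Constructed sample: a fake "account suspended" notice with a look-alike link.
SAMPLE_PHISH = """<html><body>
<p>Dear customer, your account has been suspended. Verify your account
immediately or access will be removed within 24 hours.</p>
<p>Sign in at <a href="http://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a>
and confirm your username and password.</p>
<p>Questions? <a href="https://www.examplebank.com/help">Contact us</a>.</p>
</body></html>"""

# Constructed sample: a routine notice with an honest link and no pressure language.
SAMPLE_BENIGN = """<html><body>
<p>Your monthly statement is ready. View it any time at
<a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, mail in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, scan_email(mail))
```

The mismatched-link check is the most reliable of the three, because it compares what the reader sees with where the browser would actually go; the keyword counts are deliberately weighted so that urgency alone does not flag a message, since legitimate notices also use that language.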
Protecting Against Phishing: Advice for IT administrators
- Implement and require two-factor authentication (2FA)
2FA protects an account when its password has been phished, since the password alone is no longer enough to log in. Not all second factors are equal, however: a one-time code sent by SMS or generated by an authenticator app can itself be phished, because a fake login page can ask for the code and relay it to the real site within its validity window. The most reliable approach is a Universal 2nd Factor (U2F) security key plugged into the user’s computer; the key signs a login challenge that is bound to the website’s origin, so an assertion produced on a spoofed domain is rejected by the genuine site, and users still log in quickly and safely.
- Encourage users to regularly update devices
Devices running older software versions, or without security features enabled, are more likely to be compromised.
- Gain visibility regarding the devices that are accessing your network
Many companies have adopted Bring Your Own Device (BYOD) schemes; however, using personal computers and smartphones to access an organisation’s resources increases the risk to the business. When work applications are accessed from a personal device, consider an endpoint management solution that checks the device’s security posture before granting access. This supports stronger access management policies and allows more rigorous security controls to be applied.
Protecting Against Phishing: Advice for users
- Manually type in URLs, rather than clicking on hyperlinks contained in emails
Bear in mind that hyperlinks in emails can be deceptive: the text you see need not match the address the link actually opens. Type the domain name yourself before entering any confidential information online.
- Activate two-factor authentication (2FA) for each account
Free authenticator apps such as Google Authenticator generate time-based one-time passcodes that add 2FA against unauthorised access and are a clear improvement over a password alone. Bear in mind that a passcode can still be relayed by a phishing site that asks for it and forwards it to the real site straight away, so where a service supports a U2F security key, that option gives stronger protection against phishing.
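The difference between an authenticator-app code and a U2F security key, described in this item and in the 2FA advice for IT administrators above, is easiest to see in a worked exchange. The following is an added example, not code from the original article: it implements RFC 6238 TOTP (the scheme authenticator apps use), then plays a real-time relay attack against both factors. HMAC stands in for the security key’s per-site ECDSA signature so that the example needs only the Python standard library; the origins examplebank.com and account-verify.net and the enrolment secrets are constructed for the demonstration.

```python
"""Why a U2F security key resists phishing where a TOTP app code does not.
A phishing site that relays what the victim types in real time gets a valid
TOTP code, but a key's assertion is bound to the origin the browser reports,
so the genuine site rejects what was produced on the look-alike domain.
Simplified model: HMAC stands in for the key's per-site ECDSA signature."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://www.examplebank.com"                  # constructed
PHISH_ORIGIN = "https://examplebank.com.account-verify.net"  # constructed look-alike


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_server_accepts(secret, code, now, step=30):
    """Server check with the usual one-step tolerance either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * step), code) for d in (-1, 0, 1))


class SecurityKey:
    """U2F-style authenticator. The secret never leaves the device; the browser,
    not the user, supplies the origin that gets mixed into the assertion."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def assert_login(self, challenge, browser_origin):
        return hmac.new(self._secret, browser_origin.encode() + b"\0" + challenge,
                        hashlib.sha256).digest()

    def verifier(self):
        """Stand-in for the public key handed over at registration. With real
        ECDSA the server verifies without holding any secret of the key's."""
        return lambda challenge, origin, assertion: hmac.compare_digest(
            self.assert_login(challenge, origin), assertion)


class RelyingParty:
    """The genuine site: issues single-use challenges and verifies assertions
    against its own origin, never against an origin the client claims."""

    def __init__(self, origin, verifier):
        self.origin = origin
        self._verify = verifier
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, challenge, assertion):
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)  # single use: an old assertion cannot be replayed
        return self._verify(challenge, self.origin, assertion)


def demo(now=1_700_000_000):
    totp_secret = secrets.token_bytes(20)  # shared between app and server at enrolment
    key = SecurityKey()
    bank = RelyingParty(REAL_ORIGIN, key.verifier())

    # 1. Real-time relay against TOTP: the fake page asks for the 6-digit code and
    #    forwards it to the bank within the same 30-second window. It is accepted.
    code_typed_on_fake_page = totp(totp_secret, now)
    totp_relayed = totp_server_accepts(totp_secret, code_typed_on_fake_page, now)

    # 2. Legitimate U2F login: the browser is on the real origin.
    ch = bank.new_challenge()
    u2f_legit = bank.finish_login(ch, key.assert_login(ch, REAL_ORIGIN))

    # 3. Relay against U2F: the attacker fetches a real challenge and forwards it, but
    #    the victim's browser is on the phishing origin and tells the key so. Rejected.
    ch = bank.new_challenge()
    u2f_relayed = bank.finish_login(ch, key.assert_login(ch, PHISH_ORIGIN))

    return {"totp_relayed": totp_relayed, "u2f_legit": u2f_legit, "u2f_relayed": u2f_relayed}


if __name__ == "__main__":
    print(demo())  # {'totp_relayed': True, 'u2f_legit': True, 'u2f_relayed': False}
```

The point the exchange makes is that the user has no decision to get wrong with the key: the origin is supplied by the browser from the address bar, so even a victim who is completely convinced by the fake page cannot produce an assertion the real site will accept.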
- Be aware of certain social cues, urgent requests, and gifts or money offers
Offers of gifts and money can attract a user’s attention; if something sounds too good to be true, be wary! Phishing attacks can often attempt to invoke a sense of urgency and play upon a user’s emotions to provoke a quick response, such as requests for account updates and outstanding payments.
- Beware of social media, entertainment or reward scams
Phishing attacks using social media sites have increased significantly in recent years and prey upon the established trust between users and the brand or platform. Be vigilant when using social media, particularly when personal details are requested.
- If in doubt, seek verification from the sender
If you cannot verify authenticity in person, call or contact the sender through a different channel to confirm that the request is genuine. Bear in mind that other channels may also have been compromised, so if you suspect foul play, contact your IT or security team for clarification.
- Ensure that software is regularly updated
Keeping applications and computers up-to-date will help to protect against phishing attacks. Regularly check for, and run software updates. Where possible, use software that automatically updates.
- Take a phishing course
There are many free courses out there to help you identify phishing emails, such as https://www.phishingbox.com/phishing-test. Unfortunately, phishing is here to stay. Keeping abreast of the latest phishing scams and online protection techniques can help to safeguard your data; but should the worst happen, ensure that you are covered.
For more information on Cyber Cover, contact our team today to talk through your options.