New research shows phishing scams remain a significant cybersecurity issue. Here are some ways to avoid being the next victim.
Phishing just won’t go away. In fact, it’s getting worse. A recent Proofpoint cybersecurity survey identified phishing as one of the top data security problems facing businesses, with 83% of organizations worldwide reporting phishing attacks in 2018. Overall, respondents answered a quarter of the survey’s questions on phishing threats and data protection incorrectly, a serious concern for IT departments everywhere given the emphasis placed on detecting and avoiding these attacks.
Proofpoint surveyed companies in 16 industries and evaluated more than 20 departments. Communications divisions responded the most accurately, with Customer Service, Facilities and – ironically – Security doing the worst. Finance industry respondents were the most knowledgeable while Education and Transportation brought up the rear, missing 76% of the questions.
What’s going on? Organizations seem to be getting worse at preventing phishing attacks. Fortunately there are some fairly simple ways to improve. Perhaps it’s time for a refresher.
What is phishing and how does it work?
Phishing definition: a fraudulent attempt to trick individuals into divulging sensitive information (usernames, passwords, banking details) by impersonating a trusted source, most often by email.
Spear phishing – a more personalized way of targeting a victim – leverages three potential weaknesses in a recipient:
The apparent source appears to be a known and trusted individual
The message contains information supporting its validity
The request seems to have a logical basis
Phishing emails typically try to lure the recipient into doing one of two things: a) handing over sensitive or valuable information, usually on a fake login page; or b) opening an attachment or link that installs malware. There are several types of phishing, and each has the potential to wreak havoc in an organization.
How to avoid phishing scams
From an organizational perspective, the FTC provides a helpful overview and good advice for recognizing and avoiding phishing.
- Protect all computers in the organization by using security software. Set the software to update automatically so it can deal with any new security threats.
- Protect all mobile phones and tablets by instituting a mandatory update policy for devices that access your network. These updates can give you critical protection against security threats.
- Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in; this is called multi-factor authentication. Beyond the password (something a user knows), the additional credentials fall into two categories:
- Something a user has, like a one-time code from a text message or an authentication app, or a hardware security key.
- Something a user is, like a fingerprint, retina or face scan.
One-time codes from SMS or an app still help, but a phishing site can relay them to the real service in real time; hardware security keys using FIDO2/WebAuthn bind the login to the genuine site’s domain and resist that kind of relay.
- Protect your data by backing it up. Back up data and keep the backups disconnected from the usual network, for example on an external hard drive that is unplugged after the copy or in cloud storage; ransomware delivered by phishing will encrypt any backup it can reach. Back up the data on your phone, too.
These are critically important steps toward safeguarding yourself and your organization against cybercriminals. Beyond them, train staff to read every email with a critical eye:
- Never trust any source that requests sensitive information via email.
- Is the email professionally written? Misspellings and grammatical errors are hints you’re being phished, though a well-crafted spear phishing email can be flawless.
- Is the greeting generic? Mass phishing often doesn’t know your name, so “Dear customer” is a warning sign. The reverse doesn’t hold: a spear phisher will have researched your name and role, so a personalized message is not proof of legitimacy.
- Watch for overly urgent subject lines and language like “Verify your account.” Emails saying your account has been compromised frequently tip off a phishing attack.
- Does the email contain attachments? If it’s an unsolicited approach with an attachment, it may well be a scam.
- Is the email from a legitimate domain? Look at the actual address, not the display name, and compare the part after the @ with the organization’s real domain character by character; lookalikes such as examp1e.com or example-bank-secure.com are common. Even an exact match is not proof on its own: the From address can be forged unless the receiving mail server checks SPF, DKIM and DMARC, so make sure your mail system enforces them.
- Does the link begin with “https” and show a closed lock in the address bar? That only means the connection is encrypted, not that the site is genuine; a large share of phishing sites now use HTTPS too. What matters is the domain name shown in the address bar, read carefully.
- Is your browser up to date? Browser vendors release patches for newly discovered vulnerabilities all the time, so let their developers do the hard work for you.
- Install an anti-phishing toolbar or plugin on your browser.
- Does the email contain a link? Hover over it without clicking and compare the address shown in the status bar with the link text; if they point to different domains, it’s a scam. A shortened URL (bit.ly, tinyurl and the like) defeats this check, because the status bar shows only the shortener’s address, not the destination, so treat shortened links in unexpected email as suspicious.
- Instead of clicking on a suspicious link, type the institution’s root URL (the https://abc.com part) into the browser yourself and navigate from there.
- Stay informed. A web search for “how to avoid phishing” returns millions of results, so it isn’t difficult to keep up with the latest tactics and prevention best practices. Pay close attention when there’s a story about a new tactic.
- Retake your company’s security and anti-phishing training. If you score less than 100% study up and try again.
- Instead of double-clicking a suspicious file, open it in a sandboxed preview such as an online document viewer (Google Drive, for example), which renders the content as HTML or PDF without running embedded macros or scripts. Bear in mind that uploading a document shares its contents with that service, so don’t do this with confidential material.
- Be wary of pop-ups, which are frequently employed in phishing attacks. Most commonly used browsers allow you to block pop-ups by default.
- Trust your gut. Does the email feel different or off? If it purports to be from someone you know, is its content inconsistent with the tone and vocabulary you’re used to from the source?
- When in doubt, do not click. Make “don’t click” your default setting. Only click a link once you’re sure it’s safe.
- Report potential phishing emails to IT. If an email is allegedly from someone you know, contact them through a separate channel (phone, chat, or a new email to their known address) rather than replying, and ask whether they sent it.
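The sender-domain, link and shortened-URL checks in the list above can be automated as a first-pass triage of a suspicious message. The script below is an added example for this page, not code from the original article, Proofpoint or the FTC. It parses a constructed sample email, compares the real From address domain with the domain the mail claims to represent, reads the receiving server’s Authentication-Results header for the SPF/DKIM/DMARC verdicts, and flags every link whose visible text points to a different host than its href, uses a URL shortener, or uses a punycode (xn--) hostname. The expected domain, the shortener list and both sample messages are assumptions for illustration; the punycode host is made up, not a real domain.

```python
"""First-pass triage of a suspicious email (added example, not from the article).
Assumes the receiving server adds an Authentication-Results header; the shortener
list, expected domain and sample messages are illustrative."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumed list

# Constructed sample, not a real message: lookalike sender domain, failed SPF/DKIM/
# DMARC, a shortened link whose text claims the bank's site, a punycode-style host.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Subject: Verify your account now
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examp1e-bank.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been compromised. Click <a href="https://bit.ly/3xAbCdE">https://www.example-bank.com/login</a> to verify.</p>
<p>Or visit <a href="https://xn--exmple-bank-w8a.com/login">Example Bank</a>.</p>
</body></html>
"""

# Constructed legitimate message for comparison: nothing should be flagged.
CLEAN_EMAIL = b"""\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_host):
    """Lowercase hostname of a URL or bare host string ('' if none)."""
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def analyze(raw, expected_domain):
    """Return a list of red-flag strings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    # 1. The real address domain, not the display name, must match exactly.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != expected_domain:
        flags.append(f"From domain {sender_domain!r} is not {expected_domain!r}")
        if expected_domain.split(".")[0].replace("-", " ") in display.lower():
            flags.append(f"display name {display!r} impersonates {expected_domain!r}")
    # 2. Receiving server's SPF/DKIM/DMARC verdicts: anything but pass is a flag.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            flags.append(f"{mech} result is {result}")
    # 3. Links: shorteners, punycode hosts, and text showing one site while the
    #    href goes to another (what hovering reveals, checked for every link).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        ex = LinkExtractor()
        ex.feed(body.get_content())
        for href, text in ex.links:
            host = hostname_of(href)
            if host in SHORTENERS:
                flags.append(f"link uses URL shortener {host}; destination is hidden")
            if "xn--" in host:
                flags.append(f"link host {host!r} is punycode (possible lookalike domain)")
            if re.match(r"https?://", text, re.I) and hostname_of(text) != host:
                flags.append(f"link text shows {hostname_of(text)!r} but href goes to {host!r}")
    return flags


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EMAIL, "example-bank.com"):
        print("RED FLAG:", flag)
```

Run as-is, `analyze(SAMPLE_EMAIL, "example-bank.com")` returns eight flags (domain mismatch, impersonating display name, SPF/DKIM/DMARC failures, the shortener, the text/href mismatch and the punycode host), while the clean message returns none. The checks are heuristics: a message that passes all of them can still be phishing, and an enforced DMARC policy on the receiving side is what actually stops a forged From address.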
Hackers are clever and are always innovating new ways to breach cybersecurity defenses, so no single tactic is likely to afford 100% protection. But organizations can do a lot from a policy, procedures and training perspective to be more aware of phishing and how it works.