What is a phishing
Phishing is a popular method used by Cyber criminals to acquire sensitive information from individuals or companies.
Sending fake emails, SMS and phone calls pretending to be from a trusted source or company such as Banks, Suppliers, Social media & research companies, the attacker gains the trust of the victim. They will then attempt to have the victim give them login credentials, credit card details or other information to allow them to carry out a further attack.
Example of a phishing attack
Currently the most common method of attack is via email. An email costs the attacker nothing and can send to 1000s of accounts simultaneously (called a spear phishing) in the hope that just 1 person will open that email infecting their PC or indeed the corporate network opening access to them from outside.
Steps to defend yourself
So how would you defend yourself against these kinds of attacks? By following the steps below along with common sense you can greatly reduce your risk of being caught by a Phishing trap.
Emails
- Does the sender match someone you know?
- Does the reply address match the sender?
- Did the email come in as SPAM/Junk?
- If you hover over the url link in the mail does it match ie www.paypal.com vs giesveiss.ag/login?
- Does it contain an unusual attachment?
- Is the email requesting change of bank/invoicing/payment details?
If you are unsure, contact your IT department for them to check it out first.
SMS
- Do you actually bank with that bank?
- Is the number/sender hidden?
- Did you actually enter a competition to win xxxx euros/dollars/ipad?
Call back your bank/company using the known telephone number to confirm if the SMS is indeed from them and if you need to do anything.
Phone calls
- If you are in the office and IT calls, is it showing an external number rather than extension?
- If you have a central directory does that person work for you and is that a valid external number if at a branch office/on-board a vessel?
- If it’s a research company what information should you really give them?
If unsure, take note of the telephone number that has called and name. Explain you will call back. Then call the correct/known number within your company to confirm the person. If the person is valid ok, if not ensure you report the number and name to your IT/security department for follow-up and to warn other staff.
Phishers will often call up pretending to be research companies in an attempt to gain knowledge about you or the company. If you need to deal with research companies again it is better to call a known number and confirm, but still be aware of what information you are giving to them.
Summary
I.T departments alone cannot combat this threat and this is why the Cyber criminals utilize it. Bypassing technology and praying on human weaknesses.
Phishing can however be combated by thinking before clicking, opening an attachment, replying to an email or giving out information on the phone.
Cybersail offers a End user awareness training session which includes more details on phishing as well as other Cyber threats.
Tip of the month is brought to you by
