Phishing schemes have been top attack vectors for the past several years; they are 'tried and true' methods that generally result in a high level of success for attackers, granting them access to username and password details, bank accounts, social security numbers, email addresses, phone numbers, credit card numbers, and other sensitive information. As such, it is expected that the number of phishing attacks will soon surpass that of web-based application attacks.
The Threat of Phishing Attacks
A phishing scam works because of the human component. Victims are lured into a malicious link, opening attachments containing malware, or sharing personal information. The general strategy of a phisher involves three distinct operations: target selection of a specific individual, social engineering such as phishing messages, and technical engineering. Social engineering is by far the most malicious step in an attacker's process, as they customize their attacks to prey on each victim's emotions and unique fears.
Phishing efforts increase around the holiday season – beginning in October and continuing through January. During these months, people engage in a large amount of online shopping or donate more to charities, making them more likely to provide credentials and credit card numbers, or open attachments purportedly containing shipping or invoice information.
Keeping Your Organization Secure
An organization's security team is the first line of defense in protecting against phishing. Educating users to on how to recognize a phishing attack when navigating their inboxes is of primary importance as phishing schemes become more sophisticated and aggressive. Among other things, users should be wary of PDF and Zip file attachments, links with shortened URLs, certificate warnings, and any requests for login credentials.
A good rule of thumb is to not click on any links or open any attachments in an email from an unknown source. An added caveat is that phishing emails can be spoofed to appear as though they are from a friend, co-worker, or other contacts. If something in an email from a known source sends up a red flag, taking a moment to reach out to that contact through another channel to confirm the email could save hours of headache later.
Finding a Solution to Phishing
As a security team, there are several technology-focused steps – in addition to awareness training – you can take to prevent phishing. Clearly labeling all emails coming from outside the organization as "External" will protect against attackers attempting to spoof internal email addresses. Making use of dummy accounts and bot detection methods are helpful in the identification of potential attacks before they can affect users. Having controls such as anti-virus software, web-filtering, single sign-on, and multi-factor authentication in place can be crucial to reducing damage if a user does fall victim to a phishing scheme.
It is essential to treat a phishing attempt with the same seriousness of any cyber attack. For more information, and to help safeguard your company's data, contact Vandis to discuss a custom-built solution.