Phishing schemes have been top attack vectors for the past several years. They are “tried and true” methods that generally result in a high level of success for attackers, granting them access to login credentials, account numbers, social security numbers, email addresses, phone numbers, credit card numbers, and other personally identifiable information. As such, it is expected that the number of phishing attacks will soon surpass that of web-based application attacks.
Phishing works because of the human component. Victims are lured into clicking links to malicious websites, opening attachments containing malware, or sharing personal information. The general strategy of a phisher involves three distinct operations: target selection, social engineering, and technical engineering. Social engineering is by far the most malicious step in an attacker’s process, as they customize their attacks to prey on each victim’s individual emotions and unique fears. Phishing efforts increase around the holiday season – beginning in October and continuing through January. During these months, people engage in a large amount of online shopping or donate more to charities, making them more likely to provide credentials and credit card numbers, or open attachments purportedly containing shipping or invoice information.
An organization’s security team is the first line of defense in protecting against phishing. Educating users to “ask questions first, click second” when navigating their inboxes is of primary importance as phishing schemes become more sophisticated and aggressive. Among other things, users should be wary of PDF and Zip file attachments, links with shortened URLs, certificate warnings, and any requests for login credentials. A good rule of thumb is to not click on any links or open any attachments in an e-mail from an unknown source. An added caveat is that phishing e-mails can be spoofed to appear as though they are from a friend, co-worker, or other contact. If something in an e-mail from a known source raises a red flag, taking a moment to reach out to that contact through another channel to confirm the e-mail could save hours of headache later.
As a security team, there are a number of technology-focused steps – in addition to awareness training – you can take to prevent phishing. Clearly labeling all e-mails coming from outside the organization as “External” will protect against attackers attempting to spoof internal e-mail addresses, because a message claiming to come from a colleague but carrying the label is immediately suspect. Making use of dummy accounts and bot detection methods is helpful in identifying potential attacks before they can affect users. Having controls such as anti-virus software, web-filtering, single sign-on, and multi-factor authentication in place can be crucial to reducing damage in the event that a user does fall victim to a phishing scheme.
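The “External” label described above is applied by a rule at the mail gateway. The following is an added example of such a rule, written for this page and not taken from the original post, F5 Labs, or any vendor product. It assumes the organization owns the constructed domains in `INTERNAL_DOMAINS`, checks both the From and Reply-To headers (a spoofed message can show an internal-looking From address while steering replies elsewhere), and also flags the common display-name trick where an external address is dressed up with an internal domain in the visible name. The sample messages are constructed.

```python
"""Tag inbound mail from outside the organization as "[External]".

Added example (not from the original post or F5 Labs): a minimal version of
the subject-tagging rule a mail gateway applies. The internal domain names,
the tag text and the sample messages are constructed for this demonstration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: these are the organization's own domains (constructed).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXTERNAL_TAG = "[External]"


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _display, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """A message is external when its From or Reply-To address is outside the org."""
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value and sender_domain(value) not in INTERNAL_DOMAINS:
            return True
    return False


def looks_like_display_name_spoof(msg: EmailMessage) -> bool:
    """Flag an external sender whose display name mentions an internal domain,
    e.g. '"IT Support example.com" <someone@mail-relay.example.net>'."""
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return False
    return any(d in display.lower() for d in INTERNAL_DOMAINS)


def tag_message(raw: str) -> EmailMessage:
    """Parse a raw message and prepend the external tag to its Subject if needed.

    The tag is added only once, so a message that already carries it (for
    example one relayed through the gateway twice) is left unchanged.
    """
    msg = message_from_string(raw, policy=policy.default)
    if is_external(msg):
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]  # EmailMessage appends on assignment, so clear first
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


# Constructed sample messages.
INTERNAL_MAIL = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

SPOOFED_MAIL = """From: "IT Support example.com" <helpdesk@mail-relay.example.net>
Reply-To: helpdesk@mail-relay.example.net
To: bob@example.com
Subject: Password expires today

Your password expires today.
"""


if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SPOOFED_MAIL):
        tagged = tag_message(raw)
        print(tagged["Subject"], "| display-name spoof:",
              looks_like_display_name_spoof(tagged))
```

Running the module prints the internal message's subject unchanged and the spoofed one as `[External] Password expires today` with the display-name spoof flag set. In a real gateway the same decision would usually be combined with SPF, DKIM and DMARC results, which this example does not evaluate.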
Our source article, 2018 Phishing and Fraud Report: Attacks Peak During the Holidays by Ray Pompon, Debbie Walkowski, Sara Boddy, and Mike Levin at F5 Labs, goes into great detail about the growing ubiquity of phishing schemes and how you can safeguard your organization from them. Through our partnerships with industry leaders like F5 Networks, Vandis can help to safeguard your organization’s network from the effects of potential phishing attacks. Call us at 516-281-2200 or e-mail email@example.com to discuss a custom solution.