Gone Phishin': What to Watch for and How to Keep from Being a "Big Phish"
Have you heard of phishing? And no, I don’t mean casting a hook into water with high hopes of landing the mother of all fish to brag about with friends. Although, this isn’t far from what happens with the social engineering techniques used to deceive users: the attacker who can hook the most information by exploiting your weaknesses gets the bragging rights.
Let’s examine a couple types of phishing.
Spear phishing
Spear phishing is an attempt by a hacker to target specific individuals. These anglers are after access to company information. They might research you to add details that personalize the email and increase its chance of success. For example: that recent vacation you took to the Bahamas was certainly brag-worthy. However, your extensive posting on Facebook without locking down your profile means this hacker just gained the perfect “in” by mentioning your penchant for body surfing your way across the globe. “They must know me, that’s such personal information!” Don’t fall for it.
CEO fraud or “Whaling”
CEO fraud has been on the rise lately. This is where you receive an email that appears to come from the CEO of your company. (Who wouldn’t open that, right?) The sending domain has been spoofed to look like it came from your organization. The hacker might even add details that have been researched about the CEO to make the email more believable, or send it at a time when the CEO is known to be out of the office, so you can’t simply walk over and ask. And, just like that, you’re caught... hook, line, and sinker.
What to watch for
Ever received an email that seems “too good to be true”? Chances are, it is. Be suspicious of emails claiming you’ve won a free cruise or an iPad, and use caution before clicking on links or providing your credentials.
Remember that email from your boss telling you how urgent it is that you get back to them? Or how urgent it is that you provide passwords or wire money to an account? Your organization should establish guidelines as to what information should be sent or requested via email. If something is urgent or sensitive, meet face to face or over the phone. And always have a way to verify the validity of a request.
- Check your hyperlinks.
If you get an email from your financial institution that looks suspicious, hover over the buttons and links to make sure they go where they should. Check for misspellings in words or URLs that don’t match the institution’s real website.
- Verify attachments.
If you receive an attachment from someone you weren’t expecting, use caution before opening it. Attachments could easily contain an executable file that could infect your computer with a virus or ransomware.
- Verify the sender of an email.
If you have never received an email from someone before, and now they’re asking you to download files or provide information, run through the checklist to verify whether the email is safe. Are the links legitimate? Is this information they should be receiving? Does the attachment make sense for the situation?
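The three checklist items above (does the link go where its text says, is the attachment something that runs as a program, does the sender’s domain merely resemble yours) can be turned into an automated first pass. This is an added example, not code from the original post; it assumes the organization’s domain is example-corp.com and builds a constructed sample message with Python’s standard email library.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed organisation domain, constructed for this example
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")  # file types that run as programs
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full parser
def registered_domain(host):  # crude owner domain: the last two labels (no public-suffix list)
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def check_links(html):
    """Flag links whose visible text looks like a URL but whose href points somewhere else."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = text.strip()
        if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
            continue  # 'click here' style text gives nothing to compare against
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if registered_domain(shown) != registered_domain(real):
            findings.append(f"link shows {shown} but goes to {real}")
    return findings

def check_sender(from_header):
    """Flag a From domain that imitates ORG_DOMAIN (digit-for-letter swaps) or is external."""
    domain = str(from_header).rsplit("@", 1)[-1].rstrip("> ").lower()
    if domain == ORG_DOMAIN:
        return []
    fold = str.maketrans("10", "lo")  # 1 -> l, 0 -> o: common lookalike substitutions
    if domain.translate(fold) == ORG_DOMAIN or ORG_DOMAIN.split(".")[0] in domain:
        return [f"sender domain {domain} imitates {ORG_DOMAIN}"]
    return [f"sender domain {domain} is outside the organisation"]

def check_attachments(msg):
    """Flag attachments whose filename ends in an executable extension."""
    return [f"risky attachment {p.get_filename()}" for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
def triage(msg):
    """Run the three checklist items against an EmailMessage and return the findings."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return (check_sender(msg["From"]) + check_links(body.get_content() if body else "")
            + check_attachments(msg))

def build_sample():
    """Constructed sample message (not a real phish) that trips all three checks."""
    msg = EmailMessage()
    msg["From"] = "Pat Chief <pat@examp1e-corp.com>"
    msg.set_content('See <a href="http://example-corp.com.evil.test/login">https://portal.example-corp.com</a>', subtype="html")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    return msg
```

Running `triage(build_sample())` yields one finding per checklist item; a message from your own domain with a plain “click here” link and no executable attachment yields none.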
There are so many hacking and phishing techniques out there, and the threat continues to grow. We can all take part in protecting ourselves and our organization by using caution and validating anything we are uncertain of. I highly recommend that your organization create a process for reporting phishing emails to your email provider and invest in a high-quality email security service. It’s the data security equivalent of wearing your lifejacket on a fishing boat.
Stay safe out there, don’t take the bait.