Phishing is a type of social engineering attack often used to steal user data, including
login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted
entity, dupes a victim into opening an email, instant message, or text message. The recipient
is then tricked into clicking a malicious link, which can lead to the installation of malware,
the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
This article will talk about the types of phishing techniques and the prevention.
Here's a brief look at five common phishing threats that often arise in enterprise settings.
Each example features "Bob," a mid-level employee in the finance department who is trying to
get through his busy day and respond to hundreds of emails.
1. Breach of Trust - Bob gets an email from what he thinks is his bank asking
him to confirm a wire transfer. The email takes him to a link that looks like his bank's website
but it is actually a "spoofed" but identical copy of his bank's website. When he gets to the
page, he entered his credential but nothing happened. Too late, Bob just gave his bank password
to a cybercriminal.
2. False Lottery - Bob gets an email saying he's won a prize from a sweepstakes.
Normally, Bob is too savvy to fall for this trick. However, this email comes from his boss,
Joe, and references a charity that they both support. He clicks, and ends up at a bogus page
that loads malware.
3. Data Update - Bob gets an email from Joe telling him to take a look at a document
that is attached. The document contains malware. Bob may not even realize what has happened.
He looks at the document, which seems normal. The resulting malware might log his keystrokes
for months, compromise the entire network, and lead to massive security breaches throughout
4. Sentimental Abuse - Bob gets an email from someone claiming to be Joe's brother-in-law.
He's suffering from cancer and has had his insurance cancelled. He asks Bob to donate to help
him recover from his illness. Bob clicks on the link and is taken to a bogus charity site.
The site could host malware or just steal Bob's credit card information via a bogus "online donation".
5. Impersonation - Bob gets an email from his boss Joe, who says that he needs
money wired to a known vendor as pre-payment for an emergency job. Can Bob wire them the money
right away? It seems fairly routine. Bob wires the money to the account requested. The money
is untraceable and never seen again.
Prevent Phishing Attacks
1. Keep Informed About Phishing Techniques - New phishing scams are being developed
all the time. Without staying on top of these new phishing techniques, you could inadvertently
fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about
them as early as possible, you will be at much lower risk of getting snared by one. For IT
administrators, ongoing security awareness training and simulated phishing for all users is
highly recommended in keeping security top of mind throughout the organization.
2. Think Before You Click! - It's fine to click on links when you're on trusted
sites. Clicking on links that appear in random emails and instant messages, however, isn't
such a smart move. Hover over links that you are unsure of before clicking on them. Do they
lead where they are supposed to lead? A phishing email may claim to be from a legitimate company
and when you click the link to the website, it may look exactly like the real website. The
email may ask you to fill in the information but the email may not contain your name. Most
phishing emails will start with "Dear Customer" so you should be alert when you come across these
emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
3. Install an Anti-Phishing Toolbar - Most popular Internet browsers can be customized
with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting
and compare them to lists of known phishing sites. If you stumble upon a malicious site, the
toolbar will alert you about it. This is just one more layer of protection against phishing
scams, and it is completely free.