What is phishing?

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, typically through bulk email crafted to evade spam filters.



How to identify a phishing attack

Recognizing a phishing attempt isn't always easy, but a few tips, a little discipline, and some common sense will go a long way. 

Here are a few signs of a phishing attempt:

  • The email makes an offer that sounds too good to be true. It might say you've won the lottery, an expensive prize, or some other over-the-top item.

  • You recognize the sender, but it's someone you don't talk to. Even if the sender's name is known to you, be suspicious if it's someone you don't normally communicate with, especially if the email's content has nothing to do with your normal job responsibilities. Same goes if you're cc'd in an email to folks you don't even know, or perhaps a group of colleagues from unrelated business units.
  • The message sounds scary. Beware if the email has charged or alarmist language to create a sense of urgency, exhorting you to click and “act now” before your account is terminated. Remember, responsible organizations do not ask for personal details over the Internet.
  • The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.
  • The message contains links that look a little off. Even if your spider sense is not tingling about any of the above, don't take any embedded hyperlinks at face value. Instead, hover your cursor over the link to see the actual URL. Be especially on the lookout for subtle misspellings in an otherwise familiar-looking website, because it indicates fakery. It's always better to directly type in the URL yourself rather than clicking on the embedded link.


Phishing examples:


1. Classic phishing email





2. Infected Attachments






3. Social Media Exploits



4. CEO Fraud Scams

The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt. When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought it was payday: 

5. Mobile Phishing

Mobile phishing attacks increased by 475% from 2019 to 2020, according to a recent report by Lookout.



At a minimum, use this checklist to help mitigate the threat:

  • Always use strong passwords
  • Encrypt or lock sensitive data
  • Don’t bypass built-in security; use multi-factor authentication options like fingerprint or facial recognition
  • Enable remote tracking
  • Enable your device to erase remotely
  • Never leave your device in a public place or anywhere it can be easily stolen
  • Only use apps available in your device’s app store - NEVER download them from a browser
  • Watch out for new apps from unknown developers or with limited/bad reviews
  • Keep your apps updated; this ensures they have the latest security fixes. If they’re no longer supported by the app store, just delete them!
  • Think before you click any links in text messages or emails on your mobile device
  • Never jailbreak your iOS or root your Android - that leads to unrestricted access, making it way too easy for hackers
  • Always turn off WiFi when you aren’t using it or don’t need it
  • Don’t allow your device to auto-join unfamiliar WiFi networks
  • Don’t send sensitive information over WiFi unless you’re absolutely certain it’s a secure network
  • If you’re able to, disable automatic Bluetooth pairing and always turn off Bluetooth when it isn’t needed
  • NEVER save your login information when you’re using a web browser



How do I protect myself against phishing emails?

Here are a few of the most important practices to keep you safe:

  • Don't open e-mails from senders you are not familiar with.
  • Don't ever click on a link inside of an e-mail unless you know exactly where it is going.
  • To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
  • Look out for the digital certificate of a website.
  • If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.” It's not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it's more secure. HTTP sites, even legitimate ones, send everything you type in the clear, where anyone on the network path can read or alter it.
  • If you suspect an e-mail isn't legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
  • Mouse over the link to see if it's a legitimate link.
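As an added example (not part of the original article), the Python script below applies the link checks described above and in the "links that look a little off" sign mechanically: it extracts every link in a constructed HTML email, compares the URL shown to the reader with the real href target (what hovering reveals), flags plain-HTTP targets, and uses edit distance to catch subtly misspelled versions of a trusted domain. The email body and the TRUSTED_DOMAINS set are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample email: the first link shows a familiar bank URL as its
# text but really points elsewhere; the third uses a lookalike domain.
SAMPLE_EMAIL_HTML = """
<p>Your account will be terminated in 24 hours. Act now:</p>
<a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="https://exarnplebank.com/reset">Reset password</a>
"""

# Hypothetical set of domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Good enough for a demo; a production mail filter should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Last two labels of a hostname (a crude 'registrable domain')."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot subtly misspelled domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_links(html: str) -> list:
    """Return (href, reason) pairs for links the reader should not click."""
    flagged = []
    for href, text in ANCHOR_RE.findall(html):
        parsed = urlparse(href)
        host = registrable(parsed.hostname or "")
        if parsed.scheme != "https":  # plain HTTP: no transport security at all
            flagged.append((href, "not https"))
        # Same check a human makes by hovering: does the URL shown as text
        # lead where the href actually goes?
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != host:
            flagged.append((href, "displayed URL differs from real target"))
        # A domain within two edits of a trusted one is a classic misspelling lure.
        if host not in TRUSTED_DOMAINS and any(
                edit_distance(host, t) <= 2 for t in TRUSTED_DOMAINS):
            flagged.append((href, "lookalike of trusted domain"))
    return flagged
```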

 

Avoiding phishing scams


1. Keep Informed About Phishing Techniques 


2. Think Before You Click! 


3. Verify a Site’s Security 


4. Check Your Online Accounts Regularly  


5. Be Wary of Pop-Ups 


6. Keep Your Browser Up to Date 


7. Never Give Out Personal Information 


8. Use Antivirus Software