- September 13, 2018
- Posted by: Jim Lund
- Category: IT Security
8 Things You Need Understand About Phishing
- What is Phishing?
Phishing is a type of fraud in which a Scammer attempts to gather personal information by impersonating a legitimate source or by sending users to a malicious web site. Scammers try to obtain any information that could help them pose as someone else, usually to steal money or intellectual property. This is done either through the surreptitious installation of malware, impersonating a legitimate site and stealing login credentials, or simply via a conversation.
- The sender of that email may not be legitimate
You should never trust an email based simply on the purported source. Cyber criminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate, when the emails are really coming from a malicious source.
- Enticing or aggressive subject lines are used to lure people in.
Cyber criminals will do whatever it takes to get people open their emails. They often use enticing or threatening language in subject lines that urge immediate action. They may promise “free iPhones to the first 100 respondents,” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic.
- Impersonal greetings should be a red flag.
Since phishing emails are often sent to many people at once, they usually lack personal greetings. They often use generic terms like “customer,” “employee,” or “patient.” Your employees should be cautious of these terms especially if the email is asking for personal information.
- That it is important to notice grammatical and stylistic errors.
You need to read their emails carefully, not just skim them. Many phishing attacks come from other countries, so these emails are often written by non-native English speakers. This results in a plethora of grammar and stylistic issues. If an email from a supposedly reputable company has spelling and grammar issues, it is probably a scam.
- It is important to check the link destination.
Make sure you hover over all links before clicking them. Pop-up bubbles will display the link’s real destination. If it is not the website expected, it is probably a phishing attack. It is most important to make sure that the core of the URL is correct. Be especially cautious of known websites suddenly ending in alternative domain names instead of .com or .org.
- Emails demanding “immediate action” are probably scams.
Emails that have an aggressive tone or claim that immediate action must be taken should be considered a potential scam. This technique is often used to scare people into giving up confidential information.
- You can’t rely on images or logos.
Images can be downloaded or easily replicated. Brand logos and trademarks are no guarantee that an email is real. Even anti-virus badges can be inserted into emails to persuade victims into thinking there is no real threat. None of these add any actual legitimacy to an email.
Ensuring you understand the signs of phishing is an important defense against an attack in addition to technical measures.
You or another employee spotted a phishing email, now what?
Check with your company and make sure there is a system in place to report attacks and make sure everyone understands how important it is to follow through in reporting it. They may think that just deleting the offending email is perfectly fine, but your IT needs to know if your company is being targeted. Always make sure that your internal IT department is contacted as soon as possible after you or someone else spots a phishing email, so that IT can take appropriate action.
Fox would be happy to help develop with you a set of Policy and Procedures to for these issues. Please feel free to reach out to us for help.