We’ve all gotten phished before. Phishing is the practice of using fraudulent emails and copies of legitimate websites to extract private data from users for illegal or malicious reasons. Every email user at some point in time will get some sort of phishing email. It’s nearly guaranteed, and their frequency is increasing each day.
As phishing attacks become more frequent, they also become harder to identify. Could you identify these scams 100% of the time?
The number of phishing sites rose 10 percent in the first quarter of 2014, and the U.S. ranks first among countries hosting phishing sites, according to a report by the Anti-Phishing Working Group. To put it more clearly, as of January 2014 there are approximately 33,000 phishing attacks each month around the world, and this number is rising literally by the day as attackers discover different types of weaknesses and more people purchase computers and other mobile devices such as phones and tablets.
So, what is the end goal of attackers who carry out phishing attacks? People phish in order to either obtain information or to drop malware. That malware can be deployed instantly or at a later date. That “later date” part is very important, because you may not always see the consequences or effects immediately; it may take a good while. At the end of the day, we’re dealing with social engineering through electronic delivery. The more capable our electronic devices become, the more opportunities attackers will find to exploit those new technologies.
There are a few different types of phishing attacks everyone should be aware of:
- Smishing: Phishing using SMS text messages, prompting an action such as making a phone call or clicking on a link.
- Spearphishing: Much more targeted attacks that usually pertain to a very small group, sent after some amount of research on the targets has been conducted.
- Whaling: Phishing attacks that specifically go after executives, often on a one-by-one basis, using information acquired through research or from previous successful spearphishing campaigns against their colleagues.
With a little knowledge, it’s quite easy to avoid these types of scams; without a keen eye, they can slip by unnoticed. With so much private information becoming publicly visible through social media and social networking sites, phishing attacks are evolving. They are moving away from the original emails we used to see, which were littered with grammatical errors and spelling mistakes, and are starting to mimic, or spoof, legitimate correspondence that may come from our colleagues, banks, schools, or even families.
There are two main ways in which we can empower our users to better recognize and report phishing attacks:
- Training: Inform your staff of the triggers and cues they can look for, so that each of them becomes another sensor sitting on your network. Let them know what to look for in emails that appear “phishy,” and give them a clear line of communication to a security expert who can help them determine whether an email is legitimate.
- Assessments: The training portion is good. You’ve got an awareness program set up, and your company has taken a great first step. But how do you actually test whether the training is working? You perform assessments. This is your way to test practical knowledge: you mimic attacker behavior to familiarize end users with the tactics being used today. Between this and your training, you teach users to recognize the different cues and triggers through mock-phishing email campaigns.
This is an excerpt from the Global Knowledge white paper, Human Vulnerabilities in Our Current Threat Landscape.