Phishing Attacks: The Do's and Don’ts
For organizations, "the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months," according to Experian’s 2015 Data Breach Industry Forecast. With experts predicting that phishing attacks and ransomware will escalate in 2015, organizations need to increase their investment in security technologies.
“It is imperative to understand that employees are the first line of defense in preventing malicious emails, Internet files, FTP sites, file-sharing services, etc., from infecting your computer, which ultimately can spread to all the computers at the office,” says Dennis Spalding, chief information security officer at Insight.
Types of phishing attacks
According to the United States Computer Emergency Readiness Team (US-CERT), “phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.” Those techniques typically start with a phishing email that contains links to fraudulent websites, carries malicious code or asks directly for personal information.
Cybercriminals may also call or text you, claiming to be from a reputable company with which you do business. They’ll offer to fix a problem, sell you something you need or tell you that you’ve won a prize. If you give these phone scammers access to your computer, they can trick you into installing malicious software, visiting fraudulent websites and handing over credit card information.
Phishing emails and phone calls can also serve as vehicles for ransomware attacks: once the malware runs, it encrypts the data on your computer’s hard drive, and the cybercriminals hold that data hostage until payment is made to unlock it.
Most common phishing attacks
Phishing attacks that direct a user to fraudulent websites — known as spoofed websites — that mimic real sites are the most common attack method in use. In fact, the common attack vector in the recent healthcare breaches has been the misuse of cryptographic keys and digital certificates, the very mechanisms designed to create trust and assurance. When they are turned against you, it becomes difficult to know what can and cannot be trusted.
Scanning the entire Internet regularly to identify spoofed websites or rogue certificates is a monumental task, and certificate revocation lists have proven easy to defeat. In fact, only 30% of victims discover the breach themselves; most are notified by external third parties.
Targeted phishing attacks
Spear phishing is distinct from phishing in its customized nature, and usually involves research by the attacker. For example, a spear phishing email may appear to come from within an organization, perhaps from its IT department. Spear phishing, according to Verizon’s 2014 Data Breach Investigations Report, is one of the most commonly used tactics in cyber-espionage.
Toolkits are readily available that let cybercriminals alter, or spoof, the telephone number a call appears to originate from, including your own business number. A quick search of your company’s website gives a hacker a commonly used office phone number, and calling you from that recognizable number lends the hacker credibility. Consequently, when the hacker poses as IT support and asks for your password to service your account, you may be more willing to provide it.
While the criminals are getting better, as the 2015 Internet Security Threat Report from Symantec shows, there are ways to help prevent sensitive data such as protected health information from being compromised.
Phishing attacks dos and don’ts
Do ask yourself if the email is from someone you know, or if the subject line is odd or suspect.
Don’t open suspect emails claiming to be from a financial institution, the IRS, the Federal Deposit Insurance Corp. or other trustworthy organization if you are not expecting them. Common phishing phrases include “verify your account,” “Dear Valued Customer,” “within the next 48 hours,” “click this link” and “open this attachment.” Phishing emails are also known to contain spelling mistakes and bad grammar; threats; attachments with incorrect or suspicious filenames or extensions (e.g., .zip, .exe, .vbs, .bin, .com, .pif or .zzx); and links for unexpected e-cards, tracking for unknown packages, pictures or videos.
Do ask yourself if you were expecting a new document or zip file.
Don’t open unexpected attachments, even if they come from someone you know. If you weren’t expecting grandma to send you an email containing your bank statements, for instance, ask her whether she really sent something before opening it.
Do delete any suspicious emails from your inbox and then from your deleted folder.
Don’t click links in suspicious emails; hover your mouse over them instead to see the real web address. If the address shown doesn’t match where the message says the link will take you, it could lead to a malicious download (a “.exe” file, for example) that installs malware on your computer. Even if the addresses match, it’s better not to click links in email unless you’re absolutely certain the message comes from a reliable source; type the site’s address into your browser yourself instead.
Do verify the legitimacy of requests or sources. Look up the company contact information from which the email, text or call claims to be. Then call the company yourself to verify that the email or text is legitimate. If you get a phone call, let the caller know you will call the company back. If you suspect a credit card scam, hang up with the caller and dial the toll-free number on the back of your credit card to verify the call.
Don’t provide any personal information (i.e., login, account information, date of birth, social security number, etc.) via email, phone, text or social messages.
Do report phishing scams in the United States to the Federal Trade Commission (FTC) through its online complaint form.
Don’t ignore your company’s policies and procedures regarding access to data and the authenticity of keys and certificates; make sure you know them.
Do participate in up-to-date security training sessions within your organization, as well as stay up to date on the latest phishing, spamming and other email scams through the U.S. government’s official web portal, USA.gov.
Don’t visit websites that host pirated content. "When browsing websites, don’t visit or download files from suspicious websites," advises Richee Jesky, engineer Sr., service provisioning RNOC at Insight. "If downloading a file, always download it from the vendor’s or author’s website. This will eliminate the chances of getting pirated software."
Do scan downloaded files for viruses before opening them. "This can be accomplished by going to the downloads folder, right clicking on the file and then choosing 'scan for viruses,'" Jesky advises.
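The hover check in the list above (compare the visible link text with the address the link actually points to) can be automated. The script below is an added example written for this page, not code from the original article or from Insight. It parses a constructed sample message and reports every link whose visible text names a different domain than its destination, points at a bare IP address or a punycode hostname, imitates a trusted domain, or downloads a file with one of the risky extensions listed above. The trusted domain (examplebank.com) and the sample message are placeholders; a real deployment would substitute the organisation's own domains and use the Public Suffix List instead of the two-label shortcut used here.

```python
"""Flag links in an HTML email that a "hover before you click" check would catch."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import difflib

# Constructed sample message (not a real email): the visible link text disagrees
# with the real destinations in ways typical of phishing.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Please <a href="http://examplebank.com.account-verify.net/login">verify your account</a>
within the next 48 hours.</p>
<p>Visit <a href="https://examp1ebank.com/secure">https://examplebank.com/secure</a></p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
<p>Your statement: <a href="http://198.51.100.7/statement.pdf.exe">statement.pdf</a></p>
"""

# Assumed: the domains this sender legitimately uses (placeholder for the example).
TRUSTED_DOMAINS = {"examplebank.com"}
SUSPICIOUS_EXTENSIONS = (".exe", ".vbs", ".bin", ".com", ".pif", ".scr", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (www.examplebank.com -> examplebank.com).
    Simplification for this example; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_host(text):
    """Hostname the visible text claims, if the text itself looks like a URL."""
    t = text.strip()
    if "://" not in t and not t.lower().startswith("www."):
        return None
    return urlsplit(t if "://" in t else "http://" + t).hostname


def lookalike(host, trusted):
    """True if host is not a trusted domain but embeds or closely resembles one."""
    dom = registrable_domain(host)
    if dom in trusted:
        return False
    for t in trusted:
        if t in host:  # trusted name buried inside a longer, unrelated host
            return True
        if difflib.SequenceMatcher(None, dom, t).ratio() > 0.85:  # one or two edits away
            return True
    return False


def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, [reasons])] for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        shown = claimed_host(text)
        if host and shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if host and host.replace(".", "").isdigit():
            reasons.append("destination is a bare IP address")
        if "xn--" in host:
            reasons.append("internationalised (punycode) hostname")
        if host and lookalike(host, trusted):
            reasons.append(f"{host} imitates a trusted domain")
        if parts.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append(f"link downloads a .{parts.path.rsplit('.', 1)[-1]} file")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in analyse_links(SAMPLE_EMAIL):
        print(f"[{text!r}] -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, three of the four links are flagged; only the link to www.examplebank.com passes. The check is deliberately conservative: a link whose visible text is plain words ("our help page") cannot be compared with its destination, so the script falls back to the lookalike and extension checks for it.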
If you think you’ve downloaded malware or allowed a cybercriminal to access your computer, the FTC recommends getting rid of malware, changing any passwords you shared, asking your credit card provider to reverse any charges you made for bogus services or products, visiting its identity theft website and filing a complaint.
“As always, the recommended and first line of defense is to prevent infection in the first place,” Spalding says.