Despite general awareness of phishing (we have written about phishing in a prior post), it remains one of the most common ways cyberattacks are carried out. It should be no surprise that cybercriminals constantly come up with more elaborate and sophisticated ways to gain access to sensitive systems and data. A recent CIO.com article lists three measures designed to deter phishing and related attacks, which we have summarized below.
- Awareness: Organizations and their employees should be aware of the types of “phishing” attacks that are now commonplace. Some examples include the following:
  - Email Phishing: Email phishing involves the receipt of an email that either has an attachment which, when opened, downloads malicious code onto the recipient’s system, or a link that takes the recipient to an external website and requests that the recipient enter sensitive information.
  - Spear Phishing: Spear phishing is a type of email phishing where the cybercriminal sends targeted emails looking for specific information.
  - Whaling: Whaling is a type of email phishing that targets senior executives.
  - Smishing: Smishing is similar to email phishing except that it contacts the recipient over text (SMS) messages instead of email.
  - Vishing: Vishing is a type of phishing that uses Voice over IP (VoIP) and Plain Old Telephone Service (POTS), where cybercriminals solicit victims for account details and login credentials.
- Training: One of the best defenses is to provide security awareness training to employees. Some practices that companies may want to incorporate into their training include the following:
  - Employees should be reminded that legitimate companies will not ask for passwords or personal, financial, or corporate information. If such a request is made, confirm with the requesting organization before giving out any information.
  - Employees should not click on URLs (including embedded address links in the email or links that are copied and pasted) unless they trust the source.
  - Employees should check the sender’s email address or telephone number and, if the sender is unknown, be careful about opening the message, especially if the email address looks “odd.”
  - Employees should look for spelling and grammatical errors in messages, including evidence of poor translations.
  - Employees should not enter login credentials or share, access, or create sensitive data without fully confirming the requesting party (including the individual at that party).
- Technology: Software and systems can help with threat detection and prevention. Organizations should consider implementing the following:
  - One-click reporting for suspicious emails, and automated categorization, analysis, and management of reported emails.
  - State-of-the-art anti-malware, antivirus, and anti-spam tools.
  - Enhanced back-office monitoring systems to detect suspicious activities as soon as possible.
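The training checks above (requests for credentials, mismatched embedded links, and sender addresses that look “odd”) can be turned into automated triage for reported emails. The following is an added example, not code from this post or the CIO.com article; it assumes a trusted internal domain of `example.com` and runs over a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organization's own domain and the phrases
# its training flags as requests for sensitive data.
TRUSTED_DOMAINS = {"example.com"}
CREDENTIAL_WORDS = ("password", "login credentials", "verify your account", "wire transfer")

# Constructed sample message: lookalike sender domain (digit 1 for letter l),
# off-domain Reply-To, and a link whose visible text hides its destination.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.test
To: alice@example.com
Subject: Urgent: verify your account

Your password expires today. Click <a href="http://login.mail-recovery.test/x">https://portal.example.com</a> to keep access.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that are almost a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def phishing_indicators(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From", ""))
    # Sender domain that looks "odd": close to, but not equal to, a trusted domain
    for trusted in TRUSTED_DOMAINS:
        if sender != trusted and edit_distance(sender, trusted) <= 2:
            findings.append(f"sender domain {sender} resembles {trusted}")
    # Replies routed somewhere other than the apparent sender
    reply = domain_of(msg.get("Reply-To", ""))
    if reply and reply != sender:
        findings.append(f"reply-to domain {reply} differs from sender {sender}")
    body = msg.get_payload()
    # Embedded link whose visible URL does not match its real destination
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', body):
        if text.startswith(("http://", "https://")) and urlparse(text).hostname != urlparse(href).hostname:
            findings.append(f"link text {text} hides destination {href}")
    # Request for credentials or other sensitive data
    lowered = (msg.get("Subject", "") + " " + body).lower()
    findings.extend(f"asks for sensitive data: '{w}'" for w in CREDENTIAL_WORDS if w in lowered)
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see all four checks fire on the sample; a benign internal message yields an empty list.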
Additional details on the measures an organization can take to help prevent phishing attacks are available in the CIO.com article.