“Were you hacked?”
Phishing Attacks Are on the Rise – How You Can Protect Yourself and Your Organization
It seems like every day there are new attempts to hack into our systems. You see these emails; you may even have clicked on them, because they look legitimate. The email appears to be from your coworker or even your boss, so of course you click on it without thinking. But something doesn’t seem quite right about that email. Your boss doesn’t usually misspell so many words, or the company logo is missing from his signature. You start to wonder: did my boss really send me this request to go out and buy 10 gift cards? But it’s from the boss and it seems urgent, so you’d better do what he’s asking, right?
It’s not just happening to you.
According to AlertLogic, 76% of organizations experienced phishing attacks in 2017. There are two common types of phishing techniques: email phishing scams and spear phishing. Incapsula.com describes these two common types of phishing attacks.
Email Phishing Scams
Email phishing is when an attacker sends out thousands of fraudulent messages in the hope of getting a few responses that give the attacker money or important information. The example above, where we got an email from the “boss” asking us to go out and purchase several $100 gift cards and then send the codes back by email, is one example of how an attacker uses email spoofing to fool the recipient. The email not only used the boss’s name but also had the same look and feel as the emails normally sent by the boss. There was also a sense of urgency that compelled us to act without fully vetting the request.
The second common type of phishing is known as spear phishing. This type of attack targets a specific person or organization instead of random individual users. It is a more in-depth form of phishing that requires researching specific information about the organization. These kinds of emails will often appear to come from someone you recognize, requesting that you click on a link to open a password-protected file that seems like something you would typically receive from that person, such as an invoice relating to a project you are working on. The “password prompt” is really a fake login page under the attacker’s control: once you enter your username and password to open the document, the attacker has your credentials and can use them to log in as you and reach more sensitive areas within the organization.
What can you do to protect yourself and your organization?
- Vigilance is key - Make sure you and your users are aware of these types of scams. Phishing attackers are getting better and better at spoofing email accounts. The display name on an email can say anything, so if you hover your mouse over (or expand) the sender’s name, you might see a different email address than you expect from that individual. Look closely at the domain after the @ sign: attackers register look-alike domains that differ from the real one by a single character.
- Don’t click on links until you’ve done your homework - Make sure the sender’s email address is correct. Is this something you were expecting to receive? If there’s an attachment, is it a typical file type that you would normally exchange in your business (e.g. .pdf, .docx, .xlsx)? Were you expecting to receive a file or link from this particular sender? Hover over a link to see where it actually goes; the text of a link and its real destination can be completely different. It only takes a few seconds to copy a sender’s email address or a link’s destination into a search engine (not into the browser’s address bar, which would open the link) and see whether the results support the information contained in the email.
- Make a phone call - In this world of text communication, don’t be afraid of the phone! Reach out and call the person who sent you the email and verify that they did, in fact, send you an email with a file attachment or a link that they need you to click on. Use a phone number you already have on file, not one given in the email itself, and don’t simply reply to the email, since an attacker who spoofed it will happily “confirm” their own request.
- Use two-factor authentication where available - Many secure accounts support two-factor authentication, where you must provide your username and password as well as one additional piece of information, such as a one-time code sent via text to your cell phone or generated by an authenticator app. So even if someone were to acquire your username and password for an application, you have an additional layer of protection.
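The sender, link and attachment checks in the list above can be applied mechanically to a message before anyone clicks. The script below is an added example written for this page, not code from the original article or from AlertLogic or Incapsula. It parses two constructed sample messages (one modelled on the gift-card request, one benign), assumes `example.com` is the organization’s own mail domain, and flags a sender whose real address is outside that domain, link text whose domain differs from the link’s actual destination, links to untrusted domains, attachments with unexpected file types, and pressure language such as “urgent” or “gift card”.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the organization's own mail/intranet domains.
TRUSTED_DOMAINS = {"example.com"}
# Heuristic pressure words; tune to your own environment.
URGENCY_WORDS = ("urgent", "asap", "immediately", "gift card", "wire transfer")
# File types you normally exchange in your business.
EXPECTED_ATTACHMENTS = {".pdf", ".docx", ".xlsx"}

# Constructed sample: display name claims to be the boss, real address is on a
# look-alike domain (examp1e-corp.com), link text and href disagree, and the
# message pushes for a quick gift-card purchase.
PHISH_EML = """\
From: "Pat Boss" <pat.boss@examp1e-corp.com>
To: you@example.com
Subject: URGENT - need gift cards today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I need you to buy 10 gift cards ASAP and send me the codes.
Invoice is here: <a href="http://login.examp1e-corp.com/invoice">https://intranet.example.com/invoice</a></p>
</body></html>
"""

# Constructed sample of a routine internal message that should produce no findings.
CLEAN_EML = """\
From: "Pat Boss" <pat.boss@example.com>
To: you@example.com
Subject: Q3 report
Content-Type: text/plain; charset="utf-8"

Here is the report we discussed on Tuesday: https://intranet.example.com/reports/q3
"""


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels (sufficient for this example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url_or_host):
    """Registrable domain of a URL or bare hostname."""
    parsed = urlparse(url_or_host if "://" in url_or_host else "http://" + url_or_host)
    return registrable_domain(parsed.hostname or "")


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: the display name is free text; only the address after '@' matters.
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender '{display_name}' is really <{addr}> (domain {sender_domain} not trusted)")

    # 2. Links: compare what the link says with where it actually goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        links = extractor.links
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    for text, href in links:
        href_domain = domain_of(href)
        if re.match(r"(https?://|www\.)", text, re.I):
            text_domain = domain_of(text)
            if text_domain != href_domain:
                findings.append(f"link text shows {text_domain} but goes to {href_domain}")
        if href_domain not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {href_domain}: {href}")

    # 3. Attachments: unusual file types deserve a second look.
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext not in EXPECTED_ATTACHMENTS:
            findings.append(f"unexpected attachment type: {part.get_filename()!r}")

    # 4. Pressure language in subject and body.
    text_lower = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [w for w in URGENCY_WORDS if w in text_lower]
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label, check_message(sample) or "no findings")
```

Running it prints four findings for the constructed gift-card message (untrusted sender domain, link text/destination mismatch, untrusted link, pressure language) and none for the routine one. None of these heuristics proves a message is phishing on its own; they are a first filter, and a message that trips them should be verified out of band, by phone, exactly as the list above recommends.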
How do we stop phishing?
- The best way you can help cut down on these phishing scams is by reporting them.
- If you get a suspicious email, forward it to email@example.com and to the person or organization being impersonated in the email. Make sure the full email headers are included; forwarding the message as an attachment preserves them, whereas a plain forward usually strips them.
- You can also report phishing to firstname.lastname@example.org. This is the Anti-Phishing Working Group, a group made up of ISPs, security vendors, financial institutions and law enforcement agencies that uses these reports to fight phishing attacks.
- You can also file a report with the Federal Trade Commission.