Phishing is a type of social engineering where an attacker sends a fraudulent message to trick a victim into revealing sensitive information, such as passwords or credit card data, or to deploy malicious software like ransomware. It is perhaps the oldest trick in the cybercrime book, and yet the most efficient. So how to prevent phishing in the workplace?
According to the 2021 State of the Phish report by Proofpoint, 57% of respondents said their organization experienced a successful phishing attack in 2020, up from 55% in 2019. Alarmingly, more than 1 in 10 users clicked on a simulated phishing email.
Celebrating week #2 of the Cybersecurity Awareness Month under the theme “Phight the Phish!”, we share tips on how to spot malicious emails to prevent phishing, ransomware, and other malware attacks in the business network.
Over the last year, there has been a surge in coronavirus-themed phishing scams and ransomware attacks. At the same time, information security professionals have struggled to keep their users secure amid an abrupt shift to remote work due to the pandemic.
Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. We’ve seen phishing campaigns pretending to come from nearly everything from Netflix and Instagram to the IRS.
Email is not the only medium phishers use —vishing involves video calls and landline telephone calls; and smishing involves text messages. The point remains: attackers will request personal information such as account numbers, passwords, or Social Security numbers by any means and with any pretext.
This also applies to the work environment. Spear phishing, whaling, and business email compromise (BEC) are other forms of phishing targeted at specific and narrower audiences. These types of attacks reach fewer people, but their level of focus and sophistication make them more difficult for users to spot and for technical tools to block.
65% of organizations faced BEC attempts in 2020, with campaigns trying to lure them into executing “urgent” wire transfers or paying fake invoices that pretend to come from a trusted provider.
Attackers are adept at researching and targeting specific roles and people, which means these techniques should remain firmly on everyone’s radar.
CISA and the NCSA have put together the following tips to prevent phishing at home and in the workplace.
Links in email and online posts are the most common conduit for cybercriminals. If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments.
Be cautious of generic greetings such as “Hello Bank Customer,” as these are often signs of phishing attempts. If you are concerned about the legitimacy of an email, call the company directly.
Be wary of communications that implore you to act immediately. Many phishing emails create a sense of urgency, trying to make you think your account or information is in jeopardy. If you are prompted to do something urgently, reach out to that person or entity directly to verify the request.
If people contacting you have key details from your life—your job title, multiple email addresses, full name, and more that you may have published online somewhere—they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
Avoid clicking on hyperlinks in emails and hover over links to verify their authenticity. Also ensure that URLs begin with “https.” The “s” indicates encryption is enabled to protect users’ information.
If multi-factor authentication (MFA) is an option, make sure to enable it. That way, you’ll be the only person who has access to your account. Use it for email, banking, social media, and any other service that requires logging in. You can associate a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
Consider using the longest password or passphrase permissible. Get creative and customize them for different sites, which can prevent cyber criminals from gaining access to multiple accounts in the event of a breach.
No need to memorize your strong passwords and passphrases: Use password managers to generate and store them.
Make sure all of your computers, Internet of Things (IoT) devices, mobile phones, and tablets are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.
Rising regulatory pressure is coupled by increasing third party risks, and your organization needs to extend cyber hygiene practices beyond its own perimeter.
This strategy guide explains how to sustain a secure vendor ecosystem by solving security and compliance problems for enterprises and third party vendors.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|