What is Phishing?
One of the most common and difficult-to-spot strategies hackers use is phishing scams, which require minimal technical know-how and can be deployed from anywhere in the world via a simple email.
Phishing is a general term that refers to any cyber-attack where a hacker disguises themselves as a trusted source in order to acquire sensitive information. Typically, under traditional phishing attacks, hackers send fraudulent, malicious emails to as many people as possible. It’s not unusual for phishing attacks to target thousands of individuals at once in the hopes of netting just a few victims.
Phishing attacks take a quantity-over-quality approach. Despite the randomness of the attacks, phishers can gain highly sought information on their victims through mass, easy-to-reproduce emails. The goal of these emails is to compromise data or a larger network through the greatest cyber security vulnerability of all—users themselves. Effectively, instead of going through the hassle of breaking strong digital defenses, hackers use phishing attacks to trick someone into giving them access to a network or data.
To fool the victims, attackers customize phishing emails to make them appear legitimate, sometimes using logos or dummy email accounts to improve the effectiveness of the attack. Usually, phishers will pretend to be a trusted source, like a hospital, bank or employer. The phishing message will likely include alarming or suggestive language to fool victims into:
- Clicking a link
- Opening a document
- Installing software (e.g., malware or keyloggers)
- Entering their username and password into a website that’s created to look legitimate
If a victim does any of the above, the hacker can infect their computer and steal sensitive information, often without having to use a single line of code. With phishing attacks, even the most top-of-the-line firewall can’t stop an individual from clicking on a malware-loaded email. And, once a single computer gets infected, the malware can spread throughout an entire network.
Phishing attacks target both individuals and employers:
- Individuals are the easiest to compromise and the most susceptible to phishing attacks because they hold a great deal of personal data (such as Social Security numbers, banking information or login credentials) that hackers can use to steal money or identities.
- Employers are targeted when cyber attackers craft convincing emails that reference job responsibilities, company details and coworkers' names to fool employees into granting access to company systems, putting a business's financial information, trade secrets, confidential documents or network at risk.
Ways to Avoid Phishing Schemes
- Be overly cautious of suspicious emails (deleting them immediately) that:
  - Come from unrecognized senders
  - Ask you to confirm personal or financial information
  - Aren't personalized
  - Are vague
  - Include threatening, frightening or persuasive language
- Never enter personal information or click links in a pop-up screen.
- Avoid emailing personal or financial information, even if you think you know the sender.
- Hover over links and triple-check the address they actually point to before you click them.
- Avoid replying to the sender if you suspect an email is malicious. If you recognize the individual or company sending the suspicious email, follow up with them offline to ensure they meant to contact you.
- Report the attack to your employer and the FBI’s Internet Crime Complaint Center.
- Verify a website's security. Legitimate websites will have a URL that begins with https, and you should see a closed lock icon somewhere near the address bar. Keep in mind that the lock only confirms the connection is encrypted, not that the site is the one you expect, so check the domain name as well.
- Review your online accounts regularly and use different passwords for each one. Most importantly, review your bank and credit card statements to ensure that all transactions are authorized.
- Keep your browser up to date and use firewalls.
- Run anti-virus and anti-malware software on a regular basis. Reputable vendors include McAfee, Symantec, Malwarebytes and Avast.
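The "hover over and check the address" and "look for https" advice above, turned into a check that can be run over an HTML message body. This is an added example written for this page, not code from the original article; the message and its domains are constructed placeholders, and `trusted_domain` is the sender's expected domain, which the reader supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Act now.</p>
<a href="http://203.0.113.7/login">https://bank.example.com/login</a>
<a href="https://bank.example.com.verify-account.example.net/">Verify now</a>
<a href="https://bank.example.com/statements">bank.example.com</a>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Visible text such as "bank.example.com" has no scheme; add one so urlparse finds the host.
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()

def check_links(html_body, trusted_domain):
    """Return (href, reason) for each link that fails the hover-and-check test."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        looks_like_url = "." in text and " " not in text  # text a reader would read as an address
        if host.replace(".", "").isdigit():               # IPv4 literal instead of a named site
            findings.append((href, "points at a bare IP address"))
        elif not href.lower().startswith("https://"):
            findings.append((href, "not an https link"))
        elif looks_like_url and _host(text) != host:
            findings.append((href, f"text shows {_host(text)} but link goes to {host}"))
        elif host != trusted_domain and not host.endswith("." + trusted_domain):
            findings.append((href, f"{host} is not under {trusted_domain}"))
    return findings
```

Running `check_links(SAMPLE_EMAIL, "bank.example.com")` flags the first two links (a bare IP address and a lookalike domain) and passes the third, whose visible text, link target and expected domain all agree.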
Additional Considerations for Employers
- Implement a data protection program. Train employees on common phishing scams and other cyber security concerns. Provide real-world examples during training to help them better understand what to look for.
- Segment networks if possible, keeping sensitive information separate. This can help prevent the loss of an entire network should one employee fall victim to a phishing attack.
- Filter emails and websites.
- Have employees use unique usernames and passwords. In instances where employees share credentials, hackers can cause major damage to your business simply by compromising one employee.