Phishing Attacks and How to Thwart Them
For twenty years, hackers have tried to breach organizations’ networks by finding or breaking holes in the network perimeter, or in exposed servers. This led the cybersecurity industry to create software designed specifically to stop these threat actors in the act. In essence, this created a situation where the perimeter of an organization’s network was extremely hard to breach. The problem was that as soon as something got through the outer defenses, there was no end to the devastation a hacker could cause inside the network.
This caused a shift in the way hackers went about their dastardly business. Since they couldn’t gain access the “old-fashioned way,” they needed a new strategy. As a result, using the resources at their disposal, hackers began to use people with access to the network to let them in. This strategy, sometimes called social engineering, created deceptions that pulled the wool over users’ eyes and provided exactly what the attackers were looking for: a way in. Today’s hacker has his or her sights firmly set on the users of the secure computing network, and it is leading to unprecedented levels of devastation for users and businesses alike.
What Is Phishing?
The strategy is as old as war: if one avenue of attack is blocked, you try to attack the flanks. In this case the flanks are the users who have access to a network. Users are susceptible to all manner of ploys. Hackers get them to click on links for free software, masquerade as people in authority, and send direct messages that only a well-trained person would ignore and report. Moreover, some users type their personal access credentials into fraudulent forms. The phishing attack is one part fraudulent ruse and one part lack of diligence on the victim’s part. Together, these two problems can be trouble for any organization.
A phishing attack can come at any time and can affect any organization. Hackers flood email, instant messaging, and any other method of computer-based communication to expose as many people as possible. No matter what industry you work in, there is a very strong chance that your organization is being phished at this very moment, mainly because most phishing messages are sent in mass campaigns designed to flood so many inboxes that the chance someone makes a mistake is extraordinarily high. In fact, nearly four out of five businesses and nine out of ten nonprofits have seen phishing emails over the past two calendar years.
What Can We Do?
Unfortunately, if someone makes the grave mistake of falling victim to a phishing attack, you are going to be forced to deal with that situation. If the threat unleashed by a successful phishing attack happens to be ransomware, you’ll have a whole other set of problems on your hands. These unfortunate scenarios don’t have to happen, however: a companywide strategy to protect against phishing can reduce the chances that malware ravages your network.
So, how exactly do you go about strategizing the changes you have to make? The first thing you have to do is identify where your business is getting spammed. Is it through email? Social media? Instant messaging? The truth is that your business probably deals with all manner of phishing attacks, but when the downtime from training approaches the downtime you’d see as a result of a malware attack, the value of the training may be hard to swallow. As a result, when you begin to outline a strategy that will keep these annoying and possibly disastrous attacks at bay, you’ll definitely want to identify exactly what information you absolutely need your staff to know.
Once that is done, you can start training your staff. Here are some pointers:
- Hackers that deploy phishing attacks are suckers for the dramatic. They typically include upsetting or exciting statements to emotionally connect with a victim. This gets the victim to react hastily, and it can often get people to hand over their usernames, passwords, personal financial information, Social Security numbers, and a lot of other sensitive personal information. You’ll want to teach your employees to avoid clicking on links inside emails.
- It’s not really a surprise that a lot of people share a lot of information online. If they are like many of us, they spend a lot of time there. It’s easy to forget that the Internet is a much more dangerous place than the street. Generally, people should approach sharing ANY personal information over the Internet with a heavy dose of skepticism. You’ll want to teach your staff to be suspicious of any email or message that comes from people they don’t know, or that demands their immediate attention. If someone legitimately needs something done immediately, the request will come from someone the person knows, and it will very likely arrive as direct correspondence with very specific instructions. All other messages are probably spam. You may also want to mention that they shouldn’t ever provide sensitive information in an email. While this will absolutely help them avoid getting phished, it will also go a long way toward keeping their personal information as secure as possible.
- The prominence of e-commerce and online marketing means most people are inundated with situations where they could buy something online instead of going out to a specialty store for the good or service. One problem with this is that all the information the seller collects on you is then theirs. This is all personal information that needs to be secured away from the masses. Be sure that you teach your employees to only use secure websites and secure connections to provide information. You can tell a website is properly secured when the address bar reads “https://…”; the “s” stands for secure. Secure connections, on the other hand, are a little trickier. Asking employees to stay away from public, unsecured networks for banking, shopping, or anything that requires handing over personal information is a good strategy.
If you touch on these basics, they’ll be more informed, and more apt to keep your business’s information out of the hands of hackers.
Some other tips that you should pass along to your staff include:
- If you double-click the “lock” icon in the address bar of your browser when visiting secure sites, you can see the website’s security certificate. If it doesn’t show, or you get a warning that the certificate doesn’t match the site, don’t proceed.
- Even though phishing emails are getting more elaborate, the lion’s share of them aren’t personalized at all. Vague messaging asking for action is a huge red flag that you are dealing with a phishing attack.
- Since phishing attacks can use spoofed URLs (or what look like spoofed URLs), you’ll want to verify that any message that looks legitimate actually is before clicking on any link or opening any attachment.
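Two of the tips above (look for “https”, and don’t trust a link just because its text looks right) can be turned into an automatic check that a help desk or mail filter can run over a message before anyone clicks. The script below is an added example written for this post; it is not code from the author or from First Column IT. It pulls every link out of an email body and flags links that are not https, links whose visible text names one domain while the link actually goes to another, links to bare IP addresses, and internationalized (punycode) hostnames that can hide look-alike characters. The email body it scans is a constructed sample, and every domain in it is a placeholder under the reserved `.test` top-level domain, not a real site.

```python
# Added example for this post (not the author's or First Column IT's code): a
# small checker that applies two of the tips above to the links in an email
# body. For every <a> in the HTML it asks: does the link really use https, and
# does the domain the reader sees in the link text match the domain the link
# actually goes to? The email below is a constructed sample; every domain in it
# is a placeholder under the reserved .test TLD, not a real site.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one look-alike link, one honest link, one plain-text link.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked! Verify your identity within 24 hours at
<a href="http://secure-login.example-bank-verify.test/login">https://www.example-bank.test/login</a></p>
<p>Questions? Visit <a href="https://www.example-bank.test/help">https://www.example-bank.test/help</a></p>
<p><a href="https://www.example-bank.test/contact">Contact us</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.example-bank.test ->
    example-bank.test). This is deliberately crude: a production tool would
    consult the Public Suffix List so that co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def check_link(href, text):
    """Return a list of plain-language findings for one link; empty means clean."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        findings.append("link does not use https")
    if "xn--" in host:
        findings.append("internationalized (punycode) hostname; look-alike characters possible")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("link goes to a bare IP address rather than a named site")

    shown = DOMAIN_IN_TEXT.search(text)
    if shown:
        shown_domain = registrable_domain(shown.group(1))
        actual_domain = registrable_domain(host)
        if shown_domain != actual_domain:
            findings.append(
                f"text shows {shown_domain} but the link goes to {actual_domain}"
            )
    return findings


def scan_email(html):
    """Return [(href, text, findings), ...] for every link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if findings else "ok"
        print(f"[{status}] {text!r} -> {href}")
        for finding in findings:
            print(f"    - {finding}")
```

Run as-is, the script reports the first link as suspicious on two counts (plain http, and link text naming `example-bank.test` while the link goes to `example-bank-verify.test`) and the other two as clean. The domain comparison only looks at the last two labels, which is enough to catch the common “real brand name buried in a longer hostname” trick shown in the sample but would need a Public Suffix List lookup before being trusted on real mail.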
Today, training is mandatory for any business looking to properly secure its network and infrastructure. If you would like more information about phishing, the risks your outfit faces, and any other network security question you may have, contact the IT professionals at First Column IT today at 703-880-6683.