Is your agency susceptible to phishing?
The answer is yes, your agency is indeed susceptible to phishing. Every organization that employs humans is. Large firms, government bodies and even security companies have been tricked. The primary vector for phishing is still email, and industry breach reports consistently find that roughly 30% of phishing emails get opened by the recipient.
What is phishing, exactly? Security expert Sophos offers this definition: "Phishing is the word used when a cybercriminal sends you some sort of electronic message to trick you into doing something insecure."
There are many variations of phishing, but here are the most common:
General phishing emails are mass mailings spoofed to look like they come from legitimate organizations, designed to trick the user into clicking a malicious link or submitting confidential information. They might impersonate a credit card company, a bank, an insurer or the IRS, for example. The emails usually carry a sense of urgency. And make no mistake: these spoofs can be quite sophisticated in their mimicry of the real thing.
Spear phishing is more targeted, either to an individual or an organization. It might be a message aimed at all employees of one company, spoofing the company president; or an email targeting all HR people, or all employees of a certain industry. Spear phishers generally have more information about their targets.
Whale phishing (also called whaling or executive phishing) is more targeted still. It is aimed at the CEO, CFO or other top-tier executives. Generally, the criminal behind the phish has researched the target, often from public sources such as the company website or social media, to make the pitch more convincing.
There are other forms of phishing: "smishing" through SMS or text messaging and "vishing" through voice calls or voicemail. Phishing also happens through social media, and similar techniques are used over the phone. Some phone phishers spoof the number shown on your caller ID, so a familiar-looking number proves nothing. Common phone scams include posing as the IRS to get you to send money, or as Microsoft tech support to get you to install software or grant remote access to your computer.
Malwarebytes, experts in advanced malware protection, recently posted a very useful article about how to detect phishing attempts. The article talks about the various types of scams. We found one of the most useful parts of the article to be the section about "Something's Phishy If" which offers excellent warning signs. We are excerpting the main points, but it is worth a read in full.
Something’s phishy if:
- The email, text, or voicemail is requesting that you update/fill in personal information.
- The URL shown on the email and the URL that displays when you hover over the link are different from one another.
- The “From” address is an imitation of a legitimate address, especially from a business.
- The formatting and design are different from what you usually receive from an organization.
- The content is badly written.
- Speaking of content, a phishing email almost always sounds desperate.
- The email contains attachments from unknown sources that you were not expecting.
- The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL.
Other good advice and resources can be found at the Anti-Phishing Working Group’s (APWG) site. The following tips are excerpted from their consumer guide on how to avoid phishing scams:
- Be suspicious of any email with urgent requests for personal financial information.
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic – call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
- Avoid filling out forms in email messages that ask for personal financial information – you should only communicate information such as credit card numbers or account information via a secure website or the telephone.
- Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.
- Regularly log into your online accounts to ensure that all transactions are legitimate.
- Ensure that your browser is up to date and security patches applied.
- Always report “phishing” or “spoofed” e-mails to the following groups: forward the email to firstname.lastname@example.org; forward the email to the Federal Trade Commission at email@example.com; when forwarding spoofed messages, always include the entire original email with its original header information intact.
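Several of the tells in both lists above can be checked mechanically before a human ever reads the message: the visible link text versus the real href, a "From" line that imitates a brand it does not belong to, a Reply-To that quietly routes answers elsewhere, and desperate wording. The script below is an added example of such a checker, not code from Malwarebytes, the APWG or this blog. The sample message is constructed for the demo, the `KNOWN_BRANDS` table is hypothetical, and `registrable_domain` is a deliberately crude two-label approximation of eTLD+1.

```python
"""Added example: score a raw email against phishing tells (visible URL vs. real
href, imitated From address, Reply-To mismatch, urgent wording). Sample is constructed."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> legitimate sending domain table. A real deployment would
# list the insurers, carriers, banks and vendors its users actually deal with.
KNOWN_BRANDS = {"examplebank": "examplebank.example"}

URGENCY_WORDS = ("urgent", "immediately", "suspended", "action required")

# Constructed sample: lookalike sender, mismatched Reply-To, a link whose visible
# text and real destination differ, and an urgent subject line.
SAMPLE_EML = b"""From: "ExampleBank Alerts" <alerts@examplebank-secure.example>
Reply-To: verify@mail-examplebank.example
To: you@agency.example
Subject: URGENT: your account will be suspended - verify immediately
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity on your account.</p>
<p><a href="http://examplebank.example.login-verify.example/secure">https://www.examplebank.example/verify</a></p>
<p>Questions? <a href="https://www.examplebank.example/contact">Contact us</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real code should use the public suffix
    list so co.uk-style domains are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _shown_host(text):
    """Host named by link text that is a URL or bare domain; None for plain words."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None


def check_links(html):
    """Tell: the URL you see is not the URL you are sent to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = _shown_host(text)
        if shown is None:  # "Contact us": no URL shown, nothing to compare
            continue
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(("link-mismatch", f"shows {shown}, goes to {actual}"))
    return findings


def check_sender(msg):
    """Tell: From imitates a brand it does not come from, or Reply-To differs."""
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(addr.rpartition("@")[2])
    name_key = re.sub(r"[^a-z0-9]", "", name.lower())
    for brand, legit in KNOWN_BRANDS.items():
        if (brand in name_key or brand in from_domain) and from_domain != legit:
            findings.append(("from-imitation", f"'{name}' <{addr}> is not {legit}"))
    reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and registrable_domain(reply_addr.rpartition("@")[2]) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}"))
    return findings


def check_urgency(msg, body):
    """Tell: the message sounds desperate."""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    return [("urgency", ", ".join(hits))] if hits else []


def analyze(raw_bytes):
    """Return a list of (tag, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    return check_sender(msg) + check_links(body) + check_urgency(msg, body)


if __name__ == "__main__":
    for tag, detail in analyze(SAMPLE_EML):
        print(f"{tag:18} {detail}")
```

Run against the sample it reports one link mismatch (the anchor text names `www.examplebank.example` while the href goes to `login-verify.example`), a From imitation, a Reply-To mismatch and three urgency words; the plain "Contact us" anchor is correctly left alone because there is no visible URL to compare. Note what it does not check: whether the site uses HTTPS. Encryption says nothing about who runs the server, so the domain comparison is the part worth automating.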
We'd add two things. First, a caveat on the "https" tip: the padlock only tells you the connection is encrypted, and phishing sites routinely obtain valid certificates too, so check that the domain in the address bar is the one you expect, not just that the lock is there. Second, train your employees, regularly raise awareness about safe email practices, and give them an easy way to report suspect messages rather than quietly deleting them.
Think you can spot a phish? Here are some phishing quizzes that you and your employees can take.