Phishing

Phishing is one of those words that sounds fun, but is actually pretty sinister. In short, it is a social-engineering practice where a victim is sent correspondence (usually via email) to convince them to provide valuable information such as bank details, card numbers or other sensitive information. As its name suggests, a phisher’s goal is to get you (the ‘phish’) to bite by luring you into their scam. This is often done by impersonating a reputable body and utilising various techniques to convince the victim that they are legitimate.

For example, an individual may receive an email from their energy provider inviting them to register with their site to receive a discount. The recipient sees that the format matches the layout of previous correspondence, clicks the available hyperlink and ends up on a webpage that allows them to leave their data and avail of the offer.

Little do they know, the email was a fake and the link was designed to take the individual to a site which fully replicates the look and feel of the original. This site can then capture any personal information and in some instances it even invites the user (or ‘phish’) to download a file which contains embedded malware. In one fell swoop you have handed over your personal data, and corrupted your computer’s hard drive.

The good news is that attacks like this can be prevented and, currently, phishing attacks can be bracketed into just three distinct types:
  1. Clone Phishing: This is where the phisher replicates the layout of an existing email and replaces the innocuous content with a malicious version of the file or document. This often appears as part of a chain of correspondence that is already taking place, so the subject bar may begin with a ‘Re:’ or a ‘Fwd:’.
  2. Spear Phishing: Here, the phishing attack is much more targeted. Before sending the email, these phishers will gather more personal information about their victim so that they can make their email look more accurate and therefore believable. This may include your home address, business details or even family names.
  3. Whaling: Characterised as an attempt to ‘land the big fish’, these emails will have language that is tailored towards the upper management. In escalating the issue, it is then hoped that any due process or common checks will be bypassed in order to resolve the reported problem.

When it comes to phishing and network security, knowing the signs is often half the battle. Here are a few tips for avoiding and combatting the phishers...

Forewarned is forearmed: Ensure that all staff are fully briefed and made aware of the risks inherent to any work they are undertaking. Briefing them on the principles of ‘phishing’, making sure they are aware of how phishing is commonly carried out, and familiarising them with any previous samples received can all help raise awareness of common tricks and traps.

Get the basics in place: Though it sounds simple, ensuring that your company’s spam filter is fully in place and running correctly will help prevent the content from reaching staff in the first place. Once up and running, a regular review will allow you to make any adjustments necessary to make sure that no genuine emails are being turned away.

Encryption: It is best practice to ensure that all sensitive information stored on your system or to be passed through email is thoroughly encrypted.

Close the backdoors: If your internal service allows HTML email, ensure this is not used.

Keep yourself to yourself: As phishing is carried out primarily online through your email service, always refrain from entering sensitive information on your correspondence and if you do, make sure that you trust the source.

Password protection: It should go without saying that using the same password for each site is an absolute no-go.

Hyperlinks: Before clicking on a hyperlink, hover the cursor over it to reveal the site that it is actually sending you to. If it looks ‘phishy’, don’t click it.
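The hyperlink tip can be automated: what the reader sees in the link text and where the link actually goes are two different things in HTML email, and a mismatch is a classic phishing indicator. The following is an added example written for this page (not code from the original article); the `suspicious_links` function, the trusted-domain list and the sample email body are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or URL-looking text ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def suspicious_links(html_body, trusted_domains):
    """Return (href, reason) for anchors whose real destination differs from
    the domain shown to the reader, or lies outside the trusted domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        real = _host(href)
        # Only treat the link text as a "shown" domain when it looks like a URL.
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif not any(real == d or real.endswith("." + d) for d in trusted_domains):
            findings.append((href, f"destination {real} is not a trusted domain"))
    return findings


# Constructed sample body modelled on the energy-provider example above.
SAMPLE = (
    '<p>Register now for your discount: '
    '<a href="http://energy-discount.example.net/login">www.example-energy.com/offers</a></p>'
    '<p><a href="https://www.example-energy.com/help">Help centre</a></p>'
)

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE, {"example-energy.com"}):
        print(href, "->", reason)
```

Run against a mailbox export, the same check feeds a spam-filter rule or a user-facing warning banner rather than relying on every recipient remembering to hover.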

Along with staff training, there are many companies that provide anti-phishing services and tools to help employees and system users to identify malicious emails or correspondence. These range from analysis of how data is stolen and how lost data could be recovered, to regular scans and reports on public machines to confirm they are free of malware. This may seem like a time-consuming task, but bear in mind that you can perform malware scans during the computer’s down time, or in the background while you are working on something else. By making that little extra effort, you could avoid the inconvenience (and embarrassment) of becoming a victim of phishing.
