How to Avoid Being Duped by a Phishing Attack
The Q2 2015 Cyber Threat Report from cybersecurity firm CYREN reveals that phishing attacks increased 38 percent overall during the second quarter. Phishing is a technique criminals use to bait you into handing over sensitive corporate or personal information. Usernames and passwords, financial account details, Social Security numbers and basic contact information are the most common targets. Consumers with PayPal, Apple and Gmail accounts are frequent victims.
Phishers mimic the logos and websites of legitimate organizations, and pose as friends, business partners, clients, bank officials or IT staff. They hook their targets by fooling people into clicking malicious links or opening attachments that install malware. The criminals then use the compromised accounts and machines to attack the victim's contacts and colleagues.
Common phishing scams include:
- Phony requests to verify bank account or billing information
- Phony alerts of stolen credit cards or overdue payments
- Phony e-cards
- Phony job listings
- Phony prize-winning notifications
- Phony charities or political campaigns requesting donations
For its Q2 2015 report, CYREN looked beyond these types of attacks to examine phishing campaigns that seek intelligence or financial gain from businesses. The security analysts grouped these sophisticated attacks into two categories:
- Indirect Phishing Attacks. Cybercriminals use a series of phishing attacks to gather the organizational information needed for a broader campaign. For example, an employee using a personal Apple device might be tricked into revealing iTunes credentials, which would give the attacker access to the contact information of other staff. Or, by successfully phishing an employee who uses cloud-based company email (such as Office 365 or branded Gmail accounts), an attacker gains a platform for sending malicious emails that appear to come from a trusted colleague.
- Direct Phishing Attacks. Cybercriminals use phishing to obtain login credentials for actual business systems such as Microsoft Outlook. Because these credentials are frequently the same ones used for domain logins, a stolen password can give the attacker access to far more than email. Credentials for cloud-based services such as Dropbox or Salesforce likewise give an attacker direct access to company data.
There are simple ways to protect yourself and your business:
- Never send personal or financial data by email. Financial institutions and government agencies will never request this information by email.
- Don't click links or open attachments from unknown or suspicious senders, and don't click suspicious links from anyone. Hover over a link to see where it actually leads; the visible text and the real destination often differ, and a destination that is a bare IP address, or a domain that merely resembles the real one, is a warning sign. If a message asks you to act, look up the organization's phone number from its official website, not from the email, and verify the request by phone.
- Educate employees about which kinds of emails are dangerous.
- Make sure all security software, operating systems and browsers are updated automatically.
- Use centralized management tools for monitoring email threats.
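The "hover over the link" check above is something you can also automate on the mail gateway or in a training tool. The script below is an added example written for this page, not code from CYREN or the original article: it parses a constructed HTML email body, pairs each link's visible text with its real `href`, and flags the three patterns the hover check is meant to expose: visible text that names one domain while the link goes to another, links to a bare IP address, and punycode (`xn--`) hosts that can hide look-alike letters. The sample message, the domains in it and the `suspicious_links` helper are all made up for illustration.

```python
# Added example (not part of the original article): extract every link from a
# constructed HTML email body and report the cases a "hover over the link"
# check is meant to catch. All sample messages and domains below are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'last two labels' approximation of the registrable domain
    (fine for .com-style names; a production tool would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Return the hostname named by a URL, or by bare text such as 'paypal.com'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html):
    """Return a list of (href, text, reason) for links worth not clicking."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        # 1. Visible text looks like a URL or domain but the href goes elsewhere.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_part(text_host) != registrable_part(host):
            findings.append((href, text, "text names %s but link goes to %s" % (text_host, host)))
            continue
        # 2. Raw IP address instead of a hostname.
        if host.replace(".", "").isdigit():
            findings.append((href, text, "link goes to a bare IP address"))
            continue
        # 3. Internationalized (punycode) label that can hide look-alike characters.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, text, "punycode host %s may be a look-alike domain" % host))
    return findings


# Constructed sample: one honest link and three the hover check should flag.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please
<a href="http://198.51.100.7/login">verify your information</a> now.</p>
<p>Visit <a href="https://paypal.com.account-verify.example/">https://www.paypal.com</a></p>
<p>Or <a href="http://xn--pypal-4ve.com/">log in here</a>.</p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-45s %-30s %s" % (href, text, reason))
```

Run against the sample, the honest help link passes and the other three are reported. The registrable-domain comparison is deliberately simple; the point is that the string a reader sees is never the thing to trust, only the parsed `href` is.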
Phishing attacks are reaching epidemic proportions. Make sure your security systems are working properly and that your staff use common sense and extra caution when reading email.