Phishing -- What is it and how can you avoid it?
In case you’re not quite sure what the term “phishing” means in the technology world, now is a good time to learn. Here’s some sobering information:
32% of breaches involve phishing (Verizon Data Breach Investigations Report (DBIR) 2019)
64% of organizations have experienced a phishing attack in the past year (Check Point Research Security Report 2018)
22% of organizations see phishing as their greatest security threat (EY Global Information Security Survey 2018)
59% of phishing attacks in the Americas relate to finance (NTT Security Global Threat Intelligence Report 2018)
On top of these statistics, Covid 19 has upped the game of many bad actors, as they have used the pandemic, with all of its data, funding applications, and confusion in general, to trick people into opening malicious emails and texts.
So, what is Phishing? Wikipedia defines it as the fraudulent attempt to obtain sensitive information, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
Following is a real-world and unfortunately very common example of a phishing compromise. An Office 365 phishing campaign is sent to ABC Company. The CEO of ABC Company clicks the Office 365 “Suspicious Login” link and gets directed to a fake Office 365 login page, where he enters his credentials. The bad actor now has Office 365 credentials for ABC Company’s CEO, and ABC Company is now compromised. The bad actor logs into the CEO’s email account and starts to investigate company communication and to build an organization chart for the company. Eventually, the bad actor emails ABC Company’s controller from the CEO’s email account, asking to change the account # for a wire transfer and states that it is urgent. Because he’s been watching the CEO’s email activity, the bad actor knows this is a good time to strike. The controller tries to call the CEO, but the CEO is on a 3 ½ hour flight and unavailable. The controller changes the account number for the $120,000 wire transfer, and the money is lost to the bad actor and his bad associates.
This scenario is very common and is also sent using fake FedEx, Google, Zoom, Amazon, and bank entities. These emails look very believable and sometimes even use real log-in pages to make them look even more legitimate. So with the “bad guys” being so good at what they do, what can be done to avoid being “phished”?
There are three common ways to protect yourself and your company from a phishing scheme – enable multi-factor authentication (MFA), create an external email warning, and train yourself and your staff on how to spot malicious emails.
According to the National Institute of Standards and Technology (NIST), MFA is “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.” Many popular business services, such as Office 365, G Suite, Salesforce, and Quickbooks, have MFA built into their services and only need to be activated for your organization.
The second way to help protect from phishing is by setting up an external email warning notice. When this is in place, all emails that originate outside of your organization’s email server will be flagged with a cautionary message. This helps slow down members of your organization, especially in the case of wire transfer and other requests from bad actors posing as company leaders.
By far, training can help prevent many phishing attempts. Simulated Phishing Attacks are phishing campaigns created by an organization’s IT provider/department to see how users in a company are reacting to phishing emails. Based on these campaigns, you can identify those in the organization who tend to click on the suspicious emails, and you can train them to better identify the danger.
The threat is real, but it can be prevented. Sometimes it might feel inconvenient to be required to log in multiple ways to an account or to scroll through an annoying looking external email warning, but it’s important to stay vigilant against phishing and the fraudulent damages it can incur on your organization. As always, Affinity Technology Partners tries to strike a balance between the very real business need of protecting against cybersecurity dangers and the very real business need of getting work done. Give us a call, we’d be happy to help you figure this out for your organization.