Authored by: Mohan Areti and Danny Walker
As more organizations harness the power of big data and data analytics, the collection and storage of data puts organizations at great risk of cyber-attacks. Any collection of sensitive data and PII (Personally Identifiable Information) by you or your company could make you prime targets for cybersecurity attacks. Attackers are looking to steal sensitive information (SSNs, Bank Account Numbers, or Credit Card Details) or any other non-public information.
One of the most common and effective attacks being deployed against organizations of all sizes across all industries is phishing. Phishing is an attempt to access non-public or sensitive information through a disguised communication that appears to be from a known or reputable source (e.g. your organization’s IT department, or commonly used services such as Amazon, Netflix, or FedEx). Sophisticated attacks will even mimic your business associates or coworkers, oftentimes requesting you to do a simple task such as review a document or check your password security. Phishing attacks generally ask the user to click on a link or attachment, at which point malware (or other software) is installed on the computer, giving the attackers a pathway to access non-public data or obtain browser information.
Types of Phishing Attacks
There are several types of phishing attacks that are currently being used to gain unauthorized access to non-public data and/or systems. Being aware of these different types can help you and your organization best protect assets and identify an attack before it harms your company:
- Deceptive phishing: Impostors mimic legitimate internal contacts (IT departments or coworkers) or other legitimate companies (Amazon, Visa, FedEx) to make the user open a file or attachment without thinking twice about it.
- Malware-based phishing: Malware is distributed as an attachment to a phishing email, usually a malicious program embedded in a PDF or Word document. Nothing visible tells you the malware is there when you open the document.
- Key loggers and screen loggers: Malware that records user activity by capturing the user’s keystrokes and screenshots.
- Session hijacking: Exploits weakened internet browser security, allowing the attacker to steal cookies and active session information.
- DNS-based phishing: By hijacking the DNS (Domain Name System), web requests are redirected to phishing websites that appear identical to the actual website.
- Spear phishing: Phishing attacks designed to target specific groups of users (users of a product, employees of a company, or other user groups).
- Whaling: Phishing attacks specifically targeting senior executives and board members to attain special access or sensitive information.
Phishing Prevention: How Can Your Company or Organization Avoid Becoming a Victim?
Employees are the biggest cybersecurity risk to your organization, and frankly, all of the investments made by your IT department cannot stop an attack initiated when an employee clicks on the wrong link.
Ways to avoid becoming a victim of a phishing attack include:
- Educate your team: conduct security training for all employees as vigilant employees are the best weapon against a phishing attack.
- Deploy social engineering services: a social engineering service is a “fake” phishing campaign conducted by a third party that mirrors what a real phishing campaign would look like without compromising your data or system security. You can target certain employees or groups and customize how sophisticated you want the phishing campaign to be.
- Think twice before you click: Train employees that when they get an email from a suspicious source with web links and downloadable attachments, they should scan those web links before they click.
- Update your browser, antivirus and firewall: Apply updates regularly and keep all software and browsers in use on the latest version.
- Implement security controls: your IT department should install and maintain the most current email filtering software and email encryption.
- Report phishing activity: employees need to be trained to report possible phishing emails to the IT department. We also recommend reporting phishing activities to an outside party, such as the Anti-Phishing Working Group (firstname.lastname@example.org), which consists of a group of ISPs, security vendors, financial institutions, public and private organizations and law enforcement agencies. They use these reported emails to analyze the attacks and to design preventive controls.
There is Little to No Doubt that Your Company Will be Phished
You and your organization will be attacked. There is no way to avoid it. However, there are ways to avoid becoming the victim of a successful attack. Educating yourself and your employees is the best way to stop a phishing attack in its tracks. Social engineering services, vulnerability and penetration testing, and overall IT risk assessments can help prepare your organization to successfully handle an attack.
If your company is concerned about phishing prevention or cybersecurity, call Dave Hansen (585) 360-1481 or Danny Walker (716) 362-6274.