Phishing; you need to be aware

Excerpts of this article are from “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud”, An Osterman Research White Paper Published April 2018

Phishing is one of the most popular ways to compromise a person’s or an organization’s data, and it can lead to additional harm to both. Organizations have been victimized by a wide range of threats and exploits, most notably phishing attacks that have leaked sensitive or confidential information accidentally through email.

When you receive an email asking you to verify your user ID and password, or other sensitive information, this may be a phishing attack. DO NOT RESPOND. Email of this type can be very deceiving and oh so realistic looking, but the reality is that you should never respond to email requests for information such as:

  • User IDs
  • Passwords
  • Debit or Credit Card numbers
  • Social Security Number, or the last 4 digits of your SSN
  • Expiration dates of your cards
  • CVV code on the back of your cards
  • Address
  • PIN
  • Account Numbers
  • Secure Access Codes

If you receive such a request via email, do not respond. Contact the IT department. We can help identify whether this is in fact a phishing scam. Our Helpdesk number is 4500, or contact us by email.

Threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social engineering attacks.

ISSUES THAT CONCERN DECISION MAKERS MOST

There are several cybersecurity issues that IT decision makers are concerned about. As shown in Figure 1, four of the top five issues of concern are focused on email as a key threat: phishing, malware infiltration and spearphishing. Spearphishing is like phishing but attempts to target specific individuals within an organization. Additionally, a few other cybersecurity threats are also of concern, including malware infiltration through Web browsing, data breaches, and account takeover-based email attacks.

Figure 1: Security Issues That Concern Organizations Most (Percentage Responding a “Concern” or “Major Concern”). ©2018 Osterman Research, Inc.

THREATS ARE BECOMING MORE SOPHISTICATED

Phishing, spearphishing and other threats have become more sophisticated over time. The relatively crude phishing attempts that tried to trick gullible users into clicking on a malicious link or opening a malicious attachment have evolved into sophisticated CEO Fraud/BEC attacks in which hackers will infiltrate an organization’s network, study its business processes, and then launch attacks aimed at specific senior executives. For example, a cybercriminal can infiltrate a corporate network undetected; search for things like wire transfer timing, amounts of these transfers and their recipients; executives’ travel schedules; etc.; and then craft a whaling attempt against a CFO with the goal of tricking him or her into transferring a large sum directly to the cybercriminal. These types of malware-less threats are becoming more common and are more difficult to detect using conventional security technologies.

USERS ARE A WEAK LINK IN THE SECURITY CHAIN

A key problem with cybersecurity – and an important reason that these attacks are successful – is the victims themselves. A large proportion of users are not properly trained about how to recognize threats like phishing, spearphishing, CEO Fraud/BEC, or ransomware attempts, and so they commonly fall for attacks by clicking on links or opening attachments in emails without thinking about the potential for harm that can result.

Please direct any questions or comments about any of these articles to your IT team.

Chris Glase

VP of Information Technology