Although there are numerous types of phishing strategies, email phishing has proven year over year to be the most effective method attackers are gaining unauthorized access into your systems.
What exactly is email phishing?
Phishing is a type of social engineering attack often used to steal user data such as login credentials (usernames and passwords). It occurs when an attacker, disguising themselves as a trusted entity such as UPS or the IRS, tricks a victim into opening an email. Similar phishing attempts can be delivered through instant messages or text messages.
The recipient is then directed to click a malicious link or open an attachment, which can lead to the installation of malware or disclosure of account credentials. After an attacker has gained access to your account, they then start sending email as you, further propagating malware, only this time the source isn’t fake, it comes from a legitimate contact, you!
An attack can have devastating results. For individuals, this includes unauthorized purchases, direct financial loss, or identify theft. For business, it can lead to a major disruption in business operations, as is the case with ransomware, or financial loss through illegal EFT transactions via executive impersonation.
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam.
Does the email contain a link? DON’T CLICK IT!
Did your parents tell you to not take candy from a stranger? The same thing applies when it comes to unknown email addresses and links! Links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains.
Read over the links carefully. If the email appears to come from a trusted source, call them to verify before accessing the email. Educate your staff and peers on these potential email threats!
How do you prevent phishing?
Phishing attack protection requires steps to be taken by both users and enterprises.
For users, caution is key. A spoofed message often contains subtle mistakes that expose the true identity. Users should also stop and think about why they’re even receiving such an email.
For the enterprise, providing your employees with the skills to recognize a potentially dangerous email is critical, and not as hard as it once was. There are many options for security awareness training such as KnowBe4. KnowBe4 is the world’s most popular integrated platform for security awareness training combined with simulated phishing attacks!
Another key security control is Multi-factor authentication. MFA is the most effective method for countering unauthorized access and sensitive data disclosure, as it adds an extra verification layer when logging in to sensitive applications. MFA relies on users having two things: something they know, such as a password and username, and something they have, such as their smartphones. Even when employees are compromised, MFA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
Interested in learning more about phishing? Or how to educate your staff on identifying phishing campaigns? Contact us at info@icsnewyork.com