FoxPointe Security Hub

Phishing : Fight the Phish

pci standard

What is Phishing?

Phishing is defined as a form of social engineering that use email or malicious websites to solicit personal information by posing as a trustworthy organization. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing is often in the news, with good reason.  This consistent cyber threat remains one of the major factors in account compromises over the past 12 months.  Phishing relies on social engineering, often using low tech or no tech methods of compromising accounts.  For this reason, technology alone cannot combat a good phishing scam.  Here are a few red flags to look out for and best practices to keep your and your organization’s information safe.

What to Look Out For in a Phishing Campaign

Phishing campaigns vary from quickly composed email messages with poor spelling and grammar to well-crafted messages that mimic official business communications.  It takes a trained eye to spot the red flags. Be wary of an immediate call to action. Your organization has policies and procedures put in place for a reason. Be suspicious of any request asking you to circumvent these polices.

Don’t follow links featuring headlines from natural disasters, celebrity gossip, major sporting events, or global pandemics.  These headlines are often crafted to elicit an emotional response and get users to click on links or open email attachments. True to form, scammers used the COVID-19 pandemic to try to trick users into opening up a fake COVID-19 Dashboard with the intention of installing the AZORult trojan to collect sensitive data.

Phishing Attack: Here Today, Back Tomorrow

Many phishing campaigns are short lived and only mildly successful; however, some phishers utilize a longer-term system called pretexting to increase the likelihood of success.  These criminals create a believable story to encourage building a trust relationship with them.  Over the course of a few communications, the criminal may ask for a money transfer, “assistance” opening an attachment, or private/personal information.  The processes of laying down the initial story help give credibility to the criminal and increase the likelihood of success.

What Can You Do to Protect Yourself from a Phishing Attack?

  • Take your time: If the email is important, it is worth handling correctly.
  • Enable Multifactor Authentication: This helps secure resources when someone falls for a phishing scam.
  • If you notice anything suspicious, report it: If you are unsure, most IT departments can help determine the legitimacy of the email message.
  • If asked to purchase and send a gift card, immediately break off communications: This is never how accounts are paid for.
  • If asked for a wire transfer, Do not send money via wire transfer: Once you send it, the money is gone forever. Your organization already has proper ways to pay legitimate vendors.
  • Never provide personal information such as Social Security numbers, health, or financial information via email: This could allow the criminal to steal your identity and access personal and corporate resources.
  • Don’t trust a link included in an email message: Find an independent way to verify the link, like Google.
  • Don’t trust phone numbers included in an email message: Find a known legitimate number and reach out to the business directly.
  • Do not click on unexpected email attachments: These attachments often contain malware which can compromise you and your organization’s environment.

Phishing is an old trick, but it continues to evolve. Watch out for red flags and report any suspicious messages to the appropriate team in your organization.

FoxPointe Solutions is Here to Help

To learn more about how to protect your business from a ransomware attack and how FoxPointe Solutions can help your organization get started, contact us today.