Phishing 101
November 04, 2024
The Basics of Phishing
Phishing uses the art of deception to get users to divulge sensitive information. An attacker will send emails that seem to be from a legitimate source, like a shipping reminder or bank notification, but are actually from a malicious source attempting to gather sensitive information from you. They're trying to get things like passwords, bank account information, or medical records. In most cases these are sent in bulk email blasts, targeting a wide variety of users in the hope that a few will bite.
What Are They Looking For?
The goal when sending phishing emails is the collection of sensitive information - things like bank accounts, usernames and passwords, and even medical or identity information. Hackers can use this information in other attacks, like compromising your accounts, or even just selling it on the dark web.
Common Phishing Techniques
Phishing attacks come in many forms; here are a few of the most common tactics:
Email Phishing
Emails can be sent by the thousands to trick users into clicking malicious links and attachments. These can lead to problems like business email compromise or the introduction of malware or ransomware.
Vishing
Attackers will make phone calls to unsuspecting users, trying to trick them into revealing sensitive company information. These could be as simple as a robocall about your car's extended warranty, or something as targeted as an attacker posing as a loved one needing emergency funds.
Smishing
Text messages containing malicious links can trick users into clicking things they shouldn't, entering credentials into fake websites, or introducing malware onto their devices.
Spear Phishing
Instead of casting a wide net, some phishing attacks are more targeted. These could be focused on a specific business, department, or individual. With prior research, attackers can specially tailor their attacks to give them a better chance of success with specific people or groups.
Link Manipulation & Content Spoofing
Attackers are crafty - they can create fake website domains and webpages that look just like sites you regularly visit. These can trick you into clicking on malware or inputting your credentials into a fake login page. Double check the websites you visit for URL misspellings or slight changes to the usual look of webpages.
Tips on Avoiding a Phishing Fail
We have put together our S.T.E.P. program so that you can take the first step in preventing phishing attacks for you and your organization.
STOP Before You Click
Don't interact with any email until you verify that it's harmless, especially if it has links or attachments. Ask yourself - were you expecting the email? Is it from someone you trust? A quick pause can make all the difference in avoiding a breach.
THINK About the Sender
Check for misspellings or character substitutions in the sender's email address, such as replacing "!" with "i" or the number "0" with the letter "O." If you don't recognize the sender, it's best to avoid clicking any links, opening attachments, or responding.
If it looks like someone you know is being spoofed, try to get in touch with them by other means, like a phone call. It's possible that their email account was compromised, so responding to the suspicious email may not be safe.
EXAMINE the Message
Check the email message for misspellings and improper grammar. Hover over clickable links to check the URL destination - does it look legitimate? Be suspicious of attachments, and only open them if you trust the sender. A sense of urgency can also be a sign of phishing.
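The sender and link checks described above (character substitutions in the address, near-miss spellings of a domain you use, and a trusted name buried inside a longer hostname) can be automated for a mail-gateway rule or a helpdesk triage script. The following is an added example and is not code from the original post. The trusted-domain list and the sample addresses and URLs are constructed for illustration, and the registrable-domain logic is deliberately simplified: it keeps the last two labels of a hostname and so ignores multi-part suffixes such as .co.uk.

```python
"""Lookalike checker for sender addresses and link destinations.

Added example, not part of the original post. It automates the checks the
post describes: confusable characters ("0" for "O", "!" for "i", "rn" for
"m"), one-character typosquats, and a trusted domain used as a subdomain of
an unrelated site. TRUSTED_DOMAINS and SAMPLE_INPUTS are constructed values.
"""
from urllib.parse import urlparse

# Constructed allowlist standing in for the domains an organisation actually trusts.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.example"}

# Single-character substitutions commonly used in lookalike names.
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "!": "i", "|": "l", "3": "e", "5": "s", "$": "s", "@": "a", "7": "t",
})
# Multi-character substitutions that a per-character map cannot express.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def extract_host(value: str) -> str:
    """Return the lower-cased hostname from an email address or a URL."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()  # mailbox@domain -> domain
    if "://" not in value:
        value = "http://" + value  # urlparse only finds the netloc after a scheme
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Keep the last two labels, e.g. login.example-bank.com -> example-bank.com.

    Simplification (assumption): public suffixes like .co.uk are not handled.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold confusable characters so a lookalike collapses onto the real name."""
    folded = domain.lower().translate(SINGLE_CHAR)
    for fake, real in MULTI_CHAR:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(value: str, trusted=TRUSTED_DOMAINS):
    """Classify a sender address or link as (verdict, domain, resembled_trusted_domain)."""
    host = extract_host(value)
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain, None)
    for good in sorted(trusted):
        # Trusted name used as a subdomain: example-bank.com.secure-login.net
        if "." + good + "." in "." + host + ".":
            return ("lookalike", domain, good)
        # Confusable characters or a single-character typo in the registrable domain
        if edit_distance(normalize(domain), normalize(good)) <= 1:
            return ("lookalike", domain, good)
    return ("unknown", domain, None)


# Constructed sample inputs: two genuine, three lookalikes, one unrelated sender.
SAMPLE_INPUTS = [
    "alerts@example-bank.com",
    "https://login.example-bank.com/verify",
    "support@examp1e-bank.com",
    "http://example-bank.com.secure-login.net/reset",
    "https://exarnple-bank.com/login",
    "news@unrelated-vendor.net",
]

if __name__ == "__main__":
    for item in SAMPLE_INPUTS:
        verdict, domain, match = assess(item)
        note = f"  (resembles {match})" if match else ""
        print(f"{verdict:<10} {domain:<22} {item}{note}")
```

Run it directly to get one verdict per sample. A "lookalike" result should trigger the post's advice (contact the apparent sender by another channel, report to IT) rather than an automatic block: the distance threshold of 1 is intentionally aggressive and will also flag very short unrelated domains, so it is a prompt for a human check, not proof of malice.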
PROVIDE a Report
If an email looks "phishy" it probably is. With any doubt, show the message to your IT department and get it verified. Make sure you know your IT department's policies so you can properly report phishing emails.