Back to Basics, Cybersecurity

Back to Basics: Understanding Phishing

Back to Basics is a new article series highlighting important, but possibly overlooked, information that security professionals should know.

All businesses need to take steps to understand and combat shoplifting, including security professionals. While most shoplifting deals with people taking merchandise, phishing is a cybercrime in which information is stolen through deceit, which is used by criminals to commit identity theft and financial loss. Professionals should understand not only the different types of phishing, but also how to educate their users and protect company resources from being attacked.

Criminals pose as a legitimate company or organization to get this information. They do this in several ways, including:

  • E-mail
  • Telephone
  • Text messages
  • Social media platforms like Facebook and Twitter

The Federal Trade Commission (FTC), the U.S. consumer protection agency, reports that thousands of phishing attempts happen every day, and many are successful. Security professionals should educate themselves and their users on the ways phishing can be used to trick them.

Types of Phishing

Spear Phishing

Spear phishing focuses on specific individuals and organizations and is a targeted attempt to steal sensitive information, with the information being obtained through social media and company website research. An example is a personalized e-mail with a link that, once clicked, downloads malware.

Malware is short for “malicious software” and includes:

  • Viruses—codes in a document or file that support macros, also known as programming scripts, which can affect, corrupt, or destroy data
  • Spyware—gathers sensitive information like a keylogger, a program used to record keystrokes for passwords, and sends it to a third party
  • Ransomware—gains access to sensitive information, which is encrypted, or locked, by the criminal, who demands that the victim pay money to get it back unencrypted
  • Adware—advertisement-supported software that collects computer usage data and can redirect browsers to unsafe websites and contain spyware

Vishing

Vishing, also called voice phishing, utilizes:

  • Telephone—a live person or recorded message
  • Voice e-mail—a voice message using e-mail
  • Voice Over Internet Protocol (VOIP)—telephone calls over the Internet

A spoofed, or fake, caller ID is used so it looks like the person is calling from a legitimate company. These calls, according to the Federal Bureau of Investigation (FBI), are impossible to trace. An example of vishing is someone leaving a message on your voicemail stating there’s a problem with your bank account and asking you to call back to verify information.

Whaling

Whaling, also called Business E-Mail Compromise (BEC), is a sophisticated type of phishing that attempts to get sensitive information from company senior executives by e-mail using targeted information about an individual or the company. An example is an e-mail requesting permission to transfer funds between accounts.

Smishing

Smishing uses SMS, also known as text messages. An example is someone who receives a deceptive text with a Web link that asks for personal information. The U.S. Postal Inspection Service writes that shipping update texts the service sends do not include links, and urges people not to click on any text message links.

Clone Phishing

In clone phishing, attackers copy existing e-mails to make victims think they came from trusted friends or colleagues. For example, criminals might resend legitimate e-mails that had attachments or a link. Before they resend the e-mails, they write in the e-mails that they are an update and replace the attachments or links with ransomware or viruses.

Pharming

In pharming, malicious code is downloaded that redirects users who are attempting to visit a specific website to a fake one. According to the FBI, this is done by criminals who download malware on victims’ computers that changes their Domain Name System (DNS) server settings to replace good servers with bad ones. The department reports that malware could attempt to access all devices on a victim’s small office/home office (SOHO) network, which poses a risk to many businesses today, as more are working from home using company computers.

Ways to Spot Phishing

Cybersecurity professionals should remind users there are several ways to spot phishing attempts. The FBI says to watch out for:

  • Spoofing—an e-mail address, a sender name, a phone number, or a website URL changed by one letter, number, or symbol to look like a legitimate source
  • Requests for usernames and passwords
  • Unexpected correspondence
  • Bad grammar and poor spelling of an e-mail address or an URL, also known as the Web address
  • Request for personal information
  • Use of threatening or urgent language

If users accidently click on a suspicious link, they should:

  • Not enter personal information, and disconnect from the network.
    • Use antivirus software to scan the computer.
    • Notify their IT help desk immediately so the computer can be evaluated and quarantined.
    • Monitor their bank accounts, credit profile, and other online accounts for any irregularities if they gave personal information.
    • Forward the e-mail to companies they do business with that are mentioned in the e-mail.
    • Not reply to spam e-mails.

Are There Preventative Measures?

In addition to being wary of phishing scams, security professionals should ensure their company’s infrastructure and workforce can take steps to improve cybersecurity measures.

Here are five ways security professionals can improve cybersecurity:

  1. Have updated antivirus software, virtual private network (VPN), and firewall protection.
  2. Educate employees regularly.
  3. Keep knowledge of cybersecurity and physical security topics current.
  4. Require strong passwords of at least 12 characters, with a mix of letters and numbers.
  5. Enable multifactor authentication (MFA) for all accounts by requiring users to provide:
    1. A password or PIN
    2. A badge or smartphone (i.e., texting a code)
    3. A biometric, such as a fingerprint or face recognition

Security professionals seeking more information on how to protect their company’s assets should consult the FTC’s “Data Breach Response: A Guide for Business.”