Levi, Ray & Shoup, Inc.

Understanding phishing and reducing your risk

3/9/2020 by Chris Hill


Organizations today must continually be on guard for cyber attacks. IT departments establish cybersecurity protocols to protect against a breach of data or services. But what if a hacker could convince someone on the inside to “open the door” to their network? While it may seem unlikely, that is one of the most common cyber threats we face today.

Consider this scenario:

Let’s say you are going through your email inbox. You know to skip the spam that has managed to seep through the filter, and you begin answering legitimate work correspondence. One email appears to come from an important client with a purchase request for one of your services; attached to the email is an invoice. What you might not realize is that, although it looks familiar, this email has been spoofed. It was crafted by an attacker on the other side of the world who observed the interactions between you and your client, created the fake email, and attached a malicious file that would give him access to your computer.

This email scam is just one example of a phishing attack. Phishing (pronounced “fishing”) uses emails, SMS messages, or phone calls either to obtain a person’s personal information or to install malicious software on their device. These messages act as a digital Trojan horse that conceals the threat in the hope that the user will let it in. The scams range from targeted attacks against a specific individual to a broad phishing expedition aimed at a multitude of users.

Goal of Phishing Attacks

Some cyber criminals seek the personal information itself. They might spoof a website or create a phony request for information that will collect the information you input to steal your account, identity, or finances. This personal information can include usernames and passwords, social security numbers, bank accounts, credit card information, and tax records. Other criminals might be targeting access to your computer or network and will attach harmful software to the email. If the software runs, the criminal could cause damage to your organization’s data and network.

Phishing’s effectiveness lies in that the attacks incorporate a two-pronged strategy. First, they employ malicious programming, phony websites, or another technical method of compromising network security. Some of these methods can be blocked through different cybersecurity protocols, but many are disguised to fool the filter into thinking that they are legitimate websites or data files.

Next, the threat exploits the human factor of your organization to grant the criminal access: essentially, it looks for a person who is willing to let the drawbridge of the fortress down. The messages are designed either to convince the target of their authenticity or to elicit an emotional response that blinds the user to possible warning signs.

Types of Phishing Emails

The specific type of phishing email can vary, but here are a few commonly used tactics:

  • Emails from someone you know: We might assume that the email has come from a coworker, friend, or employee and ignore warning signs that might arouse suspicion. Watch for anything that seems out of character.
  • Emails from client businesses: These follow a similar tactic. Be cautious if the email makes an unusual request, includes a suspicious link or file, or uses odd language.
  • Emails disguised as trusted websites or organizations: These emails can be dressed up with imitation logos to create the impression that the email is from Netflix, the IRS, PayPal, or any other site you can imagine.
  • Emails that elicit an instinctual response: These emails have a shock value that creates a sense of urgency. The reader then begins to act quickly without stopping to evaluate the email. Some emails are obvious to avoid, like “Click here to claim your cash reward!” But also watch for emails like “Your account cannot be verified” or “View your shipment tracking information here”.

Warning Signs of Phishing

If these scams can be disguised as nearly anything, how can users possibly recognize them? Here are a few possible warning signs:

  • Poor spelling or grammar: Though these errors can be overlooked in a quick scan of the email, they can be a prominent red flag. Few legitimate organizations or individuals would send out an unproofread email. Would you expect Google to send a request for “emale varifaction”?
  • Look for a small lock icon next to the URL: If it is not there, you may be on an unsecured or phony site.
  • An email that seems excessively urgent or contains threats or incredible deals.
  • A modified URL: This could be a variation of spelling, a different address entirely that seems legitimate, or a different domain.
  • Attachments to an email: Ask yourself if you are expecting a file from that person. Do not open files from people or businesses you do not know.
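The “modified URL” warning sign above can be checked mechanically. The Python below is an added example, not code from the original article: assuming a constructed allow-list of trusted domains, it flags a link whose target is a near-misspelling of a trusted domain, swaps look-alike characters into it, buries it as a subdomain of another domain, or whose display text disagrees with where the link actually points.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list of domains this organization expects to link to (tuple keeps order stable).
TRUSTED_DOMAINS = ("irs.gov", "netflix.com", "paypal.com")

# Digit-for-letter and Cyrillic look-alikes often swapped into domains (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})

def hostname(url: str) -> str:
    """Lower-cased host of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.paypal.com' -> 'paypal.com' (no public-suffix list, kept simple)."""
    return ".".join(host.split(".")[-2:])

def assess_link(display_text: str, href: str) -> list:
    """Return the warning signs found for one email link; an empty list means none were found."""
    host = hostname(href)
    target = registrable_domain(host)
    if target in TRUSTED_DOMAINS:
        return []
    warnings = []
    # The visible text names a trusted site, but the link goes somewhere else.
    shown = display_text.strip()
    if "." in shown and " " not in shown and registrable_domain(hostname(shown)) in TRUSTED_DOMAINS:
        warnings.append("display text does not match link target")
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + host:
            # Trusted name used as a subdomain label: netflix.com.account-verify.net
            warnings.append(f"'{trusted}' used as a subdomain of {target}")
        elif target.translate(CONFUSABLES) == trusted:
            # Digit or Unicode substitution: paypa1.com, p\u0430ypal.com
            warnings.append(f"{target} uses look-alike characters for {trusted}")
        elif SequenceMatcher(None, target, trusted).ratio() >= 0.85:
            # Close misspelling: paypall.com, netfilx.com
            warnings.append(f"{target} is a near-misspelling of {trusted}")
    return warnings

if __name__ == "__main__":
    # Constructed sample links of the kind described in the article.
    for text, url in [("www.paypal.com", "http://paypa1.com/verify"),
                      ("Track your shipment", "http://netflix.com.account-verify.net/x"),
                      ("Sign in", "https://netfilx.com/")]:
        print(text, "->", url, assess_link(text, url))
```

Real mail clients often show an internationalized domain in punycode form (xn--…), so a production check should decode that form before comparing.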

What to Do if Phishing Occurs

You should report the suspected attack to your organization’s IT department. They can ensure that other users are watching for similar emails and prepare to contain any possible breach that may result. If you have questions concerning the authenticity of an email, never hesitate to verify it with the sender through another medium. Call, text, or compose a new email to the person the email is from and ask if they sent the email and if they attached any files to it. Never reply directly to the email in case it is malicious. If you are suspicious and cannot verify the email’s authenticity, delete it. Do not risk compromising your own identity or financials on a suspicious email.

Building a “No Phishing” Workplace

In our fast-paced world, the best thing you can do is to stop and think before clicking on something. If in doubt, delete. It is impossible to tell someone exactly how to detect or avoid these scams because tactics and tricks change every day and look increasingly realistic.

An efficient and robust cybersecurity strategy implemented by your organization’s IT department is your first line of defense. Learn all you can from IT security professionals about possible applications, programs, and technical controls that can filter possible threats from entering your employees’ inboxes.

Phishing threats do not rest solely on their technical capabilities, but also on the human factor they attempt to leverage. Malicious emails can still slip past even well-configured filters. In addition to implementing network security, it is also recommended to provide cybersecurity awareness training for your employees so that they can learn the warning signs and dangers of phishing attacks. This will reduce the impact of threats on your organization’s infrastructure and will also help your employees protect data and information in their own personal lives.

About the author

Chris Hill serves as our Security Practice Leader. Chris has more than 24 years of business and professional experience in IT and holds a Bachelor of Science degree in Electrical and Electronics Engineering.