Gone Phishin’ – The Human Element of Security

In the 2017 Symantec Internet Security Threat Report, there was a very noticeable uptick in phishing attacks. Phishing is a type of social engineering that starts with a lie and uses various methods to get some desired action out of a target. Most of the time that action is opening an email attachment, clicking a suspicious link in an email, or sharing personal information, usually under the false premise of some reward at the end. The best-known phishing attacks are the famous Nigerian Prince emails, which tricked people into handing over their bank details with the promise of a large payout.

Recently, Gmail was hit with a phishing attack that posed as a shared Google Doc and prompted users to sign in and grant access in order to open it. What made it convincing was that the login screen was completely legitimate: the attacker had registered a third-party application named "Google Docs", and the page victims saw was Google's own sign-in and consent screen, which handed that application access to their account. There have also been attacks on LinkedIn, where a user receives an alert that someone wants to connect with them. They follow the link, enter their login credentials on a spoofed site, and are then dumped onto the real LinkedIn page, completely unaware that their credentials were just stolen.

Targeted phishing attacks, known as spear phishing, have also been spreading. The attacker picks a specific target, collects information on them, and sends a crafted email that appears to be legitimate. The most common of these is CEO fraud, where the attacker spoofs the CEO's email address and writes to the IT or Finance department asking for an urgent wire transfer to an account the attacker controls, for one plausible-sounding reason or another. In the last two years, $5.3 billion has been swindled this way.

How do we protect ourselves?

Behind every single email you receive, there could be an attacker waiting on you to click a link.

  • Protect your information
    • Don't send information like bank details, birth date, Social Security number, etc. over email; a phone call or an in-person conversation is far more secure. If you absolutely must send information by email, make sure you know exactly who you are sending it to, and start a new message to an address you trust rather than replying to the thread (a reply goes to whatever Reply-To address the sender chose). Turn on two-factor authentication wherever a site offers it: logging in then also requires a one-time code from an authenticator app or a text message, so a stolen password alone is not enough. If you receive a login code you did not request, someone already has your password; change it.
  • Check the Address
    • Check email addresses for accuracy, and look at the actual address, not just the display name in front of it. A lowercase l looks a lot like an uppercase I when you're in a hurry, and rn passes for m. Make sure the name and the domain are spelled correctly. An address that looks like random letters and numbers is extremely suspicious.
  • Don’t click on that link
    • In most computers and email clients, hovering your mouse over a link will show you the full address you're being sent to, which can be completely different from the text of the link. If you're unsure about its authenticity, search for the domain name instead of clicking, or type the site's address in yourself.
  • Don’t open that attachment
    • Treat every single attachment you receive as if it were a bomb. Check the file size, check the extension (a name like invoice.pdf.exe is an executable, not a PDF), open it only in a sandbox or a disposable virtual machine, or forward it to your IT or security team for analysis.
  • Contact IT/Security
    • If you have any doubts, contact your IT or Security team. If you don't have access to one, send it to me! We are here to protect you. Don't ever feel like you're bothering us when you forward us attachments or links that seem suspicious. It's better to be safe than sorry!
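Several of the checks in that list can be automated. The script below is an added example written for this page, not code from the original post: it runs the address, link and attachment checks over a constructed sample message using only the Python standard library. The trusted domains (example.com, linkedin.com), every address, host name and file name in the sample, and the helper names (lookalike_of, host_in_text, analyse) are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "linkedin.com")  # assumed for this example: domains the reader expects mail from
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk", "docm", "xlsm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Characters routinely swapped in lookalike domains: l / I / i / 1 and 0 / o ("rn" for "m" is handled below).
CONFUSABLES = str.maketrans({"l": "1", "i": "1", "0": "o"})

def fold_lookalikes(domain):  # fold confusables so a lookalike compares equal to the genuine domain
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    lowered = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if lowered == trusted or lowered.endswith("." + trusted):
            return None  # the real domain or one of its own subdomains
    for trusted in TRUSTED_DOMAINS:
        # A confusable-character swap, or the trusted name buried where it is not the real suffix.
        if fold_lookalikes(domain) == fold_lookalikes(trusted) or trusted in lowered:
            return trusted
    return None

def host_in_text(text):  # hostname written in a link's visible text (URL or bare domain), else None
    match = re.match(r"(?:\w+://)?([\w-]+(?:\.[\w-]+)+)(?:[/:?#]|$)", text.strip())
    return match.group(1).lower() if match else None

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from an HTML body: what hovering over each link reveals.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw):
    """Run the checklist against one raw RFC 5322 message and return the findings as strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Check the address: judge the domain behind the display name, not the name itself.
    if msg["From"]:
        sender = msg["From"].addresses[0]
        imitated = lookalike_of(sender.domain)
        if imitated:
            findings.append(f"sender domain {sender.domain} imitates {imitated}")
    # Don't click on that link: the visible text and the real destination must agree.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower().removeprefix("www.")
            shown = host_in_text(text)
            if shown and shown.removeprefix("www.") != target:
                findings.append(f"link text says {shown} but points to {target}")
            imitated = lookalike_of(target)
            if imitated:
                findings.append(f"link to {target} imitates {imitated}")
    # Don't open that attachment: executable types and double extensions ("invoice.pdf.exe").
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {name} hides its real extension behind a document one")
        if pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is an executable type (.{pieces[-1]})")
    return findings

# Constructed sample message for this example; every address, domain and file name is invented.
SAMPLE = b"""\
From: "Pat Smith, CEO" <pat.smith@exarnple.com>
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://examp1e.com/login">https://www.example.com/finance</a>
and reconnect on <a href="https://linkedin.com.notice.invalid/">linkedin.com</a>.</p>
--BOUND
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

--BOUND--
"""

if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

Running it prints seven findings for the sample: the sender's exarnple.com is flagged as a lookalike of example.com, each link is flagged both because its visible text disagrees with its real host and because that host imitates a trusted domain, and the attachment is flagged for its double extension and its executable type. The folding is deliberately coarse (it also treats i and l as the same letter), which is the right trade-off for a triage script: a false alarm costs a glance, a miss costs credentials.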

It is really easy to fall victim to a well-crafted attack, but with awareness we can all greatly reduce the chance of losing our information.
