Social Engineering 101: What is Phishing and How do I Prevent It?
What is Phishing?
Phishing is a series of communications that are sent in order to deceive individuals to provide sensitive information. Phishing can take the form of email messages, website forms, or phone calls and can be designed to reveal different information. This information can take the form of:
- Credit card or other financial information
- Social security information
- Account logins and passwords
- Personal Identification Numbers (PINs)
Phishing employs both technical wherewithal and social engineering in order to steal consumer information. Recent phishing attacks have used authorities like Gmail, Netflix and Drobox in order to trick users into inputting their information. More than 400,000 phishing sites were detected per month in 2016, reaching an all-time high.
Preventing Phishing Attacks
Preventing phishing attacks starts with education: the more that we learn about these types of attacks, the better that we are able to prepare employees. Creating a program for your organization to handle these types of attacks is important in preventing vulnerabilities.
- Report Attacks
Organizations should also incorporate a manner for employees to report these attacks. Creating a culture of awareness is one of the best methods in preventing sensitive information from being compromised.
If one individual in your organization receives a phishing attack, but notifies the IT department in order to inform them that an attack is occurring, the attack can be stopped in its tracks before the entire organization is compromised.
- Check the details
Typically, there are a few details that can indicate that an email may not be coming from a legitimate source. These tells include poor spelling and grammar, abnormal sender, and unfamiliar URLs.
- Abnormal requests
Requests for information that the sender should already have should be a red flag. For example, an organization emailing you to login to your account could be a key logging attack that will steal your password.
In a similar vein, account reverifications that require the input of information that you are not anticipating should be observed with caution. Activating two-factor authentication on all accounts can help identify when an email is authentic or a phishing attack.
- Implement policies that prevent attacks
General security policies that can help protect your organization as a whole include
- Only entering information on HTTPS-protected sites
- Utilizing anti-virus software to detect attacks
- Regularly updating and patching systems that could be corrupted
Implementing a strong culture of security, as well as policies that assist in preventing attacks is important in minimizing danger.
Erring on the side of caution is the best method to prevent phishing attacks, and if at any point you are uncertain of the authenticity of a call or email from an individual, contact the organization responsible or your own security professionals in order to assess the authenticity. Regular penetration tests, which can utilize social engineering situations similar to phishing, can help build your security program by identifying areas of weakness.
Is your organization ready to receive a penetration test? Contact the experience penetration testers at A-LIGN at firstname.lastname@example.org or 888-702-5446.