October 1st marks the beginning of the 18th annual Cybersecurity Awareness Month. Once again, the Federal Cybersecurity Information Security Officer (CISO) Council is proud to reinforce its commitment to safe and secure online behavior. Remote work continues to be the ‘new normal’, and cybercriminals are ramping up their focus on this expanded attack surface. Phishing attacks have been on the rise for decades, and cybercriminals seek to take advantage of weary workers. This method of attack continues to be one of the most dangerous threats to an organization because it is the easiest way to deliver malicious or weaponized payloads.
An organization’s first line of defense against phishing is training and awareness. Training, exercising, assessing, and re-training is the best way to improve the workforce’s ability to identify, understand, and prevent phishing attacks. With that in mind, here are a few tips to Fight the Phish!
Spear Phishing targets specific users by researching personal and publicly available information.
- Secure personal information online by setting social media accounts to private.
- Recall if you have received similar communication from the sender in the past.
Whale Phishing targets executives and other high-profile users. Social-engineering tactics trick users into initiating financial transactions or divulging sensitive information.
- Check privacy settings on social media and be careful what is shared.
- Vigilance is important since these attacks are harder to detect: they rely on social engineering to trick targeted users and do not always contain a malicious file or link.
Deceptive Phishing disguises itself as a credible sender and imitates a legitimate source to steal personal data.
- Inspect URLs to identify redirection to unknown or suspicious websites.
- Review sender’s email address for unfamiliar, misspelled, or odd domain names.
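The two Deceptive Phishing tips above (inspect where a link really points; review the sender’s domain for misspellings) can be applied mechanically to a message. The following is an added example, not part of the Council’s material; the allow-list of trusted domains and the sample email are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed allow-list of domains the organization legitimately mails from.
TRUSTED_DOMAINS = {"example.gov", "example-bank.com"}

# Constructed sample: lookalike sender domain, link text naming one host while the href points elsewhere.
RAW_EMAIL = """\
From: IT Help Desk <helpdesk@examp1e.gov>
To: user@example.gov
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Reset now:
<a href="http://login-reset.invalid/x">https://portal.example.gov/reset</a></p></body></html>
"""

# Simple regex anchor extraction (sufficient for the sample; not a full HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def edit_distance(a, b):
    # Levenshtein distance: catches one- or two-character domain typos such as "examp1e.gov".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    # Returns (indicator, detail) pairs for the sender-domain and link-destination red flags.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain.lower()
    if sender not in trusted and any(edit_distance(sender, t) <= 2 for t in trusted):
        findings.append(("lookalike-sender", sender))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()
            # Only URL-looking link text can lie about its destination.
            if URL_LIKE_RE.fullmatch(text) and host(text) != host(href):
                findings.append(("link-mismatch", host(href)))
    return findings
```

Running `phishing_indicators(RAW_EMAIL)` on the constructed message reports both the lookalike sender domain and the link whose visible text does not match its real destination.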
Clone Phishing resends a near-identical email to a user and replaces a valid link/attachment with a malicious version.
- Verify the legitimacy of identical emails received by contacting the sender via phone.
- Compare email with the original version to identify differences in link address or attachment size.
Angler Phishing masquerades as a social media customer service representative notifying a user of account issues while seeking to gain unauthorized access to credentials.
- Research the customer service account to ensure it is a valid account belonging to the social media platform.
- Contact the social media platform’s customer service department directly to verify the validity of the issue.
Vishing & Smishing imitate a known company and contact users via call or text in an attempt to steal sensitive information.
- Beware of false claims or frequent name-dropping of colleagues that tie the attacker to your organization.
- Recognize pushy and “too-good-to-be-true” offers like “act fast” and “sign up now.”
As you can see, there are a lot of fishy phish out there ready to attack if you let down your guard. Attackers are quite skilled at adapting their techniques to the situation, making it difficult to discern whether content is genuine or a potential threat. Take a moment to think about what you have learned and share this information with your colleagues, family, and friends. Cybersecurity awareness is a continuous process.
During Cybersecurity Awareness Month we want to focus on training and education that enables everyone to do their part to be cyber smart!