The theme of this year’s Cybersecurity Awareness Month – “See Yourself in Cyber” – focuses on how both individuals and organizations can better protect themselves from cybercrime. One of the most important steps we can all take is learning to recognize and report phishing attempts.
While phishing attacks are nothing new, the methods used to execute them are constantly evolving. Today, hackers are taking advantage of automation and other advanced techniques to increase the scale of phishing campaigns and better target victims. Regardless of the method, the goals of phishing attacks remain largely the same: to trick individuals into visiting fake websites that harvest their login credentials and other personal information, to get victims to transfer money, and to deliver malware. Information stolen via phishing is often sold on the dark web and/or used by attackers to gain access to network resources or to commit fraud and identity theft.
Attackers often try to pass themselves off as trusted individuals or organizations. Recently, a new phishing campaign began targeting US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims' devices. And in the last few weeks the Internal Revenue Service (IRS) warned Americans of an exponential rise in IRS-themed text message phishing attacks trying to steal their financial and personal information.
Phishing attacks have also gotten more personalized. Whereas standard phishing entails sending fraudulent emails in mass attacks while posing as a legitimate organization or person, spear phishing attacks target a specific person or organization and tend to be customized and detailed, making them more challenging to detect. Automated phishing tools and programs that cull social media networks and other places on the web where people post personal information are improving and accelerating the intelligence gathering that attackers conduct in order to personalize and target spear phishing. While these sorts of attacks require more effort, they tend to have a higher success rate.
Unfortunately, the reality is that if you’re online, you’re going to be the target of phishing. That’s why it’s so important for every individual user to do their part to stop phishing by being aware of the tell-tale signs of a phishing attempt.
- Keep an eye out for requests from managers or co-workers that seem out of the ordinary.
- Take note of misspellings and poor grammar; that is often an indicator that an email or text is from a bogus source.
- Check the full email address (or phone number) of the sender to ensure the message is from a legitimate source; delete it if it doesn't look right. But also keep in mind that attackers can spoof email addresses if your domain doesn't have the proper protections (like DNS filtering).
- In general, avoid clicking on links in correspondence. If you do click, always check the domain first to ensure it matches the site you intend to visit. (It’s always safer to type website addresses in manually.)
- Never download files from unfamiliar senders. Seriously, never.
- Forward suspicious emails to your IT or security department for closer inspection.
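The "check the domain before you click" advice above can be automated for the links in an HTML email. The following is an added illustration, not code from the original post or from WatchGuard; the intended site `bank.example` and the sample anchors are constructed for the example. It treats a link as suspicious unless the host a browser would actually connect to is the intended site or one of its subdomains, which catches the common tricks of hiding the real host behind a `user@` prefix, appending the trusted name as a subdomain of another domain, and using non-ASCII or punycode lookalike names.

```python
"""Check whether each link in an email points at the site it claims to.
Added example, not part of the original post; sample data is constructed."""
from typing import Optional
from urllib.parse import urlsplit


def link_host(url: str) -> Optional[str]:
    """Return the lowercase host a browser would connect to, or None if the
    URL is not a plain http(s) link.  urlsplit().hostname discards any
    userinfo, so 'https://bank.example@evil-host.example/' yields
    'evil-host.example', the host that actually receives the click."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")
    # Refuse internationalized or punycode (xn--) hostnames outright: a
    # lookalike built from non-ASCII letters cannot be the expected site.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return None
    return host


def points_to_site(url: str, intended_site: str) -> bool:
    """True only when the link host is intended_site or a subdomain of it.
    'bank.example.evil-host.example' and 'bank-example.example' both fail."""
    host = link_host(url)
    if host is None:
        return False
    site = intended_site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def suspicious_links(links, intended_site: str):
    """links: (visible text, href) pairs as found in an HTML email.
    Returns the hrefs whose real host does not belong to intended_site."""
    return [href for _text, href in links if not points_to_site(href, intended_site)]


# Constructed sample anchors; the first one is the only legitimate link.
SAMPLE_LINKS = [
    ("Sign in", "https://www.bank.example/login"),
    ("https://bank.example/verify", "https://bank.example.evil-host.example/verify"),
    ("Secure portal", "https://bank.example@evil-host.example/"),
    ("bank.example", "https://xn--bnk-example.example/"),
    ("Update details", "http://bank-example.example/update"),
]

if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_LINKS, "bank.example"):
        print("mismatch:", href)
```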
MSPs and MSSPs can better protect their clients by partnering with WatchGuard to implement hardware and software solutions that automate phishing protection and provide education to end-users in real time. WatchGuard’s Firebox devices and endpoint solutions provide DNS-level protection and content filtering. And if employees click on a malicious link, they can be immediately redirected to resources that provide education about phishing attacks and best practices for prevention. Additionally, WatchGuard’s Unified Security Platform™ provides precise analyses for each blocked attack and delivers it to IT administrators and MSPs for context and internal action.
But for individuals, stopping phishing starts with being vigilant. Above all else, think before you act. One thoughtless click could put your personal information or your company’s critical data at risk. Most phishing emails and messages come with a sense of urgency. Be wary of communications that ask you to act immediately. It's better to be safe than sorry, so slow down and ask for help if you’re not sure if a message is legitimate.
To report phishing attempts, spoofing, or to report that you've been a victim, visit www.ic3.gov to file a complaint. For more information on safeguarding your information, visit the StopRansomware.gov page.