Fundamentals of Information Security Awareness

Assuming you have an email account, which in all likelihood you do, it is almost guaranteed that at some point you have received a phishing email. Sometimes generically referred to as just ‘an online scam’, phishing attacks are not always as basic and easy to identify as some users may think. So what is phishing in computer terminology? Put simply, it is the number one threat most organisations face.

Once confined to a small corner of the online world, the ubiquity of online communication, particularly email, has made this form of information security attack incredibly common. It is also worryingly cheap: an attacker can send out millions of fraudulent messages almost instantaneously for next to nothing.

Phishing Defined

So, what is phishing? In computer terminology, phishing is a method by which criminals use fraudulent communications to extract sensitive information from unsuspecting victims, usually by impersonating trusted and authentic organisations.

Depending on the scammer’s objectives, the targeted information can range from relatively innocuous details such as company email addresses, all the way to passwords, credit card details or bank account numbers. What these details have in common is that they invariably help the attacker to extract money from the victim, either directly or by enabling a later attack.

The term originated in the mid-nineties (the ‘ph’ spelling borrows from ‘phreaking’, the earlier telephone-hacking subculture) and comes from the analogy of an angler casting a baited line and waiting to reel in the unlucky biters. In its basic form this type of scam is relatively indiscriminate in its targeting and relies primarily on scale to maximise profits.

More Phishing Terms Explained

Spear Phishing – A targeted phishing attack. Whereas a normal phishing attack may be a generic template sent out to millions of addresses, a spear phishing email is crafted for a specific, high-value recipient, often using details gathered from social media or previous breaches to make it convincing.

CEO Fraud – A form of spear phishing in which the attacker impersonates a C-level executive to issue fraudulent instructions, most often an urgent bank transfer. The impersonation can be achieved through email spoofing, a lookalike domain, or a genuinely compromised executive mailbox (in which case it is usually called business email compromise).

Vishing – A portmanteau of ‘voice’ and ‘phishing’. Relying on an over-the-phone component, this form of fraud and impersonation is likely to become more of a threat as deep-fake voice technology improves.

Smishing – A portmanteau of ‘SMS’ and ‘phishing’. Here fraudsters try to acquire sensitive information by text message, posing as banks sending confirmation messages, mobile networks, delivery companies or any other party with whom you may share personal details.

How Big of a Threat is Phishing?

It is estimated that almost 90% of organisations experienced targeted phishing attacks in 2019. Although only a tiny percentage of those phishing emails will have been effective, it takes only one mistake to compromise security and potentially give an attacker a foothold in the entire network.

The cost of these attacks continues to grow year on year, and despite this a surprisingly large number of organisations wait until a successful attack has already happened before giving the fundamentals of information security the attention they deserve. In fact, research shows that only 33% of businesses have cyber security policies in place.

How to Spot a Phishing Email

When members of a team ask ‘what is phishing?’ in computer classes or during information security training, one of the first skills the training should impart is how to spot a phishing email.

Although there are many different types, designs and objectives across the spectrum of phishing emails, there are several commonalities that can greatly assist any user in identifying malicious and fraudulent emails.

Attachments

For most business roles, sending and receiving attachments is a daily duty that does not command a great deal of attention. Precisely because it is so routine, users should be acutely aware of the danger that opening or launching an attachment can present.

Though spam filters, firewalls and anti-virus detection should filter out most malicious attachments, a file name should still be inspected and assessed before the file is opened. Non-sensical or particularly unusual file names should be treated with suspicion, as should unexpected file types.

Many file types can be harmful, but files ending in ‘.exe’ (and other directly executable types such as ‘.scr’, ‘.bat’ or ‘.js’) are especially dangerous, and emails containing them should be reported and deleted. Attackers may also attempt to disguise the file type within the name, e.g. FileName.pdf.exe. Because Windows hides known file extensions by default, such a file appears to the user as FileName.pdf while the operating system still treats it as an executable; only the final extension counts.
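As an added example (not code from the original article), the check below applies the file-name rules above to attachment names: it reports directly executable and macro-enabled types, the FileName.pdf.exe double-extension trick, and machine-generated names. It also covers two further disguises that work on the same principle and are not listed in the paragraph, whitespace padding before the real extension and Unicode direction-override characters that reverse how the end of the name is displayed. The extension lists and the sample names are constructed for this illustration, not taken from any real gateway.

```python
import re

# Constructed lists for this example; a real mail gateway would use far longer ones.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk",
}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".xlsb"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}

# Unicode bidirectional overrides: "Invoice\u202Efdp.exe" is displayed as "Invoiceexe.pdf".
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def split_name(name):
    """Split 'Invoice.pdf   .exe' into stem 'Invoice' and normalised suffixes ['.pdf', '.exe'].
    The final suffix is the one the operating system actually uses to choose a handler."""
    parts = name.split(".")
    stem = parts[0]
    suffixes = ["." + p.strip().lower() for p in parts[1:]]
    return stem, suffixes


def inspect_attachment_name(name):
    """Return the reasons an attachment file name looks suspicious (empty list = nothing found)."""
    reasons = []
    stem, suffixes = split_name(name)
    real_ext = suffixes[-1] if suffixes else ""

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable type {real_ext}")
    if real_ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document {real_ext}")

    # FileName.pdf.exe: a harmless-looking decoy extension in front of the real one.
    # Windows Explorer hides known extensions by default, so the user sees "FileName.pdf".
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS and real_ext not in DECOY_EXTENSIONS:
        reasons.append(f"double extension {suffixes[-2]}{real_ext}")

    # Runs of whitespace push the real extension out of view in narrow attachment lists.
    if re.search(r"\s{3,}\.[^.\s]+$", name):
        reasons.append("padded extension")

    # Direction-override characters reverse how the tail of the name is rendered.
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("direction-override character")

    # Heuristic for 'non-sensical' names: long hex strings or long stems with no vowels.
    if re.fullmatch(r"[0-9a-f]{12,}", stem.lower()) or (
        len(stem) >= 10 and not re.search(r"[aeiou]", stem.lower())
    ):
        reasons.append("machine-generated name")

    return reasons


if __name__ == "__main__":
    # Constructed sample names, from harmless to obviously hostile.
    for sample in ["Q3_report.pdf", "Invoice.pdf.exe", "Invoice.pdf           .exe",
                   "Invoice\u202Efdp.exe", "a8f3c2e9d1b7.docm"]:
        print(repr(sample), "->", inspect_attachment_name(sample) or "nothing unusual")
```

The important design choice is that the verdict is driven by the last suffix, exactly as the operating system does it, while the decoy, padding and override checks look at how the name will be shown to a person; a mismatch between the two is the whole point of the disguise.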

Urgency

Look out for specific keywords both in the body of the email and in the subject line. Very often the attacker will attempt to fluster or rush the recipient by stressing urgency with terms such as ‘ASAP’, ‘URGENT’ and ‘IMMEDIATE’, or with a deadline of a few hours.

This tactic, used in tandem with an assumed or stolen authoritative identity (a spoofed sender address or a compromised account), is employed in the hope that the victim will act before they have had time to question the request.

Although you will undoubtedly face genuinely urgent and unexpected tasks in your working life, the time should still be taken to verify such a request through an alternative channel, for example a phone number already on file rather than one supplied in the email, to minimise the chance of a mistake.

Address

Every email address can be divided into two distinct parts on either side of the @ symbol: the username (the local part) and the domain name. When looking for phishing emails, both parts of the address should be examined and judged, but it is the domain that determines who actually controls the mailbox.

To create a convincing address, scammers may substitute characters with lookalikes (e.g. m vs. rn, or 0 vs. o), or rearrange elements so that the address mimics a legitimate sender (e.g. tracking-ebay@gmail.co.uk for shipment-tracking@ebay.co.uk). In the second example the brand name has simply moved to the left of the @ symbol: the message really comes from a free webmail account, not from ebay.co.uk.

If in doubt about either the username or the domain of an address, before taking any action or clicking any links, look up the organisation’s official contact details independently (type the website address you already know into the browser, or find it through a search engine) and use those to confirm that the sender is genuine.

Links

The chief objective of many phishing attacks is to prompt the victim into following a link to a page that captures sensitive information, often by cloning an authentic and trusted company login page.

Frequently the links that lead to these phishing websites are disguised within the body of the email: the visible link text, or a button, looks legitimate while the underlying URL points somewhere else entirely. For this reason, before you click any link the real destination address should be thoroughly inspected.

On most phones this can be done by pressing and holding on the link without releasing, which shows the destination before opening it, whereas on most computers the same inspection can be done by simply hovering the cursor over the link and reading the address shown in the status bar. Though this may seem burdensome or redundant, skipping it risks exposing you and your organisation to all kinds of security problems.
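The address and link checks described in the two sections above, as an added example that is not part of the original article: the code splits a sender address at the @ symbol, reduces the host to its registrable domain, compares it against the domains we genuinely expect mail from (catching both the rn/m lookalike substitution and the tracking-ebay@gmail.co.uk rearrangement), and then does the same for every link in an HTML body, flagging any link whose visible text shows one site while the href points at another. The trusted-domain set, the example.net and ebay-secure-login.com hosts and the HTML snippet are constructed for this illustration; the simplified second-level-domain table stands in for the real Public Suffix List.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Simplified stand-in for the Public Suffix List: handles co.uk-style registries only.
SECOND_LEVEL = {"co", "org", "ac", "gov", "net"}
# Character sequences that look alike in common fonts, mapped to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample data: the article's own eBay addresses plus an invented set of links.
TRUSTED = {"ebay.co.uk", "amazon.co.uk"}
SAMPLE_HTML = """
<p>Your parcel could not be delivered.</p>
<a href="https://ebay.co.uk.tracking-update.example.net/login">https://www.ebay.co.uk/ship/track</a>
<a href="http://ebay-secure-login.com/verify">Confirm your details</a>
<a href="https://www.ebay.co.uk/help">Help centre</a>
"""

def registrable_domain(host):
    """'shipment.tracking.ebay.co.uk' -> 'ebay.co.uk'; 'mail.gmail.com' -> 'gmail.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2 else 2
    return ".".join(labels[-n:])

def skeleton(domain):
    """Collapse lookalike sequences so 'arnazon.co.uk' and 'amazon.co.uk' compare equal."""
    s = domain.lower()
    for look, canonical in CONFUSABLES:
        s = s.replace(look, canonical)
    return s

def judge_host(host, trusted_domains):
    """Classify a host name against the domains we genuinely expect mail and links from."""
    domain = registrable_domain(host)
    if domain in trusted_domains:
        return "trusted"
    for t in trusted_domains:
        if skeleton(domain) == skeleton(t):
            return f"lookalike of {t}"
        brand = t.split(".")[0]
        if brand in host.lower():  # ebay-secure-login.com, ebay.co.uk.example.net, ...
            return f"brand '{brand}' outside trusted domain ({domain})"
    return "untrusted"

def check_sender(from_header, trusted_domains):
    """Inspect a From: header value. Returns (display name, address, verdict)."""
    name, address = parseaddr(from_header)
    local, _, host = address.rpartition("@")
    verdict = judge_host(host, trusted_domains)
    if verdict == "untrusted":
        # tracking-ebay@gmail.co.uk: the brand sits in the local part, but the domain decides.
        for t in trusted_domains:
            brand = t.split(".")[0]
            if brand in local.lower() or brand in name.lower():
                verdict = f"brand '{brand}' in name/local part, domain is {registrable_domain(host)}"
    return name, address, verdict

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, trusted_domains):
    """Return (visible text, href, verdict) per link, flagging text/target mismatches."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict = judge_host(host, trusted_domains)
        # If the visible text itself looks like a URL or domain, it must match the real target.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            verdict = f"text shows {shown.group(1)} but target is {host}: {verdict}"
        results.append((text, href, verdict))
    return results

if __name__ == "__main__":
    print(check_sender("eBay Shipping <tracking-ebay@gmail.co.uk>", TRUSTED))
    for row in check_links(SAMPLE_HTML, TRUSTED):
        print(row)
```

Note that the first sample link is trusted-looking at both ends of the host name (ebay.co.uk appears as a subdomain prefix) and still resolves to example.net, because only the right-hand labels of a host name decide who owns it; that is the same rule that makes the domain, not the username, the deciding part of an email address.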

Protecting Your Business from Phishing Attacks

The steps you can take to protect yourself and your organisation from phishing attacks not only improve awareness of this specific scam, but also raise the overall vigilance and conscientiousness of the workplace.

By investing in employee education, through dedicated information security awareness training and simulated phishing campaigns, you take the first steps towards a security culture that complements the technical controls you most likely already have in place.

What is phishing in computer terminology? It is the number one threat, and awareness training is necessary to ensure that every employee understands it as a business-critical matter. Training helps to avoid the cost of recovery, keeps operations running uninterrupted and helps to protect your organisation’s reputation.