SecureState Blog


A guide to identifying and preventing phishing attacks

Phishing is a social engineering tactic that attackers use to gain access to sensitive data. Social engineering attacks have grown in popularity over the last few years, and while end users have certainly improved at spotting a potential attack, attackers have improved their methods in step. Modern phishing websites and emails are increasingly sophisticated, often duplicating the styling and logos of familiar brands, which makes them hard for consumers to recognize.

Phishing scams, malware and other attacks can be hidden within e-cards from unknown senders, emails, coupons, fake advertisements, text messages and more. A study released by Kaspersky Lab found that almost 30 percent of phishing attacks in 2014 aimed to steal financial data from consumers, a marked shift in the behavior of cyber criminals. Below are some tips to help end users recognize and respond to potential phishing attacks.

What is Phishing?

Phishing is a low-tech attack that relies on human interaction, through email, text messages or advertisements, to trick users into handing sensitive data, or access to it, to the attacker. It is one of the simplest, yet most effective and harmful, methods available to attackers. As technology develops and user education improves, phishing attacks keep becoming more targeted and more convincing.

What Does it Look Like?

It can be hard to picture a phishing attack in the abstract, so here is an example of a phishing campaign:


Best Practices for Identifying Phishing Scams

As users become more informed and more familiar with phishing, attackers become more clever, and an increasing share of phishing scams are targeted at a specific organization or individual. Identifying them can be challenging; with proper user training and increased awareness, however, organizations and individuals can greatly reduce the potential damage.

1. Be cautious.

As emails and offers come in from retailers and other organizations, be diligent and proceed with caution, especially when a message asks you to act quickly, log in, or open an attachment.

2. Know who you are expecting to hear from.

Unexpected email is a warning sign, especially when it asks you to do something. Check who the message is really from before following any link or opening any attachment: look at the sender's actual address, not just the display name, since the display name can say anything the attacker likes.

3. Watch for simple spelling errors.

Obvious spelling and grammatical errors are a tell-tale sign of a phishing email. Not every email with a typo is a phishing attempt, but if you notice quite a few errors, look twice before engaging with the message.

4. Hover over links before clicking on them.

Hovering reveals the real destination, which can differ completely from the link text. If the destination does not match the domain you expect, or the expected name appears only as part of a longer look-alike domain, treat the message as phishing. When in doubt, do not click: open the site by typing the address you already know, or use a saved bookmark.
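The four checks above can also be run mechanically, which is what a mail gateway or a helpdesk triage script does, and running them over a sample message also serves as the worked example the "What Does it Look Like?" section calls for. The following is an added example written for this article, not code from the original post or from SecureState. It parses a constructed phishing message (the "ExampleBank" brand, the sender address, the look-alike domains and the trusted-domain list are all invented, using reserved example domain names) and reports sender-address, Reply-To, link-destination and urgency findings. The spelling check from point 3 is left to the reader, since a dictionary lookup adds little here.

```python
"""Phishing e-mail triage: the checks from the list above, automated.

Added example for this article, not code from the original post. The sample
message, brand, domains and trusted-domain list are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "ExampleBank" account-suspension notice.
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examplebank-secure-login.net>
Reply-To: recover@mail.example.org
To: victim@example.com
Subject: Urgent: your acount will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Dear costumer, we detected unusual activty on your account.</p>
<p>Please visit <a href="http://examplebank.com.verify-login.example.net/auth">
https://www.examplebank.com/secure</a> to verify your identity immediatly.</p>
</body></html>
"""

# Domains this recipient legitimately expects mail and links from (assumption).
TRUSTED_DOMAINS = {"examplebank.com"}
# Pressure language typical of phishing lures.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host, trusted):
    """True when a trusted brand name is embedded in a host whose registrable
    domain is not trusted, e.g. examplebank.com.verify-login.example.net."""
    if registrable_domain(host) in trusted:
        return False
    return any(t.split(".")[0] in host.lower() for t in trusted)


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (check, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Tip 2: who is it really from? The display name is free text; the address is not.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2]
    if registrable_domain(from_host) not in trusted:
        findings.append(("sender-domain", from_addr))
    if is_lookalike(from_host, trusted):
        findings.append(("sender-lookalike", from_host))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2] != from_host:
        findings.append(("reply-to-mismatch", reply_addr))

    # Tip 4: where do the links really go? Compare the href with the text shown.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in trusted:
            findings.append(("link-domain", host))
        if is_lookalike(host, trusted):
            findings.append(("link-lookalike", host))
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"{shown} -> {host}"))

    # Tip 1: pressure to act now is the lure; flag it rather than obey it.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_PHISH):
        print(f"{check:<20} {detail}")
```

Run stand-alone, the script lists seven findings for the sample: the sender's real domain is not the bank's, the brand name is embedded in a look-alike domain both in the sender address and in the link, Reply-To points somewhere else again, the link text shows the genuine site while the href goes elsewhere, and the subject and body lean on urgency words. The domain logic is deliberately simple (last two labels); a production filter would use the public suffix list so that names like example.co.uk are handled correctly.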

I Might Have Been Phished – Now What?

Regardless of how advanced technology becomes, human error will always play a role, and these attacks are prevalent precisely because they are difficult to detect and defend against.

Below are critical steps to take to limit the damage:

1. Notify your administrator or security team

Time is crucial in any attack. The sooner an end user notifies the right personnel, the sooner they can start monitoring, work out what happened as a result of the attack, and find out who else received the same message. Keep the original email (forward it as an attachment rather than deleting it) and tell them exactly what you clicked or entered.

2. Change passwords

Although this is a simple step, it can have a strong impact: it can lock the attacker out of any account whose credentials they now hold and stop them coming back into your networks. Change the password from a device you trust, change it everywhere the same password was reused, and turn on multi-factor authentication where it is available.

3. Report the attack

Several organizations can help after you believe you have experienced an attack. Security consulting firms such as SecureState can help identify what occurred and whether damage has been done, provide a plan to fix the damage, and develop a roadmap for staying secure.
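What the administrator does with that report is to scope it: who else received the message, who followed the link, and who handed over credentials, since those are the people whose passwords must be changed first (step 2) and whose sessions must be revoked. The following is an added example written for this article, not code from the original post or from SecureState. It walks a constructed mail-gateway log and a constructed web-proxy log (log formats, usernames, hostnames and timestamps are all invented) for the reported sender address and phishing hostname; the assumption that proxy usernames equal mailbox local parts is this example's, not something the article states.

```python
"""Scoping a reported phish from gateway and proxy logs.

Added example for this article, not code from the original post. The log
formats, users, hostnames and timestamps are constructed; mapping proxy
usernames to e-mail local parts is an assumption of this example.
"""
import re
from urllib.parse import urlparse

# Constructed mail-gateway log: delivery time, envelope sender, recipient, subject.
MAIL_LOG = """\
2014-11-03T08:02:11 from=<alerts@examplebank-secure-login.net> to=<alice@example.com> subject="Urgent: your acount will be suspended"
2014-11-03T08:02:12 from=<alerts@examplebank-secure-login.net> to=<bob@example.com> subject="Urgent: your acount will be suspended"
2014-11-03T08:02:12 from=<alerts@examplebank-secure-login.net> to=<carol@example.com> subject="Urgent: your acount will be suspended"
2014-11-03T08:15:40 from=<newsletter@example.org> to=<alice@example.com> subject="November offers"
"""

# Constructed web-proxy log: time, user, method, URL, HTTP status.
PROXY_LOG = """\
2014-11-03T08:05:03 alice GET http://examplebank.com.verify-login.example.net/auth 200
2014-11-03T08:05:41 alice POST http://examplebank.com.verify-login.example.net/auth/submit 302
2014-11-03T08:09:17 bob GET http://examplebank.com.verify-login.example.net/auth 200
2014-11-03T08:30:00 carol GET https://www.examplebank.com/secure 200
2014-11-03T09:12:45 dave GET http://examplebank.com.verify-login.example.net/auth 200
"""

MAIL_RE = re.compile(r'^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)"')
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def scope_incident(mail_log, proxy_log, sender, bad_host):
    """Given the reported sender address and the phishing site's hostname,
    return who received the mail, who followed the link, who posted a form
    to the site, and who reached the site with no delivery record (a
    forwarded copy, or a lure that arrived by another channel)."""
    received = {}
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(2).lower() == sender.lower():
            # Proxy logs key on username; assume it equals the mailbox local part.
            received.setdefault(m.group(3).split("@")[0].lower(), m.group(1))

    clicked, submitted = {}, {}
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, user, method, url, _status = m.groups()
        if (urlparse(url).hostname or "").lower() != bad_host.lower():
            continue  # carol went to the genuine site; that is not a click
        clicked.setdefault(user, ts)        # keep the first visit only
        if method == "POST":
            submitted.setdefault(user, ts)  # a form post is likely credential entry

    return {
        "received": sorted(received),
        "clicked": sorted(clicked),
        "submitted": sorted(submitted),
        "unexplained_visits": sorted(set(clicked) - set(received)),
        "first_delivery": min(received.values()) if received else None,
    }


if __name__ == "__main__":
    report = scope_incident(
        MAIL_LOG, PROXY_LOG,
        "alerts@examplebank-secure-login.net",
        "examplebank.com.verify-login.example.net",
    )
    for key, value in report.items():
        print(f"{key:<20} {value}")
```

On the sample data, alice both clicked and posted a form, so her credentials are assumed compromised; bob clicked but did not submit, so his machine is checked for anything downloaded; carol ignored the lure and visited the real site; and dave reached the phishing page without a matching delivery record, which means the message spread beyond what the gateway saw and the search has to widen.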