Headlines about a massive spear phishing attack on top U.S. officials’ Gmail accounts hit early today, leaving many to wonder, “Could this happen to me?” Nobody is immune to receiving a phishing email, but everyone can arm themselves with information and technologies that minimize the chance of falling victim.
Fraudsters have been using the classic phishing attack to steal user names and passwords for more than a decade, yet phishing remains a powerful method for account takeover because it relies on a human, rather than a computer, to carry out the requested action. Many savvy Internet users today know the telltale signs of a phishing attempt, for example: an unsolicited email from an unknown sender, a request to click a suspicious link or download a file, typos in an email that supposedly comes from a company they do business with, a request to verify confidential information, and so on.
But what if an email appeared to come from someone you knew, was addressed to you and others you knew, and was about a topic of interest to you? This could be an example of a more sophisticated attack called spear phishing, where the fraudster has done their homework and knows what they want and where to get it. Spear phishing emails are harder to spot because they have the elements of familiarity and relevance. They still rely on the end user to carry out the requested action, for instance, “Access my vacation photos here (click the link),” where the link leads to a phony login screen set up to steal user names and passwords.
There are various technologies in place today that put protection in the hands of end users, or, in the case of visual cues, in front of their eyes. For instance, Gmail offers 2-step verification, also known as 2-factor authentication, something that businesses have been using for many years to protect employees from account takeover. As for visual cues, many popular websites today show a green address bar (EV SSL) as a highly visible signal that a website is authentic. Below are other tips and best practices:
- Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them)
- Keep your operating system updated
- Use a reputable anti-virus program
- Enable two-factor authentication whenever available
- Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark
- Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted
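As an added example (not part of the original post), here is a small Python checker that applies several of the signs described above to the links in an email: whether a login link uses HTTPS, whether the visible link text names one domain while the href points at another, and whether a host merely contains a trusted brand's name without actually being that domain. The sample email, the trusted-domain list and the `.example` hosts are all constructed for the example. One caveat worth keeping in mind: HTTPS and a trust mark tell you that the connection to whatever site you are on is encrypted and that the site holds a certificate; they do not tell you it is the site you meant to visit, which is why the domain comparison is the heart of the check.

```python
"""Heuristic phishing-link checker (added example, not from the original post).

Given an HTML email body, extract every link and flag the warning signs the
post describes: a login link served without HTTPS, link text that names one
domain while the href points at another, and a host that merely contains a
trusted brand's name (e.g. "accounts.google.com.photo-share.example" is not
google.com).  The sample email and the trusted-domain list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the recipient actually has accounts with.
TRUSTED_DOMAINS = {"google.com", "mail.google.com", "accounts.google.com"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (adequate for .com-style hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href, text):
    """Return a list of warning strings for one link (empty list = no finding)."""
    warnings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        warnings.append("not HTTPS: credentials would travel in the clear")
    # Visible text that looks like a domain but differs from where the href goes.
    text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
    if text_host and "." in text_host and registrable_domain(text_host) != registrable_domain(host):
        warnings.append(f"display text says {text_host} but link goes to {host}")
    # A trusted brand name embedded in a host that is not actually that domain.
    brands = {registrable_domain(d).split(".")[0] for d in TRUSTED_DOMAINS}
    if not is_trusted(host) and any(b in host for b in brands):
        warnings.append(f"host {host} uses a trusted brand name but is not a trusted domain")
    return warnings


def scan_email(html):
    """Map each href to its warnings, keeping only links with findings."""
    findings = {}
    for href, text in extract_links(html):
        found = check_link(href, text)
        if found:
            findings[href] = found
    return findings


# Constructed sample: a spear-phishing style message with one legitimate link
# and two that should be flagged.
SAMPLE_EMAIL = """
<p>Hi all, the photos from the trip are up. Take a look:</p>
<a href="http://accounts.google.com.photo-share.example/login">Access my vacation photos here</a>
<p>Or go straight to your inbox: <a href="https://login.example.net/gmail">mail.google.com</a></p>
<p>Calendar invite: <a href="https://accounts.google.com/">accounts.google.com</a></p>
"""

if __name__ == "__main__":
    for link, link_warnings in scan_email(SAMPLE_EMAIL).items():
        print(link)
        for warning in link_warnings:
            print("   -", warning)
```

Running the module on the constructed sample flags the first two links (the "vacation photos" link is plain HTTP and hides a brand name inside an unrelated domain; the second shows `mail.google.com` as text but points elsewhere) and leaves the genuine `accounts.google.com` link alone. The `registrable_domain` helper is deliberately simple; a production filter would use the Public Suffix List so that hosts under `co.uk`-style suffixes compare correctly.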
And if you’re interested in sharpening your skills, take the award-winning Phish or No Phish challenge at www.phishornophish.com