Phishing: Be careful, you might catch something!
Unlike its relaxing, enjoyable dockside or rowboat homonym, “phishing” is a fraudulent attempt to obtain sensitive information from someone. Sometimes, it’s easy to spot, but other times, it can be extremely complex and almost impossible to recognise.
Here are some tips to help keep you safe.
Cybercriminals are always keen to exploit any vulnerability. This might be a system release or even, as we’ve seen recently, a global pandemic. Indeed, over the past few months, the number of coronavirus-related malicious apps, phoney websites, and phishing emails has grown exponentially. And, with many business employees working from home these days, the IT-security landscape has likewise seen rampant expansion, with criminals now targeting this at-home workforce.
What is phishing?
Phishing is a form of internet fraud in which an email, text message, or social-media message purporting to be from a legitimate, trustworthy sender, such as a bank or government institution, encourages the recipient to provide personal information. Such information can include usernames, passwords, and credit-card details, ostensibly to confirm or update information that the legitimate organisation already has.
A phishing communication typically comes to a user through instant messaging or email spoofing, a form of spam email. It often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site. Simply, a person or organisation is “fishing” for sensitive data to then gain access to accounts or sell the information to a third party. Accounting software QuickBooks parent company Intuit, has been the recent target of a couple of phishing campaigns. In one instance, employees across multiple departments (with access to sensitive information) received emails containing what appeared to be legitimate invoices but was, in fact, malware.
Preying on uncertainty and trust.
During uncertain times, users are more vulnerable. Working from home during the COVID-19 crisis, for example, it wouldn’t be unusual for them to click on an email message that appears to be from their own IT support or the Australian Tax Office (ATO). It might be an email advising of a new software rollout “for your security” or the government saying you owe them money and will face consequences if you don’t pay X amount. And as good humans and global citizens, we want to trust But these days, unfortunately, we must be more careful when and with whom we place our trust.
The best forms of protection against these types of threats, apart from IT systems and security controls, are user training and knowledge. With suspicious emails or other messages, make sure you take the following measures:
- Check senders, email addresses, links, and buttons to make sure they're coming from legitimate, known sources. Before clicking anything, hover over buttons, links, and email addresses to view the links to which they will take you. Don't just trust the display name.
- Before signing in, always double-check the webpage's URL. Cybercriminals often redirect you through malicious sites that can make a fake email difficult to spot. This allows them to bypass link scanning by traditional security solutions. If the URL looks suspicious, don't enter your credentials and confirm it with your IT department. Your tech team will be happy you did so before compromising your system, the business’s, or both.
- Adopt a zero-trust policy. Ultimately, if you have any doubt, it’s best to check before clicking on or logging in to any message.
Training users to perform safety checks on emails or other messages they receive is a great first defence.
Putting in place a central IT communications hub for tech-related items is another important practice for keeping users informed of cyberthreats, application updates, security measures, new policies, and even the occasional hilarious IT meme. Keeping users on top of things will benefit the entire IT landscape and make your environment more secure.
Want to know more about how you can protect your systems and your business? Get in touch, we’d be glad to help.