Phishing for information

Over 60% of cybercrime is the result of human error. Approximately half of this accidental sharing of information is via “phishing” attacks – one of the top concerns listed by the FBI in its 2018 Internet Crime Report. Coupled with findings from the State of Privacy and Security Awareness Report that highlighted 70% of employees do not grasp web security and privacy, it is clear that there is a need to improve the education of our employees and highlight the importance of cyber awareness. Let us break down this online threat and examine ways to protect ourselves while improving our businesses at the same time.

What is Phishing? 
A phishing attack is a form of social engineering by which cyber criminals attempt to trick people into providing information (usually credentials or personal information) by creating and sending fake emails that appear to be from an authentic source. This is usually a trusted brand such as a government department, a retail store or a business. Phishing emails are typically well presented, using branding taken from legitimate sources and attempt to trick the recipient into entering basic information into a website that can be used for later attacks.

The new sport of Spear Phishing
Like most things in life, phishing has evolved through improvements in technology, availability of information, and the experience of our attackers. Enter “Spear Phishing”, the new sport for the sophisticated cybercriminal. Using information harvested from our online identities (e.g. Facebook, Instagram, LinkedIn, corporate websites, etc.) and combining it with data from previous breaches, cybercriminals are now able to customise and personalise their attacks to include phone calls, SMS messages and emails all designed to build trust and cause us to let down our guard.

With cybercriminals getting smarter and having better tools, how do we protect ourselves without this becoming a burden on our productivity? It is as simple as getting back to basics, trusting your instincts and being more personal in your interactions.

  • Don’t just blindly trust what you receive via text or email – If you had received the same message via the post, would you act on it without validating it first? Build controls into your processes that include contacting people (clients and suppliers) personally to verify information received via email. This includes unexpected attachments or links, as well as requests to supply information or change details.
  • Phones are for calling and consuming – Odds are that if you are working off a mobile phone, you are not focused entirely on the task at hand. Resist the urge to be more “efficient” by clicking through links and actioning emails you receive on your phone when between meetings or on the road. If it looks urgent, call the person using the number in your contacts and double check.
  • Messages that are designed to make you panic – Cybercriminals capitalise on fear and a sense of urgency. Pausing and remaining calm so that you can evaluate the hallmarks of phishing emails is an important step. Chances are, if it was really urgent you would have received a phone call, so consider calling them back using a number you know and trust. If it is a real request, the personal touch will be appreciated.

In a world filled with technology that is designed to make us more efficient and productive, it is easy to forget that personal relationships are what ultimately make us successful. It might actually be cybercriminals that cause us to reconnect and rediscover the value of human contact in our daily lives.