Phishing for information
Individuals may find themselves targets of cyber security attacks because of their personal wealth, or because of the access and reputation they hold within a company. Those who run their own small businesses or are self-employed are just as likely to be targeted.
With so much of the world working remotely, attackers are exploiting an individual’s isolation to catch them unaware, without the support of corporate IT.
What does this mean?
Individuals are often targeted for the connectivity they provide: a foothold that grants the attacker access elsewhere, whether that is a larger corporate network or the individual’s own home network. Your personal information and data might be the target, or the goal might be credentials that can be reused to gain access to another party’s infrastructure.
Understanding the threat
In our experience phishing is one of the favourite methods of cyber attackers. We all see phishing emails on a regular basis: emails which appear to be from major online retailers or from a financial service provider. A recent example is the wave of fake emails and messages offering early access to the Covid-19 vaccine.
Phishing comes in a variety of forms:
• Via email: spear phishing (emails directed at specific targets), clone phishing (a legitimate email is replicated with a malicious link or attachment swapped in, and sent from a spoofed address) or whale phishing (directed at high-profile targets such as executives).
• Via other channels: smishing (SMS texts, where the sender name is set to look like a legitimate source) and vishing (voice calls, where the attacker uses publicly available information from your social media accounts to build a realistic pretext, then drops personal details about you or a supplier into the call to gain your trust).
A successful phishing attack results in the target unwittingly divulging credentials such as usernames or passwords, or in the attacker gaining access to a device via malware from a downloaded file.
Staying aware of phishing and reducing its likelihood of success
Tips to identifying potential phishing attacks:
• Check the domain the email has come from.
• Do not rely on the display name, as this is set freely by whoever creates the email; look at the actual email address.
• Look out for grammar and spelling mistakes.
• Don’t click on any hyperlinks without checking the URL; hovering your cursor over the link will usually reveal the real address, which can differ from the text shown.
• Don’t download or open attachments from unknown sources. Be suspicious of documents that ask you to enable macros, as this is a common method for downloading and installing malware such as ransomware.
• If in doubt, log in via the official website to check for messages, or phone customer service via the number on the website, not a number in the suspicious email.
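The first, second, fourth and fifth checks above can be performed mechanically on the raw message, which makes them easier to apply consistently. The following Python script is an added example and not code from the original page: it parses a constructed sample message (the sender address, link and attachment in it are invented for illustration) and reports the indicators a reader would otherwise check by hand: the real sender domain behind the display name, links whose visible text shows a different host from the one they point to, links to bare IP addresses, and macro-enabled attachments. `TRUSTED_DOMAINS` is an assumed allow-list that you would set for your own situation.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish). The display name claims to be a bank,
# the real sender domain is a look-alike, the link text shows one host but the href
# points to a bare IP address, and a macro-enabled spreadsheet is attached.
RAW_MESSAGE = b"""From: "Example Bank Security" <alerts@examp1e-bank-login.com>
To: you@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Dear customer, please <a href="http://203.0.113.5/login">https://www.example-bank.com/login</a> now.</p>
--BOUNDARY
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Assumed allow-list of domains the recipient genuinely expects mail from.
TRUSTED_DOMAINS = {"example-bank.com"}
# Office file extensions that can carry VBA macros.
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm", ".xlam", ".dotm")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL or bare domain; None if the text is not URL-like."""
    text = text.strip()
    if "://" not in text and not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return None
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower() or None


def phishing_indicators(raw):
    """Return a list of warning strings for one raw RFC 5322 message (empty if nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # Tip: look at the actual address, not the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {sender_domain!r} is not trusted (display name was {display_name!r})")

    for part in msg.walk():
        # Tip: check where a link really goes, not what its text says.
        if part.get_content_type() == "text/html":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                real, shown = host_of(href), host_of(text)
                if shown and real != shown:
                    warnings.append(f"link text shows {shown!r} but points to {real!r}")
                if real and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
                    warnings.append(f"link points to a bare IP address {real!r}")

        # Tip: be suspicious of documents that need macros.
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            warnings.append(f"macro-enabled attachment {filename!r}")

    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(RAW_MESSAGE):
        print("WARNING:", warning)
```

Run against the sample it prints four warnings, one per indicator. A link whose text is ordinary prose ("click here") is not flagged as a mismatch, because there is no host shown to compare against; only text that itself looks like a URL or domain is checked.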
Two Factor Authentication (2FA) is a great way to limit the damage should your credentials be compromised, because a stolen password alone is no longer enough: the attacker needs a second factor to get into your accounts. 2FA can be implemented in a variety of ways, such as:
• an authenticator app on a digital device which generates a short-lived code for you to enter,
• a code emailed to a secondary account, different from the one used to log in,
• an SMS message, or a physical token such as a hardware security key. SMS is the weakest of these, as the code can be intercepted if an attacker takes over your phone number (a SIM swap); a hardware key is the strongest.
2FA should be enabled whenever possible, as not only is it an additional level of security but it can also act as an early warning. If you receive a 2FA code or prompt but haven’t tried to log in, an attacker may already have your password and be trying to log into your account: change the password and do not approve the prompt.
In a world where we are always online and can always be contacted, we must remain alert to how we react to the information we receive. It is far better to reduce the likelihood of compromise with simple changes than to recover from a ransomware attack or a network breach, which can mean financial loss, lost time, lost data and a great deal of personal stress.
If you would like to discuss further how you can protect against phishing attempts then please get in touch by clicking the button below. One of our specialists would be delighted to help and will be in touch shortly.