Cybersecurity: Beware of Sophisticated Phishing Attacks

By Chris Edwards
Manager, IT Services

Phishing attacks are nothing new, but lately they’ve reached such a level of sophistication that they have even fooled information technology experts.

Phishing, which is mostly encountered via email, tricks people into clicking on a link that appears legitimate in order to steal confidential data – or even your identity.

How bad is the problem? As many as 100,000 new phishing attacks are reported every month, according to the Anti-Phishing Working Group. The FBI even believes a phishing email is how Russian hackers infiltrated the Democratic National Committee servers, according to Wired.

The most common form of phishing involves convincing you to log in to an account you already have, such as your bank or email. It might say something like, “You need to update your account” or “Log in to see your benefits.” This is known as the “worm,” i.e. the bait that catches your eye and gets you to strike.

(In phishing, you are the fish!)

Clicking on their link takes you not to the actual website, but a dummy site the phishers have set up to mimic the real one. It can even have the same design and logos of the one you’re used to. Once you put in your username and password, they’ve caught you.

Lately phishing scams have been coming through Dropbox or other popular file-sharing services. We’ve even encountered them on lesser-known paid services like Sharefile.

Earlier in May, there were widespread media reports of a phishing scam that prompted recipients to open a Google Docs file. Since this is such a commonplace activity, many people clicked on the blue “Open in Docs” button without thinking. It would then take them to a site where they were asked to log in to their Google account.

Unfortunately, there really isn’t a strong defense against phishing other than warning your team to be vigilant. Spam filters will catch some of them, but since phishers change email addresses so often, many will get through to your inbox.

The simplest defense is to be wary. If something seems wrong about a message, it probably is counterfeit. You may receive an email from someone you know, asking you to open a document. But if you weren’t expecting a file from them, be cautious.

This is a good example of using existing technology to bolster another one. If you receive an email from a colleague you suspect is bogus, pick up the phone and ask them if they sent it.

Another option is to use two-factor authentication when logging into a secure site. This can be an automated phone call or text message to your phone in addition to the login you use on your computer. It’s much more difficult for phishers to steal your identity this way.

Also, be suspicious if a website asks you to log in to an account that you’re already automatically logged into when your computer boots up, such as the Google account you may use for Gmail. Take a look at the URL (web address) at the top of your browser. Or, you can mouse over a web link without clicking on it to obtain a preview of where it will take you.

If the web URL looks strange or doesn’t conform to the normal address you’re used to, that’s a big red flag. Talk to your company’s in-house IT professionals, or whoever your vendor is, if you’re unsure.
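The checks described above (look at where a link actually goes rather than what it says, and treat an address that doesn’t match what you expect as a red flag) can be automated for a whole message. The script below is an added example, not code from the original article: it pulls the links out of a constructed sample email and reports the same things a careful reader would spot by mousing over each link. The allowlist EXPECTED_HOSTS and the sample message are assumptions made for the illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the hosts this organisation's users normally log in to.
EXPECTED_HOSTS = ("accounts.google.com", "www.dropbox.com")

# Constructed sample message: one legitimate link, one link whose visible text
# is a Dropbox URL but whose target is a raw IP address, and one lookalike host.
SAMPLE_EMAIL = """
<p>A document was shared with you.</p>
<a href="https://accounts.google.com/signin">Open in Docs</a>
<a href="http://203.0.113.5/login">https://www.dropbox.com/s/report.pdf</a>
<a href="https://accounts-google.com.example.net/verify">Verify your Google account</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain (example.net from a.b.example.net); enough here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the red flags for one link; an empty list means nothing looked wrong."""
    flags = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        flags.append("not https")
    if is_ip(host):
        flags.append("raw IP address instead of a hostname")
    # Visible text that looks like a URL or domain but points somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        flags.append(f"text says {m.group(1)} but link goes to {host}")
    # Hostname that borrows an expected brand name but lives under another domain.
    for expected in EXPECTED_HOSTS:
        brand = registered_domain(expected).split(".")[0]
        if brand in host and registered_domain(host) != registered_domain(expected):
            flags.append(f"hostname contains '{brand}' but the domain is {registered_domain(host)}")
    return flags


def triage_email(html):
    """Return [(href, visible_text, flags), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, flags in triage_email(SAMPLE_EMAIL):
        verdict = "OK" if not flags else "SUSPICIOUS: " + "; ".join(flags)
        print(f"[{text!r} -> {href}] {verdict}")
```

The domain comparison is deliberately simple (last two labels), so it will misjudge hosts under country-code suffixes such as co.uk; a production filter would use a public-suffix list. The point is the pattern: compare what the link claims against where it really goes, and treat an unfamiliar domain wearing a familiar name as a reason to pick up the phone.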

The key is not to click blindly on every web link that shows up in your email inbox or on websites to which you’re directed. The best way to avoid getting phished is to not take the bait.

If you need to consult with an expert about protecting your company’s information systems, please call Chris Edwards at (317) 613-7855 or email [email protected].