What to Look for and How to Prevent Phishing
To better understand what Phishing is, we need to understand what Social Engineering is.
Social Engineering is an attack on a user that typically comes from some form of social interaction. It usually preys upon the interpersonal relationships that occur in a workplace and tries to exploit them for access to personal information or a specified network/system.
What exactly is Phishing?
Phishing is a type of Social Engineering in which an attacker attempts to obtain sensitive information from users by spoofing an email or instant message. The attacker “spoofs” an email by making the email seem like it is coming from a trusted source. They do this by changing the source code in the email to make the header show a misleading name (usually any member of management or the IT team for a company) in the “From:” section of the email. They do this to make it seem like it is ok to send them sensitive company data and/or credentials for a system.
How can we know that the email we received is Phishing?
In order to spot a suspicious email, we can look for the following clues:
- Authority – The scammer will pretend to be from a position of power in order to scare you into clicking on a link.
- Intimidation – The scammer will scare you with the threat in the form of danger in order to get you to do what they want.
- Consensus – This is typically found in mass Phishing emails. The scammer will try to win you over by using something that society all has the same view on to manipulate you. For example, when COVID hit there were scammers who tried to get people to donate to a fake PPE organization and kept their money. They play on people’s good will for their own benefit.
- Scarcity – The scammer will make something feel like it is limited and scarce. This will make the user feel like they need to act quickly.
- Familiarity – This is usually established over a thread of emails/messages. This develops a relationship with the user and gains their trust by talking about things that you are “both” familiar with.
- Trust – The scammer will try to convince you by telling you that you can trust them no matter what.
- Urgency – Similar to scarcity, but specifically deals with deadlines that MUST be met.
Tips to protect yourself from Phishing
- Use security software on your computer and run regular software updates and security checks.
- Keep your computer up to date.
- Set your mobile phone software to update automatically.
- Use multi-factor authentication on your accounts.
- Always back up your data.
- Do not open suspicious or strange attachments.
- Avoid clicking embedded links.
- Always verify with others in person or over the phone when you receive any urgent or alarming emails.
- Use anti-spam filters.
- When receiving an email from a commercial business, check the phone number they provide in the email against the one they have listed on their website.