InfoSec Blog - Making Phishing Attacks History!
April 1, 2020
According to one study, "More than half of US organizations faced a successful phishing and or ransomware attack in 2019," and many of those attacks began with social engineering—ranging from simple to sophisticated. Social engineering involves the use of deceptive communication aimed at convincing the victim to do something the attacker wants them to do. Social engineering attacks commonly focus on generating a sense of urgency in a message that appears to come from a trusted contact.
Ransomware has become a standard payload for attackers in the United States. According to Gin Consulting, 9.5 million ransomware attacks were detected in 2019.
The information below is intended to raise awareness about avoiding these frequent social-engineering attacks, to promote common-sense information security protections and data-protection best practices, or to encourage more in-depth security discussions.
Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources. When someone you don't know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will then attempt to establish trust with you and get you to provide them with the information or access that they need. Often, the attacker does this by creating a sense of urgency.
One common social-engineering scam is the gift-card scam. The attacker poses as an executive. The "executive" will email the victim, ask if the victim is in the office, and begin a brief email exchange with the victim. The executive will tell the victim that they need to purchase one or more gift cards for other employees but that they are unavailable to do so. The executive will ask the victim to buy several gift cards and keep one for themselves. As the victim is worried about pleasing the executive, the victim goes through with the purchase, spending hundreds or thousands of dollars.
How do you avoid becoming a victim of these types of attacks?
- Ask yourself if the request makes sense.
- Check the email address of the sender. Does the sender's email address include an extension that you would expect (.edu, for example)?
- Whenever you receive an "urgent" email communication, the first thing you should do is contact the sender using another mode, such as phone or text message, and confirm that the email is legitimate.
- If something seems off to you, it probably is.
Ransomware is scary. Such an attack could make it impossible for you to retrieve documents on your computer. Using common-sense practices can help you avoid the pain of a successful ransomware attack.
So, how do you protect yourself from ransomware? One of the best ways to protect yourself is to create a good backup of your critical data. These backups should be available offline, for example, on a removable hard drive or tape. Having multiple backups that are stored in more than one location is best! For your work files, be sure to follow guidelines from your IT department.
Ransomware is often delivered via a fraudulent email with an attachment or link that, when clicked, installs a program that locks your files. Never open an attachment that you are not expecting without verifying with the source in another way (for example, via phone or text message) that the attachment is valid. When you are unsure, follow guidance from your IT department regarding how to handle questionable emails.
Phishing attacks are delivered via email. Most commonly, a phishing email uses a sense of urgency to direct the victim to visit a website designed to steal the victim's account credentials.
Some phishing attacks are straightforward, for example, "Update your password now!!!!" and can easily be detected because they typically are not written well (poor grammar and word choice). However, some attacks are sophisticated, look like they come from a trusted contact, are well written, and lead to a site that closely resembles the spoofed website. If you receive a communication that asks you to give your account credentials or personal information (for example, your social security number, birth date, or credit card number), DO NOT click the email link. Instead, go directly to the expected website and verify that the communication came from that organization. Always check with your IT department before following links that require you to enter your username and password.
By following these simple precautions and working with your IT department, we can make phishing attacks a thing of the past.
Source: Educause Security Awareness