Phishing Awareness and Prevention: A Comprehensive Guide
Purpose
The purpose of this document is to educate all employees about the risks of phishing attacks. Everyone must understand the importance of cybersecurity and their role in safeguarding the company's assets.
Audience
This document is intended for all employees who use company email accounts, access sensitive information, or interact with clients and external partners.
Topics Covered
1. What is phishing?
Phishing is a type of cyberattack that uses disguised email as a weapon.
These attacks use social engineering (exploitation of human psychology) techniques to trick the email recipient into believing that the message is something they want or need—a request for a password, for instance, or a note from someone in their company.
The goal is to get the recipient to click a link, download an attachment, or give up confidential information.
2. Types of Phishing Scams
Spear Phishing
Occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate personal detail(s) in order to appear more legitimate. These attacks are typically more successful because they are more believable.
Business email compromise (BEC)
Occurs when criminals target employees with CEO email fraud. The attacker impersonates a financial officer or CEO to trick the victim into initiating a money transfer or sending sensitive data to an unauthorized account. Typically the CEO or executive has previously been compromised through a spear phishing campaign, and their processes and procedures are monitored for a period of time. The attack takes the form of a false email that looks like it has come from the compromised CEO’s account, sent to a member of their team. The email appears to be important and urgent, and it requests that the recipient send a wire transfer or password-protected data to an external or unfamiliar bank account or location.
Clone phishing
Occurs when the attacker creates a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim was receiving the “same” message again. This attack is based on a previously seen, legitimate message, making it more likely that users will fall for the attack.
Smishing
Is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convince you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.
Smishing is on the rise because people are more likely to read and respond to text messages than email: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively.
Users are often less watchful for suspicious messages on their phones than on their computers.
3. How to recognize a phishing scam
Requests for your username and/or password – credible institutions and organizations will not request personal information via email
Time-sensitive threats (e.g., your account will be closed if you do not respond immediately)
Spelling and grammar mistakes
Vague or missing information in the "from" field or email signature
The "To" field contains multiple random email addresses or is alphabetized
Impersonal or unnatural greetings, such as “Dear Mr. account holder”
Unexpected files or downloads
Links that don’t refer to the sender or sender’s organization
Emails about accounts that you don’t have, such as eBay or PayPal, or banks that you don’t have accounts with
Asks you to reply to “opt-out” of a service
Plays on human emotions to evoke sympathy, kindness, fear, worry, anxiety, or excitement
You can check whether your email address has appeared in a known data breach at haveibeenpwned.com
4. How to Protect Yourself from Phishing
Do not access sensitive information on public Wi-Fi. Avoid logging into your banking, work email, 1Password, or other sensitive accounts on untrusted public internet connections, such as those in coffee shops.
Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
Something you have — like a passcode you get via an authentication app or a security key.
Something you are — like a scan of your fingerprint, retina, or face.
5. How We Are Managing Phishing as a Company
Regular Data Backups. Once a month we will back up all Dropbox, WPEngine, Bluehost, Airtable, and other content to an offline storage device such as an external hard drive. Coordinated efforts between development and design will be established to ensure these backups are completed and managed.
Ensure spam filters on Google are tested and active. Monitor Google spam filter settings and modify them as needed.
Enforce password policies. A minimum password length and required numbers and special characters help create complex passwords that are more difficult to guess or crack. Stay tuned for an official requirements list.
Require Multi-factor Authentication for all company-used apps and services. Keep an up-to-date list of all services and accounts that will require us to use multi-factor authentication.
Report any suspected phishing immediately. If you suspect an email or other communication is phishing or malicious, please take a screenshot and report it to Tia immediately; she will report it to the appropriate authorities.
Remember…
ABC. Always Be Cautious.
DDR. Don’t respond, Don’t click, Report it.
Finally, what do hackers do when they go on vacation? They go phishing.