Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Employees possess credentials and overall knowledge that is critical to the success of a breach of the company’s security. A phisher’s success is contingent upon establishing trust with its victims.
Phishing messages appear to come from legitimate organizations such as PayPal, UPS, a government agency or a bank. The emails politely request an update, validation or confirmation of account information, often suggesting that there is a problem. The recipient is then directed to a fake site and tricked into entering sensitive account information.
- There was a 250% increase in phishing sites between October 2015 and March 2016.
- Attackers using phishing techniques became more aggressive in 2016, with keyloggers that have sophisticated tracking components to target specific information and organizations.
- The retail/service sector remained the most-targeted industry sector during the first quarter of 2016, with 42.71% of attacks.
- In Q1 2016, 20 million new malware samples were captured.
- Don’t follow links in unsolicited emails
- Don’t open attachments from unsolicited emails
- Protect passwords and don’t reveal them to anyone
- Don’t give sensitive information to anyone
- Closely examine a website’s URL: in many phishing cases the web address looks legitimate, but the URL is misspelled or the domain is different from the real one
- Keep your browser up to date and apply security patches
- Use anti-phishing software to detect phishing emails and websites
- Test employees using our PhishingBox phishing simulator
- Conduct phishing training sessions with mock phishing scenarios
- Keep all systems current with the latest security patches and updates
- Install an antivirus solution
- Schedule signature updates
- Monitor antivirus status on all equipment
- Develop a security policy that includes password expiration
- Deploy a web filter to block malicious websites
- Encrypt all sensitive company information
- Convert HTML email into text-only email messages
- Install antivirus as well as anti-phishing software
- Update anti-phishing software regularly
- Register with phishing detection websites
- Use browsers that aid in detecting phishing activities
- Use the PhishingBox phishing simulator
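Two of the controls above, examining a link’s real domain and converting HTML email to text, can be automated at the mail gateway. The following is an added example, not PhishingBox code or part of the original page: it renders an HTML message to plain text, extracts every link, and flags links whose host is not on an allowlist, looks like a typo-squat or brand-as-subdomain of an allowed domain, or whose visible text names a different domain than the href actually points to. The allowlist, the sample message and the two-label "registered domain" rule are constructed assumptions for the demo.

```python
"""Flag suspicious links in an HTML e-mail (added example, not PhishingBox code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation expects links to point at.
TRUSTED_DOMAINS = {"paypal.com", "ups.com", "example-bank.com"}

# Visible link text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs and the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


def registered_domain(host):
    """Crude registrable domain: last two labels (a real deployment would use the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a link host."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Brand used as a subdomain, e.g. paypal.com.account-verify.net
        if ("." + trusted + ".") in ("." + host):
            return "lookalike"
        # Near-miss spelling, e.g. paypa1.com (threshold 2 also catches
        # legitimate near-neighbours such as usps.com vs ups.com; tune per list)
        if edit_distance(reg, trusted) <= 2:
            return "lookalike"
    return "unknown"


def analyse_email(html):
    """Return (plain_text, findings); each finding is (href, visible_text, reason)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_reg = registered_domain(urlparse(href).hostname or "")
        if DOMAIN_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_reg = registered_domain(urlparse(shown).hostname or "")
            if shown_reg != href_reg:
                findings.append((href, text, "text/href mismatch"))
                continue
        verdict = classify_host(urlparse(href).hostname or "")
        if verdict != "trusted":
            findings.append((href, text, verdict))
    plain_text = " ".join(p.strip() for p in parser.text_parts if p.strip())
    return plain_text, findings


# Constructed sample message resembling the "account problem" lure described above.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, we detected a problem with your account.</p>
<p>Please <a href="http://paypal.com.account-verify.net/login">confirm your details</a>
or visit <a href="http://paypa1.com/secure">www.paypal.com</a>.</p>
<p>Track your parcel at <a href="https://www.ups.com/track">UPS tracking</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    text, findings = analyse_email(SAMPLE_EMAIL)
    print(text)
    for href, shown, reason in findings:
        print(f"{reason}: '{shown}' -> {href}")
```

Running it on the sample prints the text-only rendering followed by two findings: the brand-as-subdomain link is reported as a lookalike, and the link whose visible text reads www.paypal.com but resolves to paypa1.com is reported as a text/href mismatch; the genuine UPS link produces no finding. The mismatch check runs before the host check because a spoofed display text is the stronger signal, regardless of where the href points.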
There are multiple anti-phishing steps a company can take to protect against phishing. Companies must keep a pulse on current phishing strategies and confirm that their security policies and solutions can eliminate threats as they evolve.