Phish is a psychedelic band known for jamming with an ecstatic fan base. Phish Food from Ben and Jerry’s features chocolate ice cream with marshmallows and caramel swirls sprinkled with fudge fish. The band and ice cream are not for everyone; gooey marshmallows and extended musical jams are acquired tastes.
Phishing, while decidedly less sweet than music and ice cream, is unifying insofar as nearly everyone with an email address is a target of this type of cybercrime. In 2020, the FBI called phishing the most common type of cybercrime. Verizon’s Data Breach Investigations Report reveals that phishing accounts for more than 80% of reported security incidents.
Understanding what phishing is and creating a plan for mitigation will help you and your fellow TPRM practitioners practice better cyber hygiene. To come to grips with phishing is to #BeCyberSmart!
What is Phishing?
Phishing is defined by NIST as “tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication.” Phishing is when an online attacker impersonates a legitimate person or organization and uses tactics such as email or malicious websites to obtain personal or financial information from a user. The attacker may also infect malware or viruses into a user’s device.
How To Avoid Phishing Threats
The best course of action to thwart a phishing attempt is to report the incident to your email provider and to notify your IT department. Take the time to observe unusual activity on your email accounts before taking action. If your financial accounts have been compromised, notify your financial institution as soon as possible. Consider filing a report with the Federal Trade Commission or Internet Crime Complaint Center (IC3).
Generally, it is important to educate vulnerable users (mom?!) and employees about phishing and to teach these users how to use proper anti-phishing hygiene. The following are a few best practices and tips for handling phishing threats:
1. Identify Red Flags
- Identify misspelling or grammar errors in emails
- Identify whether the sender is pressuring the recipient to urgently send their information, click a link, or download an attachment
2. Verify Source
- Research the person or organization (not with the links and attachments provided in the potential attacker’s email) and confirm if the sender is legitimate
- Pay close attention to the website URL (although the website may look identical to the authentic site, the fraudulent website may be using a misspelled word or a different domain such as .com versus .org)
- Contact the person or organization directly to verify if the information they’re requesting is legitimate (use the contact information you have from them prior to the incident or on an account statement)
3. Be Aware of Other Phishing Methods
While each of these methods takes a slightly different approach, all methods of phishing have the same goal: to abscond with your personal data.
- Vishing – phishing accomplished via voice, usually by phone
- Whaling – phishing attacks targeting an executive in an organization (the CEO, CFO, or any C-Level role)
- Spear Phishing – phishing attack targeting a specific group or role within a company
- Smishing – phishing method that uses text messaging (SMS) to execute the attack
- Search Engine Phishing – phishing method where hackers work to become the top hit on a search engine search
Think before you click and remember to report any emails, links, or attachments that may look suspicious. To learn more about how your TPRM program can reduce the risk of cyberattacks, register for our free webinar Threat Briefing: Real-World Cyberattacks On The Supply Chain, Tuesday, October 26, 2021, 11:00-12:00 ET.
Additional information on cybersecurity:
- Blogpost: 6 Reasons to Make TPRM Part of Cybersecurity Awareness Month
- Blogpost: Cybersecurity Awareness: The Suspense Is Killing Us!
- Blogpost: How To Be Cyber Smart – 5 Must Knows
- Blogpost: Workplace Safety, Security, and Data Governance