Each year, the National Cyber Security Alliance spends the month of October sharing facts and information to spread awareness of the need to be cyber vigilant. Assuming that cyber does not apply to you can turn out badly. Phishing is one of the oldest types of cyber attack because it is effective.
Even though I have spent over 20 years talking and producing education regarding the proposition that “information” is the major industry under which eDiscovery, records management, and cyber practice operate, I was snagged by a phishing email. I was multitasking, wasn’t careful and simply filled out what I thought was an employee survey, and only when I was going to reply to the email asking for a comments box to be added did I realize what I had done. I heard the instructions of the breach response team in my head: DO NOT turn off your computer, disconnect your VPN, change your passwords, call IT. Even though that took only about 15 seconds, a large group had been penetrated.
Despite rarely getting the hype of newer threats, phishing has been a mainstay of the cybersecurity threat landscape for decades. In fact, 43 percent of cyberattacks in 2020 featured phishing or pretexting, while 74 percent of US organizations experienced a successful phishing attack last year alone. That makes phishing one of the most dangerous “action varieties” for an organization’s cybersecurity health. As a result, proper anti-phishing hygiene and best practices are an absolute must.
Know the Red Flags of Phishing
Don’t forget that these phishes come from master criminals who make content and interactions engaging and appealing. From content design to language, it can be difficult to discern whether the content is genuine or a potential threat, which is why it is so important to know the red flags.
Some of these phishers will go to the trouble of scouting your town for events, setting up spoofed event sites, and then emailing your organization with offers to attend the event at a discounted price. Both the site and the email can look real at first glance, but on closer inspection they are far from authentic. Take two or three hard looks and be sure before clicking or forwarding, and ask HR or IT whether the email is legitimate.
Verify the Source
If you receive a suspicious email, don’t fall for it! Phishing content can come in many forms and may try to impersonate someone close to us, such as a family member or friend. The best way to avoid these scams is to contact that person directly yourself, rather than by replying to the message.
Be Aware of Vishing and Other Phishing Offshoots
8 years ago, in 2013, the GPO indicated that 97 percent of documents were born digital. Many of you reading this probably do not receive more than 10% of your letters or documents in paper form. The point is that digital transformation has changed processes for many of us over the last decade. It has also brought greater awareness of phishing to more of the population.
Cybercriminals have begun to diversify their phishing efforts beyond traditional email. For example, voice phishing — or vishing — has become a primary alternative for bad actors looking to obtain sensitive information from unsuspecting individuals. Like conventional phishing, vishing is typically carried out by individuals posing as a legitimate organization — such as a healthcare provider or insurer — and asking for sensitive information. Most people I know have gotten the “IRS call” wanting our information. This is an example of vishing. There are also text-message attacks seeking information. The simplest protection is to make sure you know who you are talking with.
Simply put, it is important to transform the way we think about cyber. It is the only problem we all have, and there is no one who is not at risk in one way or another.
Phishing may be “one of the oldest tricks in the book,” but it is still incredibly effective. And although it may be hard to spot when you may be in the midst of a phishing attempt, by exercising caution and deploying these few fundamentals, individuals and organizations more broadly can drastically mitigate the chances of falling victim to a phishing attack.