PHIGHT THE PHISH
Written By: Chet Hayes
Throughout September and October, scores of fishermen converge on the Middle Fork of the Salmon River in the Frank Church-River of No Return Wilderness in Central Idaho. Their goal? To catch a Steelhead, which are large ocean-going rainbow trout. For 33 straight years, my father made this trip, and on occasion, I was privileged to tag along with hopes of landing ‘the big one.’ During these trips, I learned that Steelhead fishing takes patience and practice to learn how to deliver a presentation that convinces the fish to take the bait. On multiple trips, we would meet people who had not caught anything or had caught just a few fish after spending 50 hours on the river. In contrast, following the guidance of my father with decades of experience, we would usually catch several fish during our time on the river.
Today, a new type of ‘Phishing’ has emerged and is focused on catching ‘the big one’. We are no longer the fishermen; we are the fish. “These ‘Phishermen’ use a wide variety of tools and methods to create very convincing bait. In some cases, phishing is obvious and easy to spot. However, some phishing attempts are well done, and it becomes harder to recognize a legitimate message from an illegitimate one.” This raises the question in people’s minds on what they can do to defend themselves from becoming a ‘sucker’.
One of the best ways to defend against a phishing attack is to become better at recognizing what a phishing attempt looks like. The Federal Trade Commission published the following guidance: “Phishing emails and text messages may look like they’re from a company you know or trust. They may look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, or an online store.”[1]
Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may
say they’ve noticed some suspicious activity or log-in attempts
claim there’s a problem with your account or your payment information
say you must confirm some personal information
include a fake invoice
want you to click on a link to make a payment
say you’re eligible to register for a government refund
offer a coupon for free stuff
An example of one of the better ‘Phishing’ emails I have seen is attached below.
If an employee was not paying too much attention, this could easily be mistaken as a valid email. However, upon further inspection it says the email is from HR but the actual domain does not match the intended domain. In addition, the organization had put a rule in place to mark any email that comes from the outside as external. The final item was the URL which has been changed for the purpose of this article. The URL was a link that prompted a user to enter their credentials to access the supposedly new ‘Employee Handbook’. Any one of these items should have raised a red flag and caused the recipient to stop and think before taking any action.
So how do you defend against a Phishing Attack?
First, stop and think about what is being asked. Take the time to review the email and look for items that are suspicious. Does the sender’s actual email match who the email is from? Does the email use a generic greeting? If your company has rules to flag external emails, stop and think whether the request should be coming from outside the company. Look at the links within the email to see if they appear to be legitimate. Remember, that the URL you read on the screen might not be the actual link tied to that text. If there is an attachment, make sure you are sure that you know and trust the sender before opening any attachment or clicking on any link.
Second, enable Multi-factor authentication (MFA) on all accounts whenever possible. MFA solutions provide simple but effective deterrents to would-be hackers while greatly improving protection to both the individual and the organization. With MFA in place, it can still make it difficult for hackers to access a system if somebody does accidently fall for a phishing attempt.
Third, make sure your mobile phone and computer are updated automatically. This can help protect against evolving security issues.
Fourth, make sure your mobile phone and computer have security software installed and it stays up to date. This software can deal with many new and evolving threats and provide additional protection.
Many phishing attacks can be avoided by just taking a moment to think about what you are being asked to do, and a quick review of the email in question. If you take the time to review, enable MFA, keep your devices updated, and leverage security software you can ‘phight the phish’ and help prevent becoming the ‘sucker.’
[1] https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams