Phishing Information and Tips

Phishing is one of the most frequent cyber-attack methods in use today, and it affects all of us daily, often several times a day. Rarely does much time pass without receiving emails, voice menus, text messages, etc. that are not from the originators you expect. There is high awareness of these attacks, which try to obtain sensitive information about you, the company you work for, your bank and credit accounts, or any other information that needs to be kept confidential and out of the hands of cyber attackers looking to exploit it for various criminal acts. So what can we do to raise awareness further and to handle problem cases involving phishing attacks, beyond the normal training activities that we must all be well versed in?


Training will tell you that when you are in doubt about anything sent to you electronically (emails, voice mails, text messages, etc.) that pushes you to act quickly, or that contains button links that do not look like the kind the sender would normally use, you should contact the company and confirm that they sent it to you for the reason stated. Most of us have followed this process, which is mainly to not select the link, forward the email to the phishing-reporting site the true company provides, and then generally delete the email, voice mail, or text message. This is all well and good, but what if you get several of these cases per day, week, and month and do not always have the time to follow up on whether each one is a legitimate request or not?


When you do not have time to follow up with the company or organization named as the sender, there are some areas to watch for and think through in order to recognize what could be, or is, an attack that has been crafted so that it is not easy to detect. Many button links may come from phishing attackers and still not look abnormal, so the link alone may not tell you whether the true company or organization is the actual sender or requester. That brings us to the information being requested. Why does the sender need the information they are asking for? A recent example was an email that appeared to come from a credit company: on analysis it was very well crafted and did not readily look like a phishing email, even when hovering the mouse over the button link it provided. It requested the credit card number, security code, and similar information. This raises the question: why would the credit company ask for this information when it is certainly in their database, where their workers can easily access it if and as needed? This is a very good case for acting on deductive reasoning: flag the message or email as a possible violation, keeping it perhaps in a folder set aside for these cases, and when time permits forward it to the true company or organization in the way they require, which they may describe on their website, so that they can log and track the event. This saves a large amount of time, because contacting the company or organization by phone can take 15 minutes or longer just to get routed to the proper individual for assistance.


There are also cases where, as humans, we inadvertently make the mistake of providing information to an illegitimate source. In some cases we will then have to go through the process of reporting the mishap using the procedures laid out by the companies and organizations involved. But there may be cases where a correction after the fact resolves the issue quickly enough to prevent the attack from causing any harm. There have been cases where a request that appears to come from a company or organization you have accounts with asks for information such as a PIN. These requests can arrive in many ways, through messaging and voice menus, and the information provided will not always be used by the attacker immediately. If, for example, you provided a PIN in such a case by mistake, change the PIN right away, then monitor the account for abnormal events, and in parallel notify the company or organization so that they can watch for unusual events as well.


Phishing events can be a large nuisance to all of us, but there are ways to minimize the time and effort spent on them so that they do not have an impact on our daily lives, while still handling them so that catastrophic monetary, credibility, or other damage, and the time needed to correct a mishap, can be avoided. Awareness must go beyond the security training most of us have received and include practical experience and deductive reasoning, to combat attacks whose detection will continue to become much more complex as we move forward. Since it is always better to be safe than sorry, when in doubt do not provide information in response to a request, even if that means a legitimate requester must wait longer for a response, since most of us do not always have time to follow up immediately on every event presented to us. If the requester cannot wait, they can always send physical mail to homes, P.O. boxes, etc., a channel in which these types of invalid requests are much harder to perform, i.e. it cannot include links to access, and company or organizational information cannot be easily duplicated. Those physical mailings can then be followed up with the legitimate requesters accordingly, as there will be far fewer of them.


More articles by Peter Bruno
