Preventing Phishing
What is phishing? It's a social engineering tactic that uses something crafted to look legitimate in order to acquire user credentials or gather sensitive information. While it does not involve a fishing pole and lure, the tactic is very much like fishing. The hacker (the fisherman) dangles something that looks so legitimate, interesting, or convincing (the lure) in front of the user (the fish) that the user is tricked into taking the bait.
Keep in mind that spam and phishing are different things. However, spam tactics border on phishing in some cases, such as when a message asks you to join the sender's network or service. People are creatures of habit, and often of laziness. People often use the same or similar logins and passwords across multiple sites so that they don't have to memorize something new, which means a single set of stolen credentials can open many accounts. This is why phishing is such a massive threat.
Helping End Users Spot Phishing
A common example of phishing bait is a legitimate or official-looking email, such as an IT Security or Help Desk message, that threatens to close or lock your account unless you click the link, open the attachment, or follow the instructions to call a phone number. Out of fear, users unwittingly click the provided link and enter their credentials, or call the number and give out their information, only to hand it straight to an attacker.
Consider a scenario where you work for LogistixOne and you've received a legitimate-looking email. Let's analyze the email for phishing by asking the following questions.
- Did the email come from a real company email address? If you don't recognize the sender and the message includes a link or attachment, treat it as malicious.
- Were you expecting the email? Unless you've given your financial institution, cable provider, healthcare provider, or long lost cousin your work email address, you shouldn't be receiving anything at all. Treat it as malicious.
- Does the email have an official company header and contact information? It's poor policy and practice to send emails without identifiable company information. If you don't see it, treat it as malicious.
- Does the email language make sense? A lot of phishing emails originate from foreign senders and contain poor grammar or nonsensical content.
- Are any provided links legitimate? If you hover your mouse over the link (do NOT click it), a small popup will display the URL the link actually points to. If you don't recognize the website name (e.g. servicedeskit.com instead of LogistixOne.com), do not click on it. Treat it as malicious.
- Were you expecting an attachment in an email? If you weren't expecting an attachment, or it's named something generic like "Invoice 1234" or "Invoice Random Name", treat it as malicious. If you deal with attachments regularly, send an email to your business partners informing them of the approved format.
- Did your company's service desk or desktop team send the attachment? No respectable service desk or desktop team should ever send random attachments. Their instructions should be clearly visible and explanatory. They should also be able to remote into your computer without asking you to install something or provide credentials.
Occasionally, very sophisticated and clever phishing emails are received. If an email appears to pass all the checks but still seems questionable, for instance because it was sent to an unusual number of people, you can double-check who it actually came from using the email header. The header records the path the message actually took, and comparing that path with the displayed sender is very useful for identifying spoofed or fake senders. But that is a discussion for another time.
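The two checks that are easiest to automate are the link check from the list above (does the destination a link really points to match what it shows?) and the header check just mentioned (does the path the mail travelled agree with the displayed From address?). The following Python is an added example, not part of the original article: it runs both checks over a constructed sample message in the LogistixOne scenario. The sample headers, addresses and hostnames are invented for illustration, the trusted domain is passed in as a parameter, and the "registrable domain" helper simply keeps the last two labels of a hostname, which is a simplification (a public suffix list would be needed for names like example.co.uk).

```python
"""Heuristic checks for two phishing signals: a link whose real destination
differs from what it displays, and sender headers (Return-Path, Received)
that disagree with the displayed From address. Added example; the message
below is constructed, not a real email."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From header claims the company domain, but the
# bounce address, the first mail hop and the link target all point elsewhere.
SAMPLE_EMAIL = """\
Return-Path: <bounce@servicedeskit.com>
Received: from mail.servicedeskit.com (mail.servicedeskit.com [192.0.2.10])
\tby mx.logistixone.com with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000
From: LogistixOne IT Security <it-security@logistixone.com>
To: employee@logistixone.com
Subject: Action required: your account will be locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked in 24 hours unless you verify it.</p>
<p><a href="http://servicedeskit.com/reset">https://logistixone.com/reset</a></p>
<p><a href="https://intranet.logistixone.com/help">IT help portal</a></p>
</body></html>
"""


def registrable_domain(host):
    """Reduce a hostname to its last two labels (mail.example.com -> example.com).
    Simplification assumed for this example; real code needs a public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted_domain):
    """Flag links outside the trusted domain and links whose visible text is a
    URL naming a different host than the real href (the 'hover' check)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != trusted_domain:
            findings.append(f"link to untrusted domain: {href}")
        if re.match(r"https?://", text):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


def check_sender(msg, trusted_domain):
    """Compare the displayed From domain with the Return-Path domain and with
    the host named in each Received header (the header check)."""
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])
    if from_domain != trusted_domain:
        findings.append(f"From address is outside {trusted_domain}: {from_addr}")
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    if rp_addr:
        rp_domain = registrable_domain(rp_addr.rpartition("@")[2])
        if rp_domain != from_domain:
            findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    for received in msg.get_all("Received", []):
        hop = re.search(r"from\s+([A-Za-z0-9.-]+)", str(received))
        if hop and registrable_domain(hop.group(1)) != from_domain:
            findings.append(f"Received hop {hop.group(1)} is not in {from_domain}")
    return findings


def analyze(raw_message, trusted_domain):
    """Parse a raw RFC 5322 message and return all findings from both checks."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg, trusted_domain)
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    return findings + check_links(body, trusted_domain)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "logistixone.com"):
        print("-", finding)
```

On the sample, the first link is reported twice (its destination is outside the company domain and its visible text names a different host than its href), the Return-Path and the first Received hop are reported as disagreeing with the From domain, and the intranet help link passes because its host reduces to the trusted domain. A clean From address on its own proves nothing here, which is exactly why the header check is worth doing.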