Phishing: Not Your Grandpa’s Afternoon

Many different types of phishing schemes are out there, and familiarizing yourself with them can better protect you against cyber threats that use these socially engineered methods.

It seems so easy. All you have to do is not click the link, or not open the attachment. But unfortunately, curiosity killed the cat and caused a loss of $5.9 billion in 2013 alone. Phishing is a lot different from Grandpa’s favorite pastime, and it can negatively affect any company, including yours. How can you keep yourself safe, and what good practices should you and your company adopt to keep from becoming part of the statistic? According to EMC, 63% of attacks were directed toward individuals and businesses in the U.S. How many of us are targeted every day? You can install security software on your laptop and keep your website updated, but you should also make sure user error isn’t the reason your company goes out of business.

An easy way to start is to learn what phishing looks like. Unfamiliar email addresses, unprofessional wording, requests for sensitive information – these are all commonplace and often seem more humorous than threatening. Phishing emails are, however, getting smarter and looking more genuine, complete with relevant logos and fake email addresses. Familiarize yourself with these types of emails by looking in your inbox. Cautiously tread through your spam or junk folder if you want, but remember that you’re better safe than sorry when opening emails, and especially when opening attachments. If an email landed in your junk or spam folder, it’s safe to say it’s there for a reason, and that reason probably has nothing to do with the canned meat your grandparents ate.
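The indicators named above (a display name that borrows a brand while the address comes from an unrelated domain, a Reply-To that routes answers elsewhere, wording that asks for sensitive information) can be checked mechanically. The script below is an added example, not from the original article; the brand-to-domain table, the phrase list and the two sample messages are constructed assumptions for illustration.

```python
# Added example: heuristic checks for common phishing indicators in a message.
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping of brand names in display names to their sending domains.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
# Phrases that typically accompany a request for sensitive information.
SENSITIVE_PHRASES = ("verify your account", "confirm your password",
                     "social security", "wire transfer")

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw: str) -> list[str]:
    """Return the indicator labels found in one RFC 5322 text message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    found = []
    # Display name claims a brand, but the From domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom not in domains:
            found.append(f"brand '{brand}' in display name, From domain {from_dom}")
    # Replies would go to a domain other than the apparent sender's.
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    # Wording that asks the reader to hand over sensitive information.
    found += [f"asks for sensitive information: '{p}'"
              for p in SENSITIVE_PHRASES if p in text]
    return found

# Constructed sample: lookalike sender posing as PayPal.
SAMPLE_PHISH = """\
From: PayPal Support <support@paypa1-secure.example>
Reply-To: billing@collect.example
Subject: Please verify your account

Click below to verify your account within 24 hours.
"""
# Constructed sample: ordinary mail with no indicators.
SAMPLE_CLEAN = """\
From: Dana <dana@example.com>
Subject: Lunch on Friday?

Same place as last time?
"""
```

Running `phishing_indicators` on the two samples flags three indicators for the lookalike message and none for the ordinary one; the checks are a teaching aid for what to look at, not a substitute for a mail filter.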

Another, more sophisticated version of this type of cyber threat is called spearphishing. In an effort to better convince the victim, the attacker studies the targets more carefully and deliberately chooses a small group of them. Obviously, this is a more dangerous attack because it’s crafted to be more believable, and therefore more likely to be opened. An example of this could be an email crafted to look like a recruitment plan, sent only to the HR department, or a fraudulent bill from a vendor, directed toward accounts payable.

In keeping with the phish/fish theme, another variant is called “whaling”, where spearphishing is taken to the next level and “bigger” targets are identified, usually corporate executives. The difference is that the scheme is highly tailored, often directed at one specific person. This could come in the form of an email directed toward the CEO, appearing to be correspondence from another executive or a specific client, or it could be a directed attack on a specific accountant that appears to come from the company executives.

There are many types of phishing attacks, and to best protect yourself, you need to be educated. You don’t need to be paranoid about every email you receive, but you should be aware. The key is finding out for yourself what phishing looks like. The more you pay attention, the more likely you are to catch potential phishing schemes and keep your company safe. You can google screenshots of phishing emails that look like invoices from Apple, Amazon, PayPal, eBay, and even Netflix, and you can read specific case studies of phishing attacks almost anywhere. Let’s hope the only education you don’t get is through personal experience.