Since its inception in 2004, the United States Government has declared October Cybersecurity Awareness Month. While we celebrate the importance of cybersecurity, it is a good time to reflect on ways we can prevent harmful data breaches that can damage the integrity of an organization. One of the most common cybersecurity attacks is phishing. Let’s take a look at what phishing attacks are, and ways we can prevent them.
What is a phishing attack?
A phishing attack is a social engineering attack designed to steal user data (credentials, card numbers, personal details) by posing as a trusted party: a colleague inside your organization, your bank, or a service you use. These attacks come in the form of an email, text message, or even phone call. Usually the message contains a malicious link; clicking it can lead to a fake login page that harvests your password, or to malware being installed. That malware can lead to detrimental breaches of data by putting viruses, ransomware, or spyware on your device.
Example - Spoof bank text message
In this example, the attacker is posing as an alert from the fictional “American Bank”. It prompts the user to click a link to reset their account PIN. This link could lead to numerous password scam attempts. For example, it could redirect to a spoof PIN-reset page where the user is prompted to enter both their old and new account credentials. The attacker captures the old password as it is typed and uses it to log in to the user's real bank account.
What are some ways to prevent phishing attacks?
The most important aspect of preventing phishing attacks is proper employee education. Here are some useful tips to help:
1. Learn to spot a phishing message
- First-time or infrequent senders- It is not uncommon to receive a text or email for the first time from someone within your organization; however, it is good practice to double-check the address or phone number when a message arrives out of the blue.
- Check for grammar and spelling errors- Poor grammar is a common trait of phishing messages. These errors may be the result of clumsy translation from another language, or they may be intentional attempts to bypass filters that try to block these attacks.
- Suspicious links or unexpected attachments- Validate the address before clicking any link or opening any attachment. To see where a link really goes, hover your mouse over it without clicking and compare the address shown with the one written in the message; a mismatch is a strong warning sign.
- Calls to action- A common attacker tactic is to ask the recipient to buy gift cards for the company, or to create urgency (“your account will be closed today”) so you act before you think. If a message pushes you to do something unusual right away, report it immediately.
- Unsecured URLs are a red flag, but “https” is not proof of safety- Never click a link that does not use “https”. Be aware, though, that the padlock and “https” only mean the connection to the site is encrypted; they say nothing about who runs the site, and most phishing pages today use https as well. Check the domain name itself, not just the padlock.
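The two link checks above (does the visible address match the real target, and does the domain look like the genuine one) can be automated. The following is an added example written for this post, not code from Botsplash or from any mail filter; the email body, the fictional bank domains and the `TRUSTED_DOMAINS` allowlist are all constructed for the demo. It pulls every link out of an HTML message and reports a plain-http target, visible text that points somewhere other than the real `href`, punycode hostnames, and look-alike domains found by edit distance against the trusted list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for this demo (not a real message). It contains
# one legitimate link, one link whose visible text hides a different target,
# one plain-http link and one look-alike domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account PIN must be reset today. Visit
<a href="https://login.american-bank-secure.example/reset">https://www.americanbank.example/reset</a>
or see your <a href="http://www.americanbank.example/statements">statements</a>.
Get our app: <a href="https://www.amer1canbank.example/app">download</a>.
Questions? <a href="https://www.americanbank.example/help">help center</a>.</p>
"""

# Assumed allowlist: domains the fictional bank really uses.
TRUSTED_DOMAINS = {"americanbank.example"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname ('www.x.example' -> 'x.example').
    A real tool would consult the public-suffix list; this is enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as amer1canbank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons a link is suspicious; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)

    if parsed.scheme != "https":
        reasons.append("not https")

    # The "hover" check: visible text that looks like a URL must match the real target.
    if re.match(r"^https?://", text):
        shown_host = urlparse(text).hostname or ""
        if registrable_domain(shown_host) != domain:
            reasons.append(f"text shows {shown_host} but link goes to {host}")

    # Internationalised hostnames can render as look-alikes of Latin letters.
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname")

    if domain not in trusted:
        close = [t for t in trusted if 0 < edit_distance(domain, t) <= 2]
        if close:
            reasons.append(f"look-alike of {close[0]}")
        else:
            reasons.append("domain not on trusted list")
    return reasons


def analyse_email(html, trusted=TRUSTED_DOMAINS):
    """Map every link target in the email body to its list of warnings."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL_HTML).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Run as a script it prints one line per link: the help-center link is clean, the statements link is flagged for plain http, the app link is flagged as a look-alike of the real domain, and the PIN-reset link is flagged both because its visible text differs from its target and because the target is not a trusted domain. The edit-distance threshold of 2 is a demo setting; in production it is paired with a public-suffix list and a much larger allowlist.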
2. Keep your phone number and company emails as private as possible
- Keeping your attack surface small lowers the chance of being targeted.
- Limit who can publicly view contact information on websites such as LinkedIn.
- Remove any older accounts from websites you don’t use. This can include social media, shopping marketplaces, and other web service accounts.
3. Ensure your devices are up to date regularly
- For some users, smaller security updates may feel less important to install right away. However, these updates often close the very holes that malware delivered through phishing relies on.
- When installing a new update, check the release notes to see which known vulnerabilities it fixes; that tells you how urgent it is.
4. Enable 2FA (Two-factor authentication) when possible
- One of the best methods for limiting the damage of a phishing attack is enabling two-factor authentication on your accounts. This provides an extra verification layer when accessing sensitive applications, so a stolen password alone is not enough to log in. The recommended 2FA method is an authenticator app such as Microsoft Authenticator or Google Authenticator. These apps require users to enter their username and password plus a time-based code generated on a secondary device (usually a smartphone). We recommend authenticator apps over SMS authentication, as SMS codes can be intercepted (for example through SIM swapping) and SMS is one of the least secure methods available. Note that app-generated codes can still be relayed by a real-time phishing page that forwards them to the genuine site within the code's validity window; hardware security keys or passkeys (FIDO2/WebAuthn) bind the login to the real site's domain and are the phishing-resistant option where they are offered.
- Two-factor authentication also works as a security alert for attacks that might otherwise fly under your radar. When your password has been compromised, an unexpected 2FA prompt or alert from your provider tells you someone else is trying to use it. Never approve a prompt you did not initiate.
5. Conduct regular data backups
- Even with proper employee education, you may still fall victim to a phishing attack and have your data encrypted or destroyed. To ensure that you can recover properly, take regular backups of your files. Backing up to your company’s cloud provides some of the best protection against data loss, for example from ransomware, because you can restore what was lost. Keep in mind that a backup does not undo a breach: data the attacker has already copied out is still in their hands.
I may have been targeted by a phishing scam, what do I do?
- Do not click anything further. Contact the head of your security department and let them know you might have been the victim of a phishing attack.
- Disconnect yourself from the network you are using. This could protect other devices currently connected to your network.
- If the attacker is impersonating someone within your company, contact them using a trusted form of communication to check the validity of the message.
- Change the passwords on all of your compromised accounts. If you use the same password on other accounts, change each of them to a unique password as well.
- If the attack involves the loss of money or identity theft, immediately contact local authorities and provide them with as much information as you retain.
Phishing scams are a serious threat to you and your organization. With proper onboarding and ongoing training, you can protect yourself from devastating data loss. Attacks constantly change, and it is important to play a defensive role by staying aware and knowing what to look for. To learn more about the steps we take to keep our users secure at Botsplash, visit our security page or reach out to us for more information.