Updated: Nov 6, 2019
This is the 3rd post in our 2019 National CyberSecurity Awareness Month series.
At Cylidify, we try to solve problems rather than be part of them or create new ones for us to solve. Some of the current cybersecurity "problems" revolve around the proliferation of vendors and tools, the amount of information, and the general noise in the space. From panacea tools to "one size fits all" offerings, businesses and individuals have a lot to sift through!
A key tenet of ours is providing tailored guidance and approaches for you or your business. At a minimum, this means basic interviews and due diligence, but it should also include the additional time required to develop a shared understanding of your specific needs before deep guidance or engagement. [Again, there is no "one-size-fits-all" in cybersecurity or privacy!] Market, risk profile, IT/security maturity, scope/scale, and many other factors (regulations, information sensitivity, etc.) must be factored into any security or privacy approach.
So, we'll keep this post on Phishing short and high-level, but with links to lots of freely available, quality information. However, we are available to help with Phishing training and implementations to fit your risk profile and needs, including a fixed-cost engagement to provide a basic assessment, report, training, and recommended follow-ups.
Wikipedia has a solid definition and great information on Phishing and its various derivatives. To paraphrase, Phishing is "a fraudulent attempt to obtain personal or otherwise sensitive information from an entity or individual under the guise of being a trustworthy, known entity (i.e. spoofing)". Phishing attempts usually come through electronic means (websites, emails, texts, etc.), but can be initiated or augmented by phone calls or direct contacts. They constantly evolve to use new technologies and approaches to gain your trust and capture information. Most also involve some sort of social engineering in their spoofing, utilizing information about you (either publicly available or obtained through nefarious means), all in order to steal information about you or your business. Attackers use this information in follow-up Phishing attempts or in the chain of a larger attack, with the end goal of assuming your identity for authentication and authorization to do nefarious things.
Usually, Phishing involves casting a broad net designed to catch as many people and as much information as possible. As a follow-up to a broad Phish, or for high-value assets, Spear Phishing may be employed, which is simply a targeted and more personal approach. Where a normal Phish may look like an email from your bank or IT department requesting a password reset or a verification of your social security number, a Spear Phish may be a website or email crafted specifically for you. It can even be phone calls or direct contact, depending on the situation. Spear Phishing is most common with executives or those with privileged access (e.g. administrators), but if the asset is attractive enough or there is enough money at stake, attackers are willing to invest the time and energy to do direct targeting.
Ransomware has been "popular" recently, and Phishing is used to help the attacker get the malware introduced into your devices or into systems where you have access. If someone can assume your identity or permissions, even briefly, the results are "bad", ranging from annoying (a Facebook or Twitter take-over) to devastating (such as with Ransomware, or where financial institutions or sensitive business systems are involved).
To combat Phishing, either personally or professionally, Cylidify recommends a balanced approach of education, processes, and tools.
Get educated on what Phishing attempts look like and how they are implemented. Be aware that it is not a matter of if, but when you will be Phished. Be wary and remember that vendors will never ask you for your password or PIN.
Know what to do if you find something you think is a Phish or you have been Phished. Not getting caught is great, but knowing how to respond appropriately and swiftly when you are caught is also necessary.
Utilize Multi-Factor Authentication (MFA). Even if someone has your credentials, if using them requires an additional factor of authentication (authenticator application, security key, phone call or text, etc.), you will have another layer of protection as well as awareness about the attempt so that you can respond.
Tactically invest in tools that have the agility to keep up with the attackers. Email systems that actively block or tag emails which might be Phishing, sanitize links, and scan/quarantine attachments, or browsers that tag sites as suspect or insecure (e.g. not HTTPS), can be invaluable.
Depth and breadth of information: https://www.phishing.org/what-is-phishing
A more personal take from the FTC: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Tools and platforms: