Phishing is a social engineering attack, one that doesn’t attempt to hack a computer system but attempts to hack a person.  Phishing is a type of attack that attempts to get a person to unknowingly take a malicious action.  Phishing is an unsolicited communication via email, text (SMS), or voice (over the phone), examples of each:

• Email – Over time everybody has seen the different types of emails that appear like they are coming from someone within their organization, or someone they know, but are really from a fake account.
• SMS/Text (Known as Smishing) – Over the past few years there has been an increase in the number of text messages that purport to be from a bank, shipping company, or other trusted entity that include malicious links.
• Voice (Known as Vishing) – Includes those calls purporting to be about your extended car warranty, activity on your credit card, or from “tech support” just looking to help with a problem on your computer you didn’t know you had.

The goal varies but may include getting you to install malicious software (Malware) onto your computer, enter your credentials on a site where they can be stolen, or to transfer funds to criminals.

Common terms related to phishing:

• Spear phishing – A phishing attack that is customized to target an individual(s), usually because of their role (i.e., finance, HR, IT admins). Attacker will use publicly available information in their customization.
• Whaling – Advanced type of spear phishing that targets individual(s) because of their high rank, typically members of the C-suite. Attacker may spend weeks or months gathering information about their target to provide a convincing attack.

Recognizing Phishing

The first step in recognizing phishing is being aware that these types of attacks exist and that they target everybody.  Once you are aware that you are constantly a target you can start looking for the phishing attacks that are coming your way.  Phishing usually contains red flags that should raise suspicion and cause you to proceed with additional caution.  The largest red flag is that the communication was unsolicited.  The attacker wants you to perform an action so they initiate the conversation.  They will introduce a problem you did not know you had and a solution to this problem (how convenient!).

These unsolicited communications will be from someone you do not know, even though most times they are spoofed to appear to be from someone you do know.  Be sure to check the “From:” field in the email carefully to make sure the email address of the sender is correct.  If it says the email is from (person you know) with a random Gmail address it is not actually from that person.  Also, look out for fake domains with extra, missing, or swapped out characters.  An email from dopklns.com may look legitimate but a closer look will reveal the lower case “L” rather than an “i” in the name.  This can be done with any company and is done frequently with larger corporations like GoogIe, Microsft, Amaz0n and more. (Did you catch the misspelling in each of those?)

This offered solution leads you to the action they want you to take (click a link, type your password into a website, send money, etc.).  With this action is a false sense of urgency that a negative consequence will occur if the action is not taken soon.  If you do not reset your password in the next 4 hours you will be locked out, click the link to set a new password or Your service will be discontinued if you do not renew by the end of the day, renew at this link.  Other red flags may include: links that don’t go where they state, requests for sensitive information, offers too good to be true (lottery winner, inheritance), and poor formatting/grammar.

Reporting Phishing

Just recognizing phishing is a large task, but is only the first half of this action step.  Once phishing is recognized it cannot be ignored.  Each organization must have a policy and method to report phishing attacks.  Reporting the attacks potentially allows IT staff to block the sender so the same attack does not get to other employees.  They can also follow-up with any employees that did already receive the phishing attempt.  Reporting methods will vary by organization but may include emailing an IT contact/helpdesk, emailing a specific phishing address, calling IT/helpdesk, manually opening an IT support ticket, or adding a button to Outlook that handles reporting the email.  You should make sure you are aware of your organization’s policy for reporting phishing attempts.  If you are responsible for the policy, you should make sure it exists, is updated, and is communicated to your employees.

Barriers to Implementing

If you did not previously know what phishing is and how to recognize attempts, it is very likely the same for your employees.  And even if you did, how confident are you that every employee understands and can recognize phishing?  Providing training to employees is vital.  This training should be offered to all employees when they are hired (or when the program is first implemented) and on an on-going basis.  Recurring training allows updates to be provided as the landscape changes and also acts as a way to keep the reality of phishing at the top of employee’s minds.  Many training platforms include simulated phishing tests which give employees an opportunity to see examples of phishing.  If you are already providing training to employees (or once you implement it) then you can move on to establishing a method for reporting.  Most platforms that offer simulated phishing tests also offer a solution for reporting phishing attempts.  It is then up to you to decide where these reports go and how they are handled.  Technology exists that will automatically react by blocking sources of phishing and can even remove emails from inboxes.  Without this technology there should at least be a policy to manually react to reported phishing.

Check out our Cybersecurity Awareness Month 2022 page for more resources.