See Yourself in Cyber: Recognize and Report Phishing

October 20, 2022 | Authored by Patrick M. Rost, CISSP, CMMC-AB RP

October is Cybersecurity Awareness Month: Here Are 4 Things You Can Do

[Image: text boxes showing the 4 steps everyone should take: Enable Multi-Factor Authentication, Use Strong Passwords, Recognize and Report Phishing, Update Your Software]

For the past 19 years, October has been recognized as Cybersecurity Awareness Month in the United States. This year the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have collaborated to create a campaign designed to provide information and resources to help educate the public. Their campaign theme, “See Yourself in Cyber,” reinforces the human element of cybersecurity. With this campaign they have established four things you can do to improve your cybersecurity posture. To support this campaign, Dopkins & Company has released a weekly blog discussing each of these topics:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords
  3. Recognize and Report Phishing
  4. Update Your Software

Get a printer-friendly PDF of all 4 articles here.

While reading these blogs keep the theme (See Yourself in Cyber) in mind.  Each of these key action steps is something YOU can do to increase Cybersecurity at home, work, and school.  While each blog will discuss the actions individuals should take, they will also touch on how businesses can help their employees succeed with each action.

You can view the campaign directly on CISA’s website at https://www.cisa.gov/cybersecurity-awareness-month.

Defining phishing

In 2021, phishing was the second most frequent and second most costly initial attack vector. In addition, 91% of successful data breaches started with a spear phishing attack.

Phishing is a social engineering attack: one that doesn’t attempt to hack a computer system but attempts to hack a person. It tries to get a person to unknowingly take a malicious action. Phishing arrives as an unsolicited communication via email, text (SMS), or voice (over the phone). Examples of each:

  • Email – Over time everybody has seen the different types of emails that appear to come from someone within their organization, or someone they know, but are really from a fake account.
  • SMS/Text (Known as Smishing) – Over the past few years there has been an increase in the number of text messages that purport to be from a bank, shipping company, or other trusted entity that include malicious links.
  • Voice (Known as Vishing) – Includes those calls purporting to be about your extended car warranty, activity on your credit card, or from “tech support” just looking to help with a problem on your computer you didn’t know you had.

The goal varies but may include getting you to install malicious software (Malware) onto your computer, enter your credentials on a site where they can be stolen, or to transfer funds to criminals.

Common terms related to phishing:

  • Spear phishing – A phishing attack that is customized to target an individual or group, usually because of their role (e.g., finance, HR, IT admins). Attackers use publicly available information in their customization.
  • Whaling – An advanced type of spear phishing that targets individuals because of their high rank, typically members of the C-suite. Attackers may spend weeks or months gathering information about their target to produce a convincing attack.

Recognizing Phishing

The first step in recognizing phishing is being aware that these types of attacks exist and that they target everybody.  Once you are aware that you are constantly a target you can start looking for the phishing attacks that are coming your way.  Phishing usually contains red flags that should raise suspicion and cause you to proceed with additional caution.  The largest red flag is that the communication was unsolicited.  The attacker wants you to perform an action so they initiate the conversation.  They will introduce a problem you did not know you had and a solution to this problem (how convenient!).

These unsolicited communications will be from someone you do not know, even though most times they are spoofed to appear to be from someone you do know. Be sure to check the “From:” field in the email carefully to make sure the email address of the sender is correct. If it says the email is from Patrick Rost with a random Gmail address, it is not actually from me. Also, look out for fake domains with extra, missing, or swapped-out characters. An email from dopklns.com may look legitimate, but a closer look will reveal the lowercase “L” rather than an “i” in the name. This can be done with any company and is done frequently with larger corporations like GoogIe, Microsft, Amaz0n and more. (Did you catch the misspelling in each of those?)
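The look-alike domain check described above can be automated. The following is an added example (not code from the article or from Dopkins): it folds the confusable characters mentioned in the text (lowercase L for i, capital I for l, zero for o) into one skeleton, then uses edit distance to catch dropped letters such as "Microsft". The trusted-domain list and the sample From: headers are constructed for the example.

```python
"""Flag look-alike sender domains in a From: header (added example)."""
import unicodedata
from email.utils import parseaddr

# Domains the organisation actually corresponds with (constructed sample list).
TRUSTED_DOMAINS = ("dopkins.com", "google.com", "microsoft.com", "amazon.com")

# Characters attackers swap for look-alikes are folded into one class, so that
# "dopklns" (lowercase L) and "dopkins" produce the same skeleton, as do
# "GoogIe" (capital I) and "google", and "Amaz0n" (zero) and "amazon".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "i": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Case-fold, undo Unicode compatibility tricks, fold confusable characters."""
    folded = unicodedata.normalize("NFKC", domain).casefold()
    return folded.replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch dropped or added letters like 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the address in a From: header.

    The display name is ignored on purpose: "Patrick Rost <x@gmail.com>" is judged
    by gmail.com, not by the name the sender typed.
    """
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if not domain:
        return "unknown"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    target = skeleton(domain)
    for t in trusted:
        if edit_distance(target, skeleton(t)) <= max_distance:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a reporting trigger, not proof of fraud; an "unknown" verdict (the random Gmail case) simply means the sender is not who the display name claims.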

This offered solution leads you to the action they want you to take (click a link, type your password into a website, send money, etc.). Paired with this action is a false sense of urgency: a negative consequence will occur if the action is not taken soon. “If you do not reset your password in the next 4 hours you will be locked out, click the link to set a new password,” or “Your service will be discontinued if you do not renew by the end of the day, renew at this link.” Other red flags may include: links that don’t go where they state, requests for sensitive information, offers too good to be true (lottery winner, inheritance), and poor formatting/grammar.

Reporting Phishing

Just recognizing phishing is a large task, but it is only the first half of this action step. Once phishing is recognized it cannot be ignored. Each organization must have a policy and method to report phishing attacks. Reporting the attacks potentially allows IT staff to block the sender so the same attack does not reach other employees. They can also follow up with any employees that did already receive the phishing attempt. Reporting methods will vary by organization but may include emailing an IT contact/helpdesk, emailing a specific phishing address, calling IT/helpdesk, manually opening an IT support ticket, or adding a button to Outlook that handles reporting the email. You should make sure you are aware of your organization’s policy for reporting phishing attempts. If you are responsible for the policy, you should make sure it exists, is updated, and is communicated to your employees.

Barriers to Implementing

If you did not previously know what phishing is and how to recognize attempts, it is very likely the same for your employees. And even if you did, how confident are you that every employee understands and can recognize phishing? Providing training to employees is vital. This training should be offered to all employees when they are hired (or when the program is first implemented) and on an ongoing basis. Recurring training allows updates to be provided as the landscape changes and also acts as a way to keep the reality of phishing at the top of employees’ minds. Many training platforms include simulated phishing tests, which give employees an opportunity to see examples of phishing. If you are already providing training to employees (or once you implement it), then you can move on to establishing a method for reporting. Most platforms that offer simulated phishing tests also offer a solution for reporting phishing attempts. It is then up to you to decide where these reports go and how they are handled. Technology exists that will automatically react by blocking sources of phishing and can even remove emails from inboxes. Without this technology there should at least be a policy to manually react to reported phishing.

Check out our Cybersecurity Awareness Month 2022 page for more resources.  If you would like to have a conversation about implementing phishing recognition and reporting training at your business contact Patrick Rost, CISSP [prost@dopkins.com].

About the Author

Patrick M. Rost, CISSP, CMMC-AB RP

Patrick assists clients with improving their cyber security from a technical perspective. With nearly 10 years of information technology experience in a variety of industries, he is well-suited to assist clients in implementing, maintaining and protecting their computer networking environments.
