Phishing is back on the rise, with this year’s focus switching from individual targets to organizations. With that shift, the phishing campaigns are becoming more sophisticated, using HTTPS encryption to prevent detection, and preying on brand trust and social media to keep users’ guard down. As we become inundated with new cloud applications and services, it is easy to become numb to new login screens, or tiny changes to brand logos and phrases that may have once caught your eye.
These phishing campaigns are no longer easy to spot due to broken English (or Spanish, German, etc.), and have become exceptionally well written. Moreover, links provided in online advertisements, Snapchats, Facebook, Twitter, or other platforms are equally open to abuse as traditional email. Therefore, it is important to reflect on a few simple rules to stay safe when using communication tools:
- Do not click on links from sources you do not recognize. If you would like to visit the site, either hover over the link to make sure it goes where the link text suggests it will, or copy link text and paste it into a browser yourself.
- Even if you do recognize the sender, be mindful of opening attachments or links you were not expecting. After all, it is unlikely your friend or colleague really is trying to share $1,000,000 with you.
- When in doubt, pick up the phone and call the other party. Do not use the number they provide to you, but use your favorite search engine to lookup a number you are unsure of, or use your local contact information.
- Use two-factor authentication (TFA) wherever you can. TFA will protect you in the event your password is stolen or compromised, because it requires the use of a software or hardware token (i.e. factor) to complete your login, which is something the attacker will not have. Many of the popular online services support TFA now, and it is very convenient to use.
- Keep your software and operating system up to date, and enable the native security controls like disk encryption, password protected screensavers, and event logging. The majority of successful attacks leverage software vulnerabilities that have been known about for more than six months.
For those that would like to read more about phishing, the US Federal Trade Commission has an excellent article posted on their website.
Post Date: 5/31/2018