Today, I want to talk about a piece of security that is getting hit harder than before: phishing and whaling.
Often times when people think of information security, they think of all these technical controls like buying this next gen firewall and state of the art IDS, but as you come to find out, it’s often people that are the weakest link in security. And with people, you can’t just magically buy some hardware to fix them.
People require training and reminders to stay aware. It’s not a one-time thing that you tell a user and expect them to be perfect. But we’ll cover a bit of that later in this post.
For now, let’s talk about phishing. Quoting Wikipedia,
“Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”
You know those e-mails that come from some Prince in Nigeria or those e-mails that ask you for your SSN or username and password? Those are phishing e-mails.
Phishing e-mails can sometimes be hard to spot. And along with phishing, there’s spear phishing and whaling. You may think to yourself that you’d never send your money to someone without calling, but you can’t expect the same from all your employees.
I saw this one Dilbert comic:
A phishing campaign isn’t going to trick everyone and the fraudsters know this. They only need to trick a few. Then they can make away with their “winnings.”
So, you can see why this is such a big matter to worry about. Now, let’s throw in a real world example to show you it happens in real life and can cause big damage.
In recent news, the City of El Paso was scammed out of $3.3 million in a phishing scam.
You can find the full story here:
$3.3 million isn’t exactly pocket change.
So…now…what can we do about it?
- Make sure the e-mail is coming from the correct location:
- Check headers.
- If requiring sensitive information or financial transfer, call to verify validity of the sender.
- Check for misspellings, bad grammar, and/or anything that looks fishy (phishy).
- If it looks like it is from a known site, instead of clicking the links provided in the e-mail, navigate manually to the site.
- Watch out for subdomains. www.walmart.fakedomain.com is not the same as www.walmart.com
Things to consider:
- Were you expecting an e-mail?
- Were you expecting an attachment? Attachments can have added malware on/in them.
- Is this information that the sender should really have?
Now, you should have a familiarity with phishing. This is the start. Continue to grow your security knowledge and awareness and help others do the same. The best way to stay secure is to continue to learn and do best security practices.
Keep your employees trained.