Let’s go Phishing.

phishing

noun

  1. The act of sending email that falsely claims to be from a legitimate organization. This is usually combined with a threat or request for information: for example, that an account will close, a balance is due, or information is missing from an account. The email will ask the recipient to supply confidential information, such as bank account details, PINs or passwords; these details are then used by the owners of the website to conduct fraud.
  2. The act of circumventing security with an alias.

If you read my previous post (Cybersecurity prevention is like Whack-a-mole), you will have seen that a large part of defending your organisation against malicious people and organisations comes down to people, and to them having the knowledge and awareness to assess suspicious activities.

The methodology of phishing is not new. In the late 1990s there were already incidents in which infected emails made it into organisations and caused security breaches. The countermeasures available back then were mainly technical: email servers and antivirus software could intercept such emails and stop them in their tracks. A phishing campaign these days is more targeted; it aims to circumvent security measures by luring unsuspecting people into digital traps where they hand over detailed information, and possibly even credentials, that let the attacker bypass whatever measures have been put in place to prevent exactly this.

There are two ways this can happen: either via so-called social engineering, or by luring people into clicking links and filling out forms. The social engineering part often happens via cold-calling, trying to establish some sort of trust with the person in question. As soon as that trust is established, various questions can be expected, aimed at obtaining personal and financial details. Once a scammer has obtained the information he needs, there are a variety of ways things may play out, but in essence it mostly comes back to trying to extort money from the victim.

When it comes to phishing emails, the trick is to try to understand the email that has been sent to you and see whether it makes any sense. If you have never dealt with payment providers such as Western Union, or are not a customer of a certain bank, any email that apparently originates from these organisations is most likely a phishing attempt. The only way to handle these is to simply delete them or report them as spam with your provider. Some providers do have that option, but most do not.

Another way to handle these emails is to use a provider that specialises in this. EvL Consulting has teamed up with KnowBe4, the market leader in analysing phishing emails, creating advanced rulesets around them using ML technology and integrating these into your email solution provider, such as Google or Microsoft.

The phishing tactics are then also sent directly to the training section, so they can be used in an awareness campaign for your employees. This not only gives you an option to detect and prevent phishing email from having an adverse effect on your organisation, but also a way to raise the knowledge level of your employees and help fend off these criminals.

Try your phishing resilience over here. (If you're located in the EU click here, or if you are located in Germany please click here.) This is a great way to start analysing the susceptibility of your organisation and move towards a significant improvement in your cyber-security posture.

Kind regards,
Erwin van Londen
