
Recognizing And Minimizing Phishing Exploits

Summary: This article serves to clarify the terms and explain the manner in which social engineering can impact a person or company, and offer some suggestions on how to safeguard sensitive data. ...


Article Content


Symptoms

Social Engineering – Recognizing Phishing / Whaling attempts

 


 

What is Phishing?

Phishing is the act of fraudulently contacting multiple individuals or companies in an attempt to obtain unauthorized access to sensitive and/or personal information. Phishing is a broad attack, using general information to elicit a response from a targeted entity rather than specifically targeting any one individual. Using generalizations in the attempt allows the attacker to seem trustworthy through familiarity without having any specific details about the targeted entity. The request to obtain information may seem trivial at the time, but any information obtained could be used later in an attempted theft of a victim's actual important information. Successful Phishing attempts may lead to Spear Phishing attacks.

 


What is Spear Phishing?

Spear Phishing is the targeting of a specific individual in the hopes of obtaining sensitive and/or restricted information. It is similar to Phishing, but the attack is aimed at a specific entity that the attacker already has some level of familiarity with. Attackers may use information obtained through a Phishing attack and will usually already know the name, address, email and phone number of the victim prior to the initial contact. A Spear Phishing target can be given seemingly confidential information to build a trust relationship with the target. This information usually arrives by way of a seemingly trustworthy source before any information is requested, and ultimately leads to data theft. Successful Spear Phishing attacks may lead to Whaling attacks.

 


What is Whaling?

Whaling is a term used for corporate-level Phishing attempts. Taking the Spear Phishing approach to a higher level, Whaling targets are usually in upper-level management or hold access to very valuable restricted information. Many of the same Spear Phishing tactics are used in Whaling attempts, but the attacker will be very familiar with the target prior to making contact. Communications will appear highly professional.

 


What can I do to help protect myself from Phishing exploits?

  1. Don’t respond to any e-mails that request personal and financial information. Contact the company directly if you are suspicious of an e-mail.
  2. Visit websites directly through the browser URL bar, not via links in an e-mail.
  3. Keep a regular check on your accounts and don’t recycle passwords.
  4. Make sure any website requesting personal information is secure. https should be at the beginning of the website URL address on any site where you enter personal information. The "s" in https stands for secure. If you don't see https, it is not a secure site, and you should not enter sensitive information.
  5. Help keep your computer secure by using up-to-date security, malware and anti-virus software.
  6. Avoid entering personal or financial information into pop-up windows since they are not always secure.
  7. Keep your Microsoft® Windows® software up to date with automatic Windows Update.
  8. Don't open unexpected file attachments received in e-mail. Similar to fake links that redirect to an attacker's resource, attachments are often used in fraudulent e-mails and can be dangerous. Opening an attachment in a phishing e-mail could cause you to download spyware or a virus.
  9. If in doubt, always request and validate the credentials of the person and/or company that is contacting you. Again, contact the company directly if you have concerns rather than responding to a request for information.
  10. Links like www.faceb00k.com should not be misread as www.facebook.com. Validate the legitimacy of links by ensuring the link is genuine and has not been slightly altered to resemble a familiar website while actually redirecting to a malicious website. Common substitute values include "O" instead of "0", "1" instead of "l" or "8" instead of "B". If in doubt, double check before providing secure credentials.

 

NOTE: Suggestions for avoiding Phishing exploits are provided in an attempt to help ensure sensitive data isn't put at risk unnecessarily. They are not intended to be a comprehensive guide or to address all possible exploit variations (i.e., some social engineering exploits are performed in SMS text or in person rather than by e-mail). Vigilance in safeguarding your sensitive data applies to all avenues of contact.
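The link checks in tips 4 and 10 can be automated for links pulled out of a message; the following is an added example, not part of the original article or any Dell tool. The trusted-domain list, the example-bank.com placeholder and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains this user really does business with (constructed list).
TRUSTED = {"facebook.com", "example-bank.com"}

# Digit-for-letter swaps named in tip 10, mapped to the letter they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "8": "b"})

def split_link(url):
    """Return (scheme, host) in lower case, with any leading 'www.' removed."""
    parts = urlsplit(url)
    if not parts.netloc:                 # bare "www.site.com" has no scheme
        parts = urlsplit("//" + url)
    host = (parts.hostname or "").lower()  # hostname ignores "user@" prefixes
    if host.startswith("www."):
        host = host[4:]
    return parts.scheme.lower(), host

def check_link(url):
    """Classify a link as 'trusted', 'insecure', 'lookalike' or 'unknown'."""
    scheme, host = split_link(url)
    if host in TRUSTED:                  # exact match only, never a substring
        return "trusted" if scheme == "https" else "insecure"
    if host.translate(CONFUSABLES) in TRUSTED:
        return "lookalike"               # becomes a trusted name once un-swapped
    return "unknown"

# Constructed sample links, as they might appear in a suspicious e-mail.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com/login",
    "www.faceb00k.com",
    "https://www.facebook.com@faceb00k.com/",
    "https://examp1e-8ank.com/verify",
    "https://facebook.com.login.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{check_link(link):10} {link}")
```

A "trusted" result only means the host matches the list exactly and the link uses https. https on its own says nothing about who runs the site, which is why the lookalike check runs regardless of scheme.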
 
 

 

 

Article Properties

Affected Product: Security
Last Published Date: 19 Aug 2021
Version: 4
Article Type: Solution