If you want to catch a fish, you need to have the necessary tools like a fishing pole, bait, and hooks. You also need to go to a fishing spot. Catching a fish requires time, energy, and physical exertion.
Phishing—a social engineering attack that cyber-attackers use to solicit your personal information—requires neither physical activity nor long hours of work. It is a popular way for attackers to obtain personal information and use it for malicious ends, and it is a profitable business that is only getting bigger. In 2015, the Ponemon Institute calculated the cost of a phishing incident to be approximately $3.7 million per incident. Bottom line: phishing is a significant issue.
The first week of National Cyber Security Awareness Month at UALR is dedicated to preventing damage from phishing attacks.
What is phishing?
Phishing is an attempt to trick you into taking an action that can put your information at risk. Originally, phishing referred to email attacks aimed at stealing your online username and password. The term has since evolved and now refers to almost any message-based attack via email, instant messaging, or social media posts that requests some form of personally identifiable information. These attacks begin with a cyber-criminal sending a message that pretends to be from someone or something you know, such as a friend, your university, your employer, your bank, or a well-known store. The design of the messages varies—some are easy to recognize as phishing, while others require deeper investigation—and such messages may, on the surface, look completely legitimate.
These messages entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam. Cyber-criminals craft convincing-looking emails and send them to millions of people around the world. The criminals do not know who will fall victim; they simply know that the more emails they send out, the more people they will have the opportunity to hack.
Why should I care?
You should realize that you are a very valuable phishing target while at the university, at work, and at home. Your devices and information are worth a tremendous amount of money to cyber-attackers, and they will do anything they can to hack them. According to a Cyber Threat Alliance report, CryptoWall version 4—a well-known data-encrypting (ransomware) attack distributed and initiated by phishing emails—victimized more than 36,000 organizations. Symantec also reported that more than 430 million new pieces of malware were detected in 2015.
What is spear phishing?
The concept is the same as phishing, except that instead of sending random emails to millions of potential victims, cyber-attackers send targeted messages to a select few individuals. With spear phishing, the cyber-attackers research their intended targets, reading the intended victims’ LinkedIn or Facebook accounts or any messages posted on public blogs and forums. Based on this research, attackers then create a highly customized email that appears relevant to the intended targets, increasing the likelihood that those individuals fall victim to the scam.
How to detect a phishing attempt
When you receive an unexpected email, follow these steps to determine whether or not it is a phishing attempt.
- Check the sender’s email address.
  This is one of the most important indicators of a phishing email. For example, if you receive an email from one of your colleagues, make sure the actual email address (not just the display name) ends with “@ualr.edu”. The address must also contain the correct user name of your colleague. If the address is different from a legitimate ualr.edu address, discard the email without taking any additional action.
- Check the grammar of the message.
  Many phishing messages contain poor grammar and spelling; this is another indication of a phishing attack.
- Look for generic salutations.
  Although spear (targeted) phishing attacks may use specific names or salutations, phishing messages often use generic salutations like “Dear Customers” or “Dear Students”. Look for other suspicious phrases like “Immediate/immediately”, “immediate action”, “required”, “very important”, “do not disregard”, “password”, or “account”.
- Check the link before clicking it!
  Most phishing messages contain a link. Do not click any link in an email unless you are certain it is a valid link. If you are still not sure whether the message is a phishing attempt, open the message on a desktop computer and hover your cursor over the link without clicking it. This displays the actual address the link would take you to. If the link looks suspicious or does not match what you expect, do not click it.
- Be wary of opening attached files.
  Some phishing messages contain an attachment. Do not open any attachment unless you are certain the email is legitimate. In addition to identity theft attempts, attachments may contain malicious code that could infect your system.
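The checklist above can also be applied by software. The following is an added example (not from UALR or the original article) that runs the sender-domain, salutation, pressure-phrase and link-hover checks over two constructed sample messages; the grammar check is left to the human reader, and ualr.edu is assumed as the trusted domain only because the checklist uses it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "ualr.edu"  # the legitimate domain the checklist above names (assumed here)
GENERIC_SALUTATIONS = ("dear customer", "dear student", "dear user")
PRESSURE_PHRASES = ("immediate", "required", "very important", "do not disregard", "password", "account")

# Constructed sample messages (not real mail): one phish, one legitimate note from a colleague.
PHISHING_SAMPLE = """\
From: UALR IT Support <support@ualr-edu-helpdesk.example.com>
Subject: Immediate action required

<p>Dear Students,</p><p>Your account password expires today. Do not disregard this notice.
Verify at <a href="http://ualr-edu-helpdesk.example.com/verify">https://my.ualr.edu/password</a></p>
"""
LEGITIMATE_SAMPLE = """\
From: Jane Doe <jdoe@ualr.edu>
Subject: Lab meeting moved

<p>Hi Sam,</p><p>The lab meeting moves to 3 pm. Agenda: <a href="https://my.ualr.edu/lab">https://my.ualr.edu/lab</a></p>
"""

def hostname(url):
    """Host part of a URL or bare 'www.example.com' text; '' when the text is not an address at all."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw_email):
    """Run the checklist over one raw message and return the indicators that fire ([] = none)."""
    msg = message_from_string(raw_email)
    hits = []
    # Step 1: the address itself must end in the trusted domain; the display name proves nothing.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.rsplit("@", 1)[-1] != TRUSTED_DOMAIN:
        hits.append(f"sender {sender!r} is not a {TRUSTED_DOMAIN} address")
    html = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    # Step 3: generic salutation, and two or more of the pressure words the checklist lists.
    if any(s in text for s in GENERIC_SALUTATIONS):
        hits.append("generic salutation")
    pressure = [p for p in PRESSURE_PHRASES if p in text]
    if len(pressure) >= 2:
        hits.append("pressure language: " + ", ".join(pressure))
    # Step 4: the 'hover' check, visible link text versus the real href (simple regex for plain anchors).
    for href, shown in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        if hostname(shown) and hostname(shown) != hostname(href):
            hits.append(f"link text shows {hostname(shown)} but points to {hostname(href)}")
    return hits
```

Run `phishing_indicators(PHISHING_SAMPLE)` to see all four indicators fire on the sample phish, while the legitimate colleague note returns an empty list.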