Phishing is a type of scam in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure you or a group of people into providing sensitive information or network access. The lures can come in emails, text messages or phone calls. If successful, this technique can give threat actors initial access to your personal information or to a network, affecting the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection or ransomware.
Don’t be a victim! You can prevent phishing success and limit its negative impacts, should initial access occur. Here’s how this adversarial technique works:
The Bait
Threat actors pose as friends, relatives, colleagues, acquaintances, or reputable organizations and solicit sensitive information or lure victims into downloading and executing malware. Bait typically consists of an email with a subject line that entices the user into opening it, e.g., an alert, a required action, a request for information, or a prize or special offer that is commonly too good to be true.
The Hook
A single bite can lead to successful exploitation. Threat actors set multiple hooks to increase their chance of success and then wait for a victim to take the bait. A study conducted by the Cybersecurity and Infrastructure Security Agency (CISA) in government organizations and corporations found that when the bait was distributed widely across a large organization, it was highly likely that at least one individual fell victim to the phishing attempt. The study also found that 1 in 10 recipients opened a malicious attachment or clicked a malicious link.
The Catch of the Day
Threat actors are successful when individuals and companies have not properly protected their computers and networks. Some statistics from the study: 70% of attached files or links containing malware were not blocked by network protection services. 15% of malicious attachments or links were not blocked by endpoint protections set up to reduce malware exposure. 84% of employees took the bait within the first 10 minutes of receiving the malicious email. And only 13% of targeted employees reported the phishing attempt.
How to Fight Phishing
Block the Bait
Companies and individuals should strengthen their network protections, firewalls and security software.
Companies can configure their email servers to use sender-authentication protocols (SPF, DKIM and DMARC) that verify the legitimacy of incoming email. Individuals should take caution when opening emails from unknown sources, be aware of how their banks, government agencies and other organizations communicate with customers, and stop and think before taking the bait from a tempting but suspicious communication. A few seconds of thought may save you a lot of repair work.
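The sender-verification step described above, shown as an added example (this is not code from CISA or from the original page): a receiving mail server evaluates a message against the sending domain's published DMARC policy, using the SPF and DKIM results it already recorded in the Authentication-Results header. The DMARC record, the two Authentication-Results headers and the domains are constructed sample data, and the organizational-domain derivation is simplified to the last two labels (a production filter would consult the Public Suffix List).

```python
import re

# --- Constructed sample data (not real domains, records or headers) ---
DMARC_EXAMPLE_COM = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
# A legitimate message: SPF passes for a subdomain, DKIM passes for the org domain.
AUTH_LEGIT = "mx.example.net; spf=pass smtp.mailfrom=bulk.example.com; dkim=pass header.d=example.com"
# A spoofed message: SPF passes, but for the attacker's own domain; no DKIM signature.
AUTH_SPOOF = "mx.example.net; spf=pass smtp.mailfrom=attacker-mail.invalid; dkim=none"


def parse_tag_value_list(record: str) -> dict:
    """Parse a DMARC-style 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption;
    real implementations use the Public Suffix List, e.g. for 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match with the
    From domain; relaxed ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return organizational_domain(authenticated_domain) == organizational_domain(from_domain)


# Matches e.g. "spf=pass smtp.mailfrom=bulk.example.com" or "dkim=pass header.d=example.com".
_AUTH_RE = re.compile(r"(spf|dkim)=(\w+)\b.*?(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", re.I)


def parse_authentication_results(header: str) -> dict:
    """Extract {'spf': (result, domain), 'dkim': (result, domain)} from an
    Authentication-Results header. The first clause is the authserv-id and is skipped."""
    results = {}
    for clause in header.split(";")[1:]:
        m = _AUTH_RE.search(clause)
        if m:
            domain = m.group(3).rpartition("@")[2]  # drop a local-part if one is present
            results[m.group(1).lower()] = (m.group(2).lower(), domain)
    return results


def dmarc_disposition(from_domain: str, auth_results_header: str, dmarc_record: str) -> tuple:
    """Return (dmarc_result, action): dmarc_result is 'pass', 'fail' or 'none'
    (no policy published); action is 'deliver', 'quarantine' or 'reject'."""
    tags = parse_tag_value_list(dmarc_record) if dmarc_record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "deliver")  # no DMARC policy: nothing to enforce

    results = parse_authentication_results(auth_results_header)
    spf_result, spf_domain = results.get("spf", ("none", ""))
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))

    # DMARC passes if either SPF or DKIM passed AND its domain aligns with the From domain.
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")

    policy = tags.get("p", "none").lower()
    # The subdomain policy ('sp') applies when the From domain is a subdomain of the org domain.
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    action = {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return ("fail", action)


if __name__ == "__main__":
    for label, hdr in (("legitimate", AUTH_LEGIT), ("spoofed", AUTH_SPOOF)):
        print(label, dmarc_disposition("example.com", hdr, DMARC_EXAMPLE_COM))
```

The spoofed message is the important case: SPF "passes" because the attacker publishes a valid SPF record for a domain they control, but that domain does not align with the From header the victim sees, so DMARC fails and the published p=reject policy blocks the message. With a p=none record the same message would be delivered, which is why publishing a policy matters as much as checking one.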
Don’t Take the Bait
Companies should educate employees to recognize common phishing ploys, and individuals should stay informed of new waves of phishing attempts by using the information provided by various groups and agencies that report new scams.
Report the Hook
Whether you’re in a corporation or at home, you should always report scam attempts to the proper authorities, and take extra care not to forward the malicious emails to others.
CISA conducts cybersecurity assessments for federal and critical infrastructure partners to reduce their vulnerability exposure and risk of compromise. To learn more about CISA services, contact central@cisa.dhs.gov.