Phishing 101: Protection for Everyone
Every October, we celebrate National Cybersecurity Awareness Month (NCSAM). This NCSAM, the five weeks of October are focused on five separate cybersecurity themes: simple steps to online safety, cybersecurity in the workplace, prediction for tomorrow’s internet, consider a career in cybersecurity, and critical infrastructure. Cybersecurity still seems like a foreign and daunting subject for many businesses. Cybersecurity, however, is an increasingly important topic for everyone to understand, and NCSAM is the perfect opportunity to learn.
At Cisco, we love NCSAM! As cybersecurity experts, we are here to help provide awareness to both businesses and individuals. Cybersecurity is not just for businesses. Everyone who connects to the internet of things needs to be aware of cybersecurity. For this reason, week one of NCSAM focuses on simple steps to online safety. While there are many steps individuals can take, we want to prioritize email security. More specifically, individuals need to understand the dangers of phishing attacks.
What is Phishing?
Phishing is the malicious practice of sending fraudulent communications that appear to come from a reputable source with the intent to steal sensitive data or install malware. It is usually done through email. These attackers are very clever. Sophisticated social engineering attacks can look identical to emails that users frequently receive from their banks, employers, etc. Within a phishing email, there will be a call-to-action to click a link or provide credentials. Simply clicking the link can authorize the installation of malware.
How do I defend myself?
Typically, email security requires two components: a multi-layered threat defense and user education. Businesses may have thousands of users capable of falling for a phishing attack, and they can invest in multi-layered solutions. A sophisticated email security solution paired with advanced malware protection (AMP) and ransomware defense measures can protect them. Individuals looking for security at home probably cannot buy commercial-grade solutions. Educating themselves on phishing, however, can go a long way in protecting their devices from theft.
Here are a few tips for individuals that are concerned:
- Prior to clicking any link in your email, verify the domain name. Make sure the link really goes to the source it claims to come from. Rather than Cisco[dot]com, it may actually be Cisc0[dot]com. According to the 2018 Cisco Annual Cybersecurity report, there were 101,934 total phishing URLs and 8,445 total phishing domains in March 2017.
- Ask “Does this make complete sense?” Attackers often try to lure victims by claiming they won a sweepstakes or some other competition, and they demand immediate action: a click to claim your prize. Before acting, ask if it makes sense. If you never entered a sweepstakes or competition, it is probably fake.
- Call to confirm. Some phishing emails will disguise themselves as coming from your bank or insurance company and ask for information or include a call-to-action. Some might claim there was a breach, and they need information from you to act. Before providing any information, dial your bank or insurance representative and ask them. If there is an emergency, they will know.
- Adjust email filters. If you do recognize a phishing attempt, be sure to filter the email out. Do not respond; a response simply confirms your email address. Rather, just flag the message as spam so that you do not see any more emails from that domain.
- If you clicked the link, contact a security professional. If you did fall for a phishing attempt, consider calling a security professional. The cost of some help is negligible compared to the damage of someone stealing bank information.
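The domain check from the first tip above can also be automated. The following is an added example, not Cisco's code: it compares a link's host against a short list of trusted domains and flags digit-for-letter swaps such as Cisc0 and, going slightly beyond the article's case, names that are one typo away. The trusted list, the swap table and the sample links are assumptions constructed for illustration.

```python
"""Flag link hosts that imitate a trusted domain (added, constructed example)."""
from urllib.parse import urlsplit

# Assumption: the reader's own list of domains they really do business with.
TRUSTED = {"cisco.com", "example-bank.com"}
# Digit-for-letter swaps of the kind the article shows (Cisc0 for Cisco).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def link_host(url: str) -> str:
    """Return the lowercase host of a link, undoing '[dot]' defanging first."""
    url = url.replace("[dot]", ".").replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url  # bare host: add a scheme so urlsplit parses it
    return urlsplit(url).hostname or ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only the previous row in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    host = link_host(url)
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    norm = host.translate(CONFUSABLES)
    for good in sorted(TRUSTED):
        canon = good.translate(CONFUSABLES)
        if norm == canon or norm.endswith("." + canon):
            return f"lookalike of {good}"  # same name after undoing the swaps
        if edit_distance(host, good) == 1:
            return f"lookalike of {good}"  # one typo away from the real name
    return "unknown"


# Constructed sample links, defanged the way the article writes them.
SAMPLES = ["https://www.cisco[dot]com/security", "http://Cisc0[dot]com/login",
           "ciscco[dot]com", "https://example[dot]org/"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:36} -> {classify(link)}")
```

An "unknown" result only means the host resembles nothing on the trusted list; it is not a verdict that the link is safe.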
Always be ready
For individuals, these simple steps can help protect you. They are not a complete solution, but they are helpful. Continue to learn about practices that can increase the cybersecurity of your household. If you have additional questions, reach out to a security professional.
For businesses, educate your employees on simple tips like these. Just know that these are not sufficient for a business. Even small businesses have many more access points to their network. The attack surface of a business is much greater than that of a home, so businesses must deploy a multi-layered threat defense. With Cisco Advanced Phishing Protection, you can stop identity-deception-based attacks such as social engineering, forged email, and business email compromise. Combined with Cisco Talos threat intelligence, Cisco Advanced Phishing Protection uses advanced machine learning techniques to bring trust to your organization’s inboxes.