A friendly, year end, anti-phishing refresher


With the end of the year coming and with the increase in phishing attempts due to the holidays, we thought it would be a good time to post this refresher on phishing, and the things you can do to protect yourself from it. In this post, we’ll discuss what phishing is, how it works, and what you can do to protect yourself and your organization from these types of attacks.

What is phishing?

Phishing is a type of cybercrime in which attackers send fake emails or texts, or create fake websites, in an attempt to trick people into giving them sensitive information such as passwords, bank account numbers, or credit card details. These attacks often appear to come from legitimate sources, such as banks, government agencies, or well-known companies, and are designed to look and feel authentic.

One common type of phishing attack is called “spear phishing,” in which attackers target specific individuals or organizations and craft their attacks to appear as if they are coming from someone the victim knows or trusts. For example, an attacker might send an email to an employee of a company, pretending to be the CEO, and ask for login credentials or sensitive financial information.

Attackers can also send URLs that are mistyped, commonly referred to as “typosquating”.

For example typosquat-example

These site addresses look correct at first, but when strictly evaluated have almost imperceptible spelling typos that direct victims to the attackers website. These sites can look exactly like the legitimate websites , but are fakes that can trick victims into entering sensitive data, or can use malware, to infect a victim’s device and steal sensitive information.

How does phishing work?

Phishing attacks most often rely on social engineering tactics to convince victims to give away sensitive information. These tactics can include creating a sense of urgency or fear, using language or tone that is persuasive or threatening, or pretending to be someone the victim knows or trusts. Using these tactics, attackers create an illusion of legitimacy that gives victims a false sense of security, and causes them to visit phony web sites, respond to questionable email or install software that they would otherwise know was harmful.

What can you do to protect yourself from phishing attacks?

Here are eight quick tips you can use to protect yourself and your organization from phishing attacks:

  • Be cautious of emails or texts that ask for personal information or login credentials. Legitimate organizations will never ask for this information via email or text.
  • Be suspicious of emails or texts that contain urgent or threatening language. This is a common tactic used by attackers to create a sense of urgency or fear.
  • Check the URL of websites you send personal information to and ensure they are correct. Also, look for the padlock icon in the address bar to confirm the site is secure.
  • Use strong, unique passwords: Use a password manager to create strong, unique passwords for all of your accounts. This will help protect you from being hacked if one of your passwords is compromised.
  • Check the sender’s email address before clicking on any links or replying with any information. If the email appears to be fake, do not interact with it.
  • Use spam filters and antivirus software to protect your email and devices. These tools can help to prevent phishing attacks from reaching you and can alert you to any suspicious activity.
  • Enable two-factor authentication on your accounts. This adds an extra layer of security by requiring you to enter a code sent to your phone or email in addition to your password.
  • Educate yourself and your employees about phishing attacks. Regularly remind employees to be vigilant and encourage them to report any suspicious activity to IT or security staff.

By following these steps, you can help to protect yourself and your organization from phishing attacks and other types of cybercrime. Remember to always be cautious when interacting with emails or websites and to report any suspicious activity to the appropriate authorities.