Phishing: need a reminder?

Phishing is one of the most well-known attack methods today and is behind some of the most publicized security breaches.

We talk about phishing when a potential victim is contacted (by email, phone or SMS) by a cybercriminal pretending to be a legitimate institution or person. The principle is that the victim is asked to provide sensitive information (credit card numbers, usernames, passwords, etc.). To achieve this, the hacker may request an email or text response, or ask the victim to click on a link that leads to a fake landing page that attempts to collect credentials or load malware onto the system.

Why do attackers use phishing?

These phishing communications appear legitimate and fool people, both novices and IT professionals. Attackers mainly use phishing to steal money or data. However, some cybercriminals are increasingly using phishing to impersonate people who have access to coveted networks or systems, by obtaining login credentials for their work accounts, for example. Several recent cases have shown that hackers who obtained employees’ usernames and passwords gained unauthorized access to internal systems. Once in the system, hackers can easily impersonate legitimate users, and it is difficult to remove them.

Malicious actors can also use a phishing attack to infect a device with malware by tricking someone into clicking a link. Once the malware is installed on the device, it’s game over. If the affected company does not have up-to-date security policies, this malware can move from device to device, deploy other malware, steal sensitive information, enroll devices in a botnet, or even send spam from the victim’s email.

How do I know if I’m the target of a phishing campaign?

Phishing is very effective because it attacks people directly. The malicious actor is not trying to trick a system or circumvent a security policy; they are trying to trick individuals. Phishing has several key characteristics:

  • It’s too good to be true: “You won 10,000 euros, send us your bank details so we can make the transfer”. If it seems too good to be true, it probably is.
  • The sense of urgency: “Without an immediate response from you, your bank account will be suspended.” Remember that it is very rare to have to do something immediately or face direct consequences. Hackers can send security alerts like “We’re having a problem with your account, click here to verify your information.”
  • Hyperlinks: “Click here to contact us and solve the problem”. This method manages to trap many people. Generally, a clickable button is available to help you “do the process”. Hovering over said button with your mouse lets you see where it takes you. It is advisable to always check this before clicking.
  • Attachments: “Download here”. An email can feel like it’s trying to provide information rather than trying to persuade the person to provide it. Attachments may contain malware aimed at infecting devices.
  • Something looks suspicious: Spelling mistakes in the message or an incorrect email address are signs of a potential phishing attempt. However, malicious actors are paying more and more attention to avoiding spelling and syntax errors.

How can I protect myself from phishing campaigns?

There are several ways to help combat phishing attacks. First, NEVER click on anything until you are 100% sure of the identity of the sender. This may sound like common sense, but clicking is the first step in many ransomware attacks, DDoS botnets, or the first level of security breaches. If a person is unsure about anything, they should contact the suspected sender directly, via phone, new email, text or instant message, and ask if they have actually tried to contact them.

If someone receives a phishing message at their workplace, they should contact their IT team: other employees may have received the same message, and the security system may be updated to contain the harmful junk mail.

Company leaders should try to provide security awareness training to employees. Market players can help empower teams to proactively identify, act on, and respond to security threats through cybersecurity awareness training. Security is everyone’s business today, and we all need to be equipped to know how to protect ourselves.
