Do Not Feed the Phish: Your Guide to Cyber Security

Phishing is a fraudulent attempt to gain access to someone’s personal information, such as passwords or credit and debit card numbers. It is a crime, but a large population of attackers and impostors continues to phish, undeterred. Phishing can be broadly categorized as a form of identity theft, since the stolen details are used to impersonate you. Cyber thieves phish through emails and through sign-up forms on fraudulent websites and pages.

During routine Internet browsing, you may land on a tempting offer, page, or website. This is the bait. Internet users may be enticed by anything from free software to appealing websites or the chance of winning a fortune. Clicking the bait redirects you to another page, which may then require you to sign up to gain further access. It all seems innocent enough when you are asked for your social media information, your personal phone number, or your email details. You may also be prompted to click malicious links that silently install system monitors, keyloggers, ransomware, or bots on your system, compromising all further activity and user data on it.

Whether you are an individual or part of a large organization, you can end up as a phishing target. Phishing is usually pitched through email; the messages often land in the spam folder but sometimes make it to the inbox. Attackers understand that even a statistically small click-through rate on their emails can yield sizable profits. To see why, consider this sample table, which assumes a very low phishing conversion rate:


So, out of the 72,035 phishing emails sent on January 1, there are 28 registrations. The conversion rate may seem low, but each of these conversions yields a worthwhile profit for the attackers. The email addresses and personal information used for the mailing come from the various fraudulent websites, software, and pages where the user has signed up in the past.

The Wombat 2016 State of the Phish report suggests that 4 in 5 organizations (some 80% of the market segment) have experienced phishing attacks. The report adds that such attacks, and their frequency, are only increasing. Asserting a far more dire figure than our chart above, the Wombat report states that of the total users pitched by attackers, 85% reported being victims.

Tellingly, general awareness of phishing also remains low. In the US, 65% of people reporting a phishing attack had only heard of the term phishing, 17% guessed wrongly at what it could mean, and the remaining 18% had no clue at all.

It is also important to understand how attackers carry out phishing successfully. According to the Verizon 2016 DBIR, email attachments are the #1 delivery vehicle for malware, with web drive-by downloads at #2 and email links at #3. Download by malware and network propagation share an equal incident count at #4 and #5. The Proofpoint Q3 2016 Threat Summary states that 97% of phishing emails delivered ransomware in Q3 2016.

Apart from ordinary individual email users, CEOs, CFOs, and other executives remain the biggest phishing targets. Such attacks are referred to as spear phishing or whaling, since high-ranking decision makers are prized for their access to sensitive corporate information as well as their sign-off authority for wire transfers. Executives can also be targeted with a customized email (drawing on their bio published online or their LinkedIn profile), which makes the lure more convincing and specific. An example of a phishing mail body is as follows:

[Image: example phishing mail body]

How to Prevent Feeding the Phish

In order to avoid feeding the phish, here are a few key things to keep in mind:

Learn to identify possible phishing emails: These will probably reuse the real company’s logo and images, copy the name of the company or its employees, link to sites whose domain names resemble the real business’s, and either promise gifts or warn that you are about to lose access to an existing account.

Check the source of incoming emails: Users should know that their bank will never request their personal banking information or passwords by email. Do not respond to such requests. If there is any doubt, contact the bank directly instead.

Beware of hyperlinks: These can land you on fraudulent web pages that work as a phishing trap. Hyperlinks that mention your bank or office should not be followed from a suspected email. Instead, type the correct URL directly into your browser.

Change your passwords periodically: Separate accounts should not share the same password. You should also consider changing your passwords from time to time.

Disable macros: Some ransomware that targets salespeople requires Microsoft Office macros to be enabled. Keeping macros disabled across the network prevents a salesperson from enabling them accidentally.

Avoid random sign-ups: Sharing personal details with untrusted websites and pages should be strictly avoided. You should also refrain from downloading software from clients and unknown developers.

Add a runtime malware defense on top of the antivirus: Although antivirus software is designed to block malware from entering the system, almost 390,000 new malware variants are created each day, and an antivirus will have a hard time blocking everything. Adding a runtime malware defense as an overlay to the antivirus stops incoming attacks from damaging user data and the system.

Regularly update your software: Developers constantly ship security fixes for their applications, so any available updates should be installed promptly.
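The "identify possible phishing emails" and "beware of hyperlinks" tips above can be turned into automated checks. The following Python script is an added example, not code from the original post or its author: it parses a raw email, flags links whose visible text shows one hostname while the href points elsewhere, flags hostnames that imitate a trusted brand domain, and flags a Reply-To domain that differs from the From domain. The trusted-domain list (`TRUSTED_DOMAINS`) and the sample message are constructed for the example, and the lookalike test (brand name embedded in a foreign host, or a near-miss spelling measured with `difflib`) is a deliberately simple heuristic.

```python
"""Heuristic phishing-email checker (added example; TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed)."""
import difflib
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation actually trusts (constructed list for the example).
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com", "microsoft.com"}


def _host(url_or_text):
    """Lowercase hostname from a URL or bare domain string, or '' if none."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _base_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    base = _base_domain(host)
    if base in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # brand name inside a foreign domain ("examplebank.com-verify.example")
        # or a near-miss spelling of the whole domain ("paypa1.com")
        if brand in host or difflib.SequenceMatcher(None, base, trusted).ratio() >= 0.8:
            return trusted
    return None


def analyze_message(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_host = _host(msg.get("From", "").split("@")[-1].strip("<> "))
    reply_host = _host(msg.get("Reply-To", "").split("@")[-1].strip("<> "))
    if reply_host and _base_domain(reply_host) != _base_domain(from_host):
        findings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = _host(href)
        # Only treat the visible text as a URL claim when it looks like one.
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and _base_domain(text_host) != _base_domain(href_host):
            findings.append(f"Link text shows {text_host} but points to {href_host}")
        imitated = lookalike_of(href_host)
        if imitated:
            findings.append(f"Host {href_host} looks like {imitated} but is not it")
    return findings


# Constructed sample message showing the three signs the checker looks for.
SAMPLE_EMAIL = b"""From: Example Bank <alerts@examplebank.com>
Reply-To: support@examplebank-secure.example
To: victim@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed. Please
<a href="http://login.examplebank.com-verify.example/x">https://www.examplebank.com/login</a>
now.</p>
<p><a href="http://paypa1.com/">Unsubscribe</a></p>
</body></html>
"""


def analyze_sample():
    """Run the checker over the constructed sample and return its findings."""
    return analyze_message(SAMPLE_EMAIL)


if __name__ == "__main__":
    for finding in analyze_sample():
        print("-", finding)
```

Run as a script it prints four findings for the sample: the Reply-To mismatch, the link whose text and target disagree, the host that embeds the bank's brand, and the `paypa1.com` near-miss. A real mail gateway would add sender-authentication results (SPF, DKIM, DMARC) and a proper public-suffix list instead of the two-label approximation, but the shape of the checks is the same.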

With these precautions, you can help prevent malware from breaching your system. By remaining alert to email phishing and website pitches, you can avoid falling prey to cyber attack. To gain a better understanding of cybersecurity, its threats, and attack prevention, you can also investigate these security courses.