
What Every Business Should Know About Phishing (Part 1)

by Jason Blalock on October 4, 2018

Are you educating your workforce about the potential for phishing scams, and how to avoid them? If not, you're leaving a gaping hole in your IT security which no piece of hardware could ever plug.

Interested in learning more ways to protect yourself from Phishing?  Download our guide "How to Identify and Prevent Phishing" here.

"Phishing" refers to any sort of online scam aimed at tricking people into giving up personal information or critical data such as their usernames/passwords. It's a 21st Century variation on classic con jobs, and it works. Phishing is one of the most dangerous and successful forms of online fraud out there. And just about anyone can be targeted: major political parties, large corporations, open source projects, and more.

In this series of articles, we'll be taking a look at different types of phishing, and how to protect yourself - and your workforce - from them.

Know Your Phishing Attempts! (Part 1)

1 - Basic Phishing

The most typical phishing attack runs something like this: The attacker starts by impersonating a website, downloading all its content and creating a mirror, but on a domain they control. That domain will necessarily be misspelled or otherwise differ from the real one in some way; someone impersonating us, for example, might try to set up a site at "www.humingbirdnetworks.com". Then they send official-looking emails from that domain, talking about some vague security concerns and telling users to log into their accounts, with links to the fake site.

If anyone falls for it, the attackers have now learned their usernames and passwords.  Plus, given how often people reuse login credentials, one login becoming compromised can often compromise many more accounts.

Fortunately, these types of attacks tend to be pretty easy to spot.  Their warnings are vague, and the URL will always contain some "giveaway" that it's not legitimate.  When in doubt, visit the website in question via an independent web search, and contact them directly from there to inquire about the veracity of the email.
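The "giveaway in the URL" that the paragraph above relies on can also be checked by software before a message reaches a user. The following is an added example written for this article, not code from the author or from Hummingbird Networks. It scans an email body for links and flags two patterns the post describes: a registered domain within a couple of edits of a trusted one (the "humingbirdnetworks.com" case), and a trusted brand name used as a subdomain of an unrelated domain. The trusted-domain list, the sample email and the helper names are all assumptions constructed for the example; `hummingbirdnetworks.com` is inferred from the article's misspelled example and `sophos.com` from the post's topic tags.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation's legitimate domains. hummingbirdnetworks.com is
# inferred from the article's "humingbirdnetworks.com" example; sophos.com comes
# from the post's topic tags. This list is not part of the original article.
TRUSTED_DOMAINS = ("hummingbirdnetworks.com", "sophos.com")

# Constructed sample email body (not from the article): one genuine link, two
# lookalike links of the kind the article describes, and one unrelated link.
SAMPLE_EMAIL = """\
We detected unusual activity on your account.
Review it here: https://www.humingbirdnetworks.com/login
Or use our secure portal: https://hummingbirdnetworks.com.account-verify.net/signin
Our real site is https://www.hummingbirdnetworks.com/ and a search engine is
at https://duckduckgo.com/?q=phishing
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified: treat the last two labels as the registered domain.
    Production code should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, link_domain, impersonated_domain_or_None).

    verdict is "trusted", "lookalike" or "unknown"; "unknown" only means the
    link is not near any trusted domain, not that it is safe.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain, None)
    # Brand name planted as a subdomain of an attacker-controlled domain,
    # e.g. hummingbirdnetworks.com.account-verify.net
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", domain, t)
    # Typo-squat: registered domain within a couple of edits of a trusted one.
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, closest) <= max_distance:
        return ("lookalike", domain, closest)
    return ("unknown", domain, None)


def scan_email_body(text: str):
    """Classify every http(s) link found in an email body."""
    return [classify_url(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for verdict, domain, target in scan_email_body(SAMPLE_EMAIL):
        note = f"  (impersonates {target})" if target else ""
        print(f"{verdict:10} {domain}{note}")
```

Running the block on the constructed email marks the misspelled domain and the brand-as-subdomain link as lookalikes, the genuine `www.hummingbirdnetworks.com` link as trusted, and the unrelated link as unknown. The edit-distance threshold of 2 is a tuning choice: lower values miss more typo-squats, higher values start flagging legitimately similar names, so in practice a verdict like this should feed a warning banner or a review queue rather than block mail outright.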

2 - Spear Phishing

The basic phishing attack is usually broad spectrum, targeting thousands or millions of email addresses in hopes of finding a few suckers.  Spear phishing, on the other hand, is precisely targeted at individuals. 

The overall goal is the same: trick people into giving up critical info.  However, spear phishers will attempt to boost the plausibility of their scam by incorporating information about the target that's been gathered via other sources.  This can be very easy for attackers, given how often people over-share sensitive information on social media.  They pretend to be a friend, coworker, someone who "met you at a conference", etc. and work the con job from there.

The best way to protect against spear phishing is to be vigilant about not putting personal information on social media. Also, always be wary whenever someone wants you to log into a website.

3 - CEO Impersonation

This is a two-stage attack.  Stage one is gaining access to the email of a CEO or other C-level executive, usually via spear phishing or some form of keylogging.  Stage two then involves sending an email "from" the exec to other departments with false instructions.  For example, the Austrian company FACC lost over $40 million Euros to a CEO impersonator issuing payment orders to their accounting dept.   

The best defense here is procedure.  Whenever dealing with large payments, requests for high-level passwords, and similar risky requests, ALWAYS have procedures in place for lower-level staff to independently verify the authenticity of the request.  And encourage them to do so!  A company whose boss has a tendency to issue last-minute orders and punishes workers who question him is begging to be defrauded.

That's it for now. Tune in for part 2 as we continue discussing different types of phishing attempts!

Topics: Network Security, Sophos, Phishing
