According to phishing.org, phishing is a cyber-crime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution, in order to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Given the threat posed by phishing attacks, individuals and organisations must stay vigilant and protect themselves. Some of the ways to stay protected from phishing include:
As an Individual:
1. Never click on links in, or download attachments from, strange emails. If working in a corporate environment, report all strange emails to the IT Security team.
2. On every email, cross-check the sender's address before releasing sensitive information, because attackers create fake addresses that look like legitimate ones. For example, an attacker could create John.Doe@b1d.com to mimic John.Doe@bid.com.
3. When you receive urgent instructions from management over email (especially transactional instructions), always call the sender to confirm the instructions. Organisational procedures must always be followed when executing transactional instructions, as phishers exploit urgency to perpetrate their attacks.
4. Your bank would never ask for your personal information over voice calls. Never disclose it.
5. Beware of cyber-squatting. Several phishing websites exist with names similar to those of genuine websites. The hackers' game is to trick visitors into thinking the fake websites are real, so that these visitors give up sensitive information to the hackers (or fulfil other motives of the cyber-attack).
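The sender-address check in point 2 can be automated on the receiving side. The script below is an added example, not code from the original article: it takes a hypothetical allowlist of trusted domains (bid.com and example-bank.com are placeholders), extracts the domain from each sender address, and flags domains that impersonate a trusted one through confusable characters (b1d.com for bid.com), a one-character difference, or a trusted name used as a leading subdomain of another domain. The sample sender addresses are constructed for the demonstration.

```python
"""Flag sender addresses whose domain impersonates a trusted domain."""
from typing import List, Tuple

# Hypothetical allowlist: domains this organisation treats as its own.
TRUSTED_DOMAINS = {"bid.com", "example-bank.com"}

# Coarse map of characters commonly swapped for look-alikes in
# phishing domains. Both the candidate and the trusted domain are
# normalised with it, so the mapping only needs to be consistent.
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CHAR_CONFUSABLES = str.maketrans("01l357", "oiiest")


def normalize(domain: str) -> str:
    """Collapse visually confusable characters so b1d.com == bid.com."""
    d = domain.lower()
    for multi, single in MULTI_CHAR_CONFUSABLES:
        d = d.replace(multi, single)
    return d.translate(SINGLE_CHAR_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like bid.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(sender: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, matched_trusted_domain).

    Verdicts: "trusted"   - domain is exactly on the allowlist
              "lookalike" - domain resembles a trusted domain; review it
              "external"  - unrelated domain
              "invalid"   - not a parseable address
    """
    local, sep, domain = sender.strip().rpartition("@")
    if not sep or not local or not domain:
        return ("invalid", "")
    domain = domain.lower()
    if domain in trusted:
        return ("trusted", domain)
    for t in sorted(trusted):
        if (domain.startswith(t + ".")            # bid.com.attacker-site.net
                or normalize(domain) == normalize(t)  # b1d.com
                or edit_distance(domain, t) <= 1):    # bid.co, bidd.com
            return ("lookalike", t)
    return ("external", "")


def triage(senders: List[str]) -> List[Tuple[str, str, str]]:
    """Classify a batch of sender addresses for review."""
    return [(s, *classify(s)) for s in senders]


if __name__ == "__main__":
    # Constructed sample senders, not real traffic.
    SAMPLE_SENDERS = [
        "John.Doe@bid.com",
        "John.Doe@b1d.com",
        "alerts@bid.com.secure-login.net",
        "support@bid.co",
        "news@vendor.org",
        "no-at-sign",
    ]
    for sender, verdict, match in triage(SAMPLE_SENDERS):
        print(f"{verdict:9s} {sender:35s} {match}")
```

A "lookalike" verdict is a prompt for review rather than an automatic block: a legitimate partner may well use a domain one character away from yours, which is exactly why the article advises confirming by phone before acting on anything sensitive.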
As an organisation:
1. Draw up a comprehensive cyber-security awareness programme which covers the relevant cyber awareness topics.
2. Consistently train employees (based on the cyber awareness programme) to ensure that they stay abreast of the threat landscape.
3. Invest in trusted anti-phishing solutions.
4. Ensure that the organisation's Incident Management Process includes steps to handle phishing incidents before they escalate.
5. Implement proper network segmentation to limit lateral movement after a successful phishing attack.
6. Perform periodic phishing campaigns/simulations to test the effectiveness of your organisation's cyber-security controls and employees' readiness for phishing attacks (Cymulate and IronScales are two of several solutions that can perform phishing simulations).
Stay Secure!