Information Security - Understanding the Basics: "Phishing"

Castellan Information Security Services is posting a few short articles aimed at informing our clients and followers covering some of the 'basic' information security topics and trends. We understand that while some clients require advanced technical and corporate security measures and strategies to meet their needs, some require starting at the beginning to understand the topic better and start their own journey to securing their information.

The next topic we will discuss in this regard is Phishing. Phishing is a type of social engineering attack that attempts to steal your information by getting you or staff members to reveal confidential corporate information -- such as passwords, bank information, or Intellectual Property data -- through websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, service providers, partners, or acquaintances in a professional developed fake message, which contains a link to a dangerous phishing website.

The Different Types of Phishing Attacks

1. Spear phishing and Whaling

Spear phishing

Spear phishing targets a specific group of individuals or companies. Instead of a randomized victim pool, the culprit will purposefully identify and target their specific victims - oftentimes employees within the same company - and will tailor their email with specific details intended to add credibility and lower suspicion.

Whaling

This type of attack is similar to spear phishing, but instead of concentrating on working level employees, whaling attacks target the "big fish" like CEOs, COOs, or other executives in order to steal valuable corporate level information.

2. Vishing and Smishing

Email Phishing

Email phishing is the most common type of phishing. Hackers send professionally developed and legitimate-looking emails to random or targeted email addresses. One version of these attacks involves the email informing potential victims that there has been a compromise to their account and that they need to respond immediately by clicking on a provided link.

Smishing

It is a SMS phishing. As such, it is a type of phishing attack where perpetrators unsuspecting victims on text messaging platforms, including SMS or apps like Viber or WhatsApp.

Vishing

These attackers seek access to your sensitive personal or corporate information through a voice call pretending to be the person's bank or credit card company, intended to manipulate the victim into handing over confidential information or sensitive data, such as corporate passwords or financial information.

How to Defend Against a Phishing Attack - "Focus on Knowledge, Training and Awareness"

1. The best way that you can truly protect your organization from a phishing attack is through providing your staff, managers and contractors with information security training and awareness. This training does not have to be extensive but should be mandatory for all personnel and should be delivered on a somewhat regular basis to keep up with new threats and trends.
2. In addition to training, management can communicate on a regular basis with your staff about the issue of information security to ensure it stays top of mind. These communications can include reinforcing the organizational commitment to security, reminders regarding specific measures each employee can take, new trends or developments in cyber security threats and even media information pertaining to successful phishing attacks against other companies.
3. Implementing internal policies outlining sound information security operating procedures. This includes instructions to not open attachments or links from unsolicited emails, even if the emails came from a recognized source, and a process to quickly report attempted phishing attacks to the proper party.
4. Finally, technical measures can also be implemented or strengthened to help combat phishing attacks. These can include Anti-Spam software and a Spam Filter (the minimal defense an organization can take), Web Traffic Inspection tools to protect against internet-based threats, and a Secure Email Gateway which is and an advanced / new generation anti-spam tool to detect threats.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and have worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information please feel free to contact us directly at info@castellaninformationsecurity.com.

Ask us about our free preliminary security assessment and our Security Operations Centre (SOC) service that uses special detection technology and cyber experts to monitor your data on a live, 7/24 basis.

View More