Phishing is the #1 social engineering threat to association cybersecurity, and it has so little to do with the association’s technology. No, the reason that phishing is responsible for so many data breaches is good old-fashioned human error.
That’s right—we’re talking about people unknowingly giving their passwords and credit card numbers to hackers, filling out personal information on websites created by hackers, and accidentally installing malware onto their machines. Yikes.
Technology like firewalls and spam filters work as hard as they can to limit phishing attacks, but it turns out that human social engineering and manipulation are still highly effective tools for cyber attackers.
So what can an association do to beef up its cybersecurity in regard to phishing? The short answer is to raise awareness with members and employees, but of course there’s a bit more to it, which we’ll cover in this post.
If you’d rather talk with an expert at Aptify regarding cybersecurity right now, please don’t hesitate to contact us.
But for now, let’s do a deep dive on the dark art of phishing.
What is phishing?
Phishing is THE most common method of initiating a cyberattack—91% of of cyber attacks start with a phishing email! Basically, “phishing” is when a hacker sends an email to somebody with an intent to gain personal information, install malware, or engage in other illegal behavior. It’s one of the oldest cyber attacks, dating back to the 1990s.
The difference between phishing and other forms of cyber attacks, such as Denial-of-Service (DoS) Attacks, is the human element—phishing relies on social engineering to have the user help the hacker get what he wants. The fraudulent email is written in such a way that induces the victim to act. Common acts include:
- Clicking a malicious link
- Installing malicious software
- Giving away personal or association info (passwords, credit card numbers, etc.)
For example, hackers will pose as banks (or even the IRS!) and make false claims via email about money the user can collect. In order to receive whatever fake award is offered, the user is required to submit financial information. Unfortunately, there is no money to collect, and the user just gave away their bank account details.
But it’s not just personal info the hackers are after—many times, they will include a malicious link disguised as something benign. When the user clicks the link, the user is taken to a malicious website, or asked to install malware onto the computer, granting various levels of access to the hacker.
One particularly nasty type of malware is called “ransomware.” Once ransomware is installed, the hacker will steal data and hold it hostage until money has been paid for its return, or lock down the entire system so it can’t be used by anyone. Of course, even if they pay, there’s no guarantee the user will ever see the data or have access to the system again! As you can see, this is why it’s crucial for associations to start talking about phishing and raise awareness among their employees.
Phishing usually involves more than just a poorly worded email.
The stereotypical email people think of when thinking about phishing is something like this:
Dear sirr or madame,
youve just won $2million USD in the national lottery. Send banking details to collect you’re prize.
Yes, those still happen, but the level of sophistication of phishing attacks has risen dramatically in recent years.
Hackers will re-create popular websites to look just like the official website and induce people to provide their passwords. Everything about the site may look legitimate, except that the domain (web address) is one or two letters off, or registered using cyrillic characters. (Making it look almost exactly the same as the legitimate site.) These websites will be linked in the email. This Gmail phishing attempt cleverly included a linked image that looked just like an attachment—watch out!
Additionally, hackers will send emails with malware attachments that seem innocuous, or worse, seem like they’re important and need to be addressed. These files, once opened, spread their malicious payloads about your system.
Combating phishing using technology and common sense
At this point, you’re probably realizing that nobody likes phishing—in fact, yes, we hate it. There, I said it.
There are many technology solutions that exist to limit the threat of phishing like firewall appliances and email filters, which keep malicious emails from ever entering your inbox. Browsers even display “Not secure” messages in message previews, but not everybody sees or cares about these warnings.
If you’d like to take a more active role in the fight against phishing, and assist vendors in providing more accurate warnings, check out phishtank.com and spamhaus.org/dbl/. These websites use the power of community to find and identify phishing scams by posting malicious and suspected domains and emails.
Also—Pay attention to prompts!
When a file is downloaded directly from the Internet, new versions of Microsoft Windows and Apple MacOS will display prompts reminding you of this. Use that prompt to remind yourself to do one last check on the source of the file.
Keeping your antivirus software up to date and practicing awareness is probably the best way to combat phishing—pay attention to the email you receive, the attachments you open, and the links you click. According to a survey from Dimensional Research, 87% of IT professionals are more concerned with threats from the inside than hackers!
Indications of an email phishing attempt
If you receive an email message and see any of the below, proceed with extreme caution!
- The unsolicited email originates from an unrecognized sender
- The message appears to come from your bank, PayPal, or other financial institution, but is address to “User”, “Customer”, “Sir or Madam”, etc.
- Links contained in the email point to different URLs than they indicate in text. (Check this by mousing over the link but NOT clicking)
- The message makes use of broken syntax or is poorly worded
- The offer is too good to be true. (“You’ve just won 1 million dollars! Just provide us your bank account details.”)
- The email requests personally identifiable information such as your full name, credit card numbers, social security number, username, or password
- The message contains a zip, macro-enabled Office document or executable attachment
While this isn’t an exhaustive list, it’s a great start to some of the more common phishing scams I’ve seen.
Stamp out phishing threats to your network
In terms of preparing your association against the threat of phishing, here are a few must-haves:
1. Make sure your email service provider has a spam/malware filtration feature
Probably a no-brainer at this point, but it must be said. If the majority of phishing attacks are filtered from the inbox without users having the chance to see it or open it, the chances of falling victim diminish.
2. Train your members on how to identify phishing email attacks
A proactive nudge to your employees (or membership) about the major damage that phishing might cause can go a long way. And not just a “one-and-done” notice—make a point to call out major phishing attacks and preach awareness.
3. Never provide personal identifiable information in email
This is the same message for whether it’s your personal data, your association’s intellectual property, or your members’ credit card information. Legitimate companies do not ask for personal information over email because of the insecure nature of the system. Email messages that do so are a huge red flag.
Phishing is not a new threat, it has been happening for over 20 years now. But the level of sophistication in the attacks is forever increasing, and the damage continues to be wrought upon the public.
Talking about this threat and providing tools for proactively addressing phishing is the number one thing you can do to reduce your association’s exposure. Awareness is huge, as most of these breaches occur because the email recipient did not recognize or know how to recognize the phishing attempt, resulting in their taking inappropriate action.
It is long past time for associations to make the necessary training investment to prevent this type of attack from threatening their member data and jeopardizing the success of their mission.
