Phishing is not just a sport.
The other day I was traveling behind a car that had a bumper sticker that read “Fishing is not just a sport, It’s a way of life” and it got me thinking.
We all know that in the sport of fishing a person hangs bait on a line and waits for something to bite and when the fish bites you reel it in and get the prize. This is also true with Phishing.
Wikipedia defines Phishing as “An attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.”
In simple terms phishers place bait in emails, instant messages in fact almost any form of electronic communication and waits for the unsuspecting victim to take the bait. At the end the Phisher gets the prize but it’s not just a fish this time. The aim is to trick the victim into divulging personal and financial information, such as passwords, account IDs or credit card details.
Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a link in a seemingly legitimate email than trying to Hack into a computer. Although some phishing emails are poorly written and clearly fake, sophisticated cybercriminals employ the techniques of professional marketers to identify the most effective types of messages, the phishing "hooks" that get the highest "open" or click through rate and the Facebook posts that generate the most likes.
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.
A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.
The phisher replaces the links in the email to redirect it to a fake website designed to look identical in every way to the original site, in fact most of the time you can’t tell the difference and it even logs you into your account on the site original site. In the meantime, the attacker now has your username and password for that site.
Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phisher men have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena
So how do we combat Phishing.
I asked Cary Hendricks the Global Operations Director and white hat hacker, how we can avoid becoming a victim of a phishing attack.
Now there are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. These techniques include steps that can be taken by individuals, as well as by organizations.
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. We run courses like the EC-Councils CSCU (Certified Secure Computer User)
In a June 2004 United States Military Academy at West Point, NY. experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake email from a non-existent Col. Robert Melville at West Point, were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)
ID Cyber can run tests like this for your company and give you reports on who clicked on the link. (you will be surprised who gets court)
ID Cyber also offer a range of courses that cover every part of your business.
For Owners Directors
Master classes are ½ day non-technical courses designed to give Directors and Owners and awareness of the of the Cyber security risk. It shows demos on how attacks are preformed and gives the attendee tools and knowledge to help manage the risk. This course and be presented over dinner or can be set up as a more formal course.
For IT Executives and IS Managers
CCISO (Certified Chief Information Security Officer.)
CCISO is a 5 Day course as the name says for Chief Information Security Officers. The CISO is an executive title in the industry, just like CIO or CEO.
The Course certifies information security manager and executives in 5 crucial domains of information Security. Governance, IS Management Controls & Auditing Management, Information Security Leadership – Projects & Operations, IS Core Competencies and Strategic Planning & Finance.
This is NOT a technical course. There are no labs, no hacking demos, etc. The program is concerned with policy setting, project
management, laws and regulations, HR management, executive strategy, contract management, and finance. These topics are things that many CISOs and other IS (information security) executives have to learn on the job.
For Security Officers auditors and Security Professional
CEH (Certified Ethical Hacker)
The 5 Day CEH course is the world’s most advanced ethical hacking course encompassing 18 state-of-the-art modules containing everything you need to know to improve the security posture of your organisation. CEH v9 covers over 270 different attack technologies, examining many different approaches taken by attackers and allowing you to truly embrace the hacker mind-set.
For the end users
CSCO (Certified Secure Computer User)
CSCO is a 2 day course that enables computer users to build on their existing skills by educating them on practical aspects of security and networking. Your employees will acquire a fundamental understanding of various computer and network security threats such as identity theft, credit card fraud, online banking phishing scams, malwares, loss of confidential information, and social engineering. This course is an interactive environment where your employees acquire fundamental understanding of various computer and network security threats. These skills will help employees to take the necessary steps to mitigate their personal and corporate security exposure. On successful completion of the exam the candidate will receive a certification from the EC-Council
For any more Information on any of these courses you can visit the ID Cyber Solutions Website http://training.idcybersolutions.com/