Layered Defences Against Phishing
Phishing is a common and dangerous form of online fraud that relies on deception to steal personal information from victims. It is typically delivered as a scam e-mail or a malicious web page that directs the victim to a fake website requesting confidential information, such as bank account numbers or credit card details.
Examples of phishing attacks include the ‘Nigerian Prince’ email, where a crook tries to trick the victim into sending money, usually a small fee paid upfront, in return for a promised larger sum. Alternatively, an ‘Angler’ attack occurs when a victim who has posted feedback or a complaint on social media is contacted directly by a scammer posing as the organisation, who hijacks the conversation to ask for their personal information.
Spear phishing is a more targeted form of phishing, aimed at a specific person or organisation. This type of attack usually consists of a spoofed or forged email that carries malware or malicious files.
GitHub, Dropbox and a range of other organisations have reported incidents in which an attacker posed as an employee to gain access to sensitive data or accounts. In these attacks, the criminals would have used a spear phishing email to obtain a list of employees in the organisation and then targeted their accounts to harvest sensitive data and credentials.
Effective layered defences are key to protecting against phishing attacks. They must be approached holistically, combining technological, process-based and people-based controls; no single layer is sufficient on its own.
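As an added illustration of the technological layer described above (example code, not from the original article), the following Python script triages an inbound message for the red flags that characterise a spoofed spear-phishing email: a display name impersonating the organisation from a foreign domain, a Reply-To that redirects replies elsewhere, a missing DMARC pass for mail claiming the organisation's own domain, and executable or macro-enabled attachments. It assumes the mail gateway has already stamped an RFC 8601 Authentication-Results header; the domain `example.com`, the lookalike `examp1e-corp.net` and both sample messages are constructed placeholders.

```python
"""Added example: a minimal technological layer for triaging inbound mail.

Not code from the original article. Assumes the receiving gateway has already
written an Authentication-Results header (RFC 8601) and that the organisation's
own domain is the constructed placeholder example.com.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
MACRO_DOCUMENT_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

# Constructed sample: lookalike domain, redirected replies, macro attachment.
SAMPLE_SPOOF = """\
From: "Example Corp IT Helpdesk" <helpdesk@examp1e-corp.net>
Reply-To: collect@attacker.invalid
To: alice@example.com
Subject: Password expiry notice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.net; dkim=none; dmarc=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form to keep your account active.
--b1
Content-Type: application/octet-stream; name="password_form.docm"
Content-Disposition: attachment; filename="password_form.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: genuine internal notice that passes all checks.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Mail will be unavailable Saturday 02:00-03:00.
"""


def auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def attachment_names(msg: Message) -> list:
    """Collect the filenames of every attached part."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> list:
    """Return a list of findings for a raw RFC 5322 message; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display-name spoofing: name claims to be us, but the domain is not ours.
    brand = OUR_DOMAIN.split(".")[0]
    if display and brand in display.lower() and sender_domain != OUR_DOMAIN:
        findings.append(f"display-name spoof: '{display}' sent from {sender_domain}")

    # 2. Reply-To redirection: replies would go somewhere other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {addr} -> {reply_to}")

    # 3. Authentication: mail claiming our own domain must carry a DMARC pass.
    verdicts = auth_results(msg)
    if sender_domain == OUR_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append(f"dmarc not passed for our own domain: {verdicts}")

    # 4. Attachments: executable content or macro-enabled Office documents.
    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS or ext in MACRO_DOCUMENT_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no findings")
```

The spoofed sample trips three of the four checks and the genuine one trips none; in practice a gateway would route anything with findings to quarantine or a reviewer, which is the process layer, and a user report button closes the loop with the people layer.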