Avoiding Phishing Through Email and Other Communications
Phishing is a form of social engineering attack that targets the end-user by impersonating trusted entities. It tricks the recipient into handing over sensitive data, typically a password or login to an account, by masquerading as a legitimate message from a bank or an organizational contact. These attacks often include an attachment that, when opened, downloads malware to the victim’s machine.
Attackers can use public resources to gather information about the target, including work experience and interests, which lets them craft a convincing fake message. They can also spoof a known brand to trick the victim into clicking on a link or downloading an attachment. Either way, the result can expose personal and business data that attackers then exploit.
Spear phishing is more targeted and usually requires more in-depth knowledge about the organization. For example, attackers might research the department structure of an organization in order to reach internal documents or accounts. They then send a fake email that appears to come from an employee of the company, asking for something specific such as a wire transfer, restricted data, or a macro-enabled file.
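The three signals the article describes (a display name that borrows a trusted brand, a link that leads somewhere other than the apparent sender, and a macro-enabled attachment) can be checked mechanically before a message reaches a user. The following triage script is an added example, not part of the original article; the brand-to-domain allow-list, the set of macro-enabled extensions, and both sample messages are constructed here for demonstration, and the heuristics are illustrative rather than a complete anti-phishing control.

```python
"""Illustrative phishing triage heuristics (added example, not from the article).

Assumptions (not stated in the article): a small allow-list mapping brand
names to the domains that legitimately send mail for them, and a list of
macro-enabled Office extensions. Both are constructed for this demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains allowed to use that name.
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}}

# Extensions treated as "macro-enabled files" (assumption, not from the article).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_domain(from_header):
    """Return the lower-cased domain of the real address in a From: header."""
    _name, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_brand_spoof(from_header):
    """Flag a display name that invokes a known brand from an unexpected domain."""
    name, _addr = parseaddr(from_header or "")
    domain = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return f"display name mentions '{brand}' but sender domain is '{domain}'"
    return None


def check_macro_attachments(msg):
    """List attachment filenames whose extension indicates a macro-enabled file."""
    hits = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any(fname.endswith(ext) for ext in MACRO_EXTENSIONS):
            hits.append(fname)
    return hits


def check_links(msg):
    """List URLs in text parts whose host is not the sender's domain or a subdomain."""
    domain = sender_domain(msg["From"])
    suspicious = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = (urlparse(url).hostname or "").lower()
            if host != domain and not host.endswith("." + domain):
                suspicious.append(url)
    return suspicious


def triage(raw_message):
    """Run all checks over a raw RFC 822 message and return human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    spoof = check_brand_spoof(msg["From"])
    if spoof:
        findings.append(spoof)
    for fname in check_macro_attachments(msg):
        findings.append(f"macro-enabled attachment: {fname}")
    for url in check_links(msg):
        findings.append(f"link to a host unrelated to the sender: {url}")
    return findings


# Constructed sample: brand in display name, off-domain link, .docm attachment.
SUSPICIOUS_RAW = """\
From: "ExampleBank Security" <alerts@mail-verify.example>
To: user@example.org
Subject: Urgent: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached form or visit https://examplebank-login.example/confirm
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="account_form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: same brand, but sent from its own domain with an on-domain link.
LEGIT_RAW = """\
From: "ExampleBank Alerts" <alerts@examplebank.example>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Sign in at https://www.examplebank.example/statements to view it.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legit", LEGIT_RAW)):
        print(label, triage(raw))
```

Each finding is a triage signal rather than a verdict: a genuine newsletter may link to a third-party host, and a real colleague may legitimately send a macro-enabled workbook, so the output is best used to route a message for the direct verification the article recommends rather than to block it outright.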
Keeping a keen eye on email and other communications is an important first step to avoid falling victim to these types of attacks. When in doubt, users should contact the alleged source directly, through a channel they already trust, to verify that a request is genuine. Spelling and grammatical errors are also often a dead giveaway that an email may be fake: messages from professional sources should not contain such errors, as most companies use a copywriter and a spell checker to review what they send.