Debasish Mukherjee; Vice President, Regional Sales APAC at SonicWall Inc.
Phishing is one of the oldest cybersecurity scams and often one of the first steps in a complex, multi-stage attack. For instance, 67% of IT teams in India associate phishing with emails that falsely claim to be from a legitimate organization, usually combined with a threat or a request for information. According to a report on global security, India generates the highest number of spam and phishing emails in the Asia region.
What’s the approach?
Phishing attacks often begin with an email, a text message, or even a phone call. The message will be simple, often in the form of an announcement, such as a problem with a payment, a security breach, or the suspension of benefits or services. If the target is a company or organization, the scammer may seem unassuming, even respectable. For example, some scammers will claim to be a new employee, an IT technician, or a researcher. They may even produce credentials or other information to support their claim.
If the attack is broader, the message may appear to originate from a well-known brand, a trusted company, or a non-profit organization. For example, common phishing scams impersonate a credit card company or other financial institution, a charity, or a political organization.
Simple phishing scams take a spray-and-pray approach, hitting thousands of potential victims at the same time with identical spoofed messages. Some of these campaigns also spoof websites, where the primary trap is laid. These campaigns have become more polished in appearance. Although they are the easiest phishing campaigns to detect, we fall for them when we are rushing around and do not pay close enough attention.
Some scammers go a step further by picking a target and then attacking with a sophisticated social engineering script. The goal is to gain trust and approval from a chain of victims. For instance, the scammer may start with a spoofed email address of a known colleague or executive. If the scammer cannot get enough information from one source, they move on to another within the same organization. Finally, they increase their credibility by adding information gleaned from the previous victim as they probe for more data. Within 20-30 minutes, the scammer may have enough information to piece together what they need to infiltrate highly sensitive networks and computers.
Avoid being a victim. Here’s how:
The first and probably the most important rule is to be constantly vigilant. Raise your awareness when you get an unsolicited phone call or receive an unexpected message. Watch for unusual requests about employees or other internal information. Withhold all information and rely on your better judgment before divulging ANY info.
Remember that the phish is all about squeezing information from you: refuse to give it to them. Instead, make a personal commitment to your cybersecurity. For instance:
- Do not click links in emails or text messages – even from trusted individuals.
- Do not download ANYTHING that comes from an email or text message you did not expect; and
- Do authenticate URLs, the sender's identity, and the company's identity. Often, a simple phone call from your own device will do the trick.