Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords or credit card details by impersonating a reputable company in a text message or email.
We’ve all seen phishing attacks. We even wrote a blog about Social Engineering: Common techniques with lots of examples. Nobody thinks it will happen to them and hopefully it won’t. But as the cyber criminals are getting smarter, so are their phishing techniques. And chances are, we will all click on a dodgy link at some point.
Duo Security, a Trilogy partner, found that over 2 years of phishing simulation campaigns, 60% were successful in capturing at least one person’s credentials. You can try their phishing simulation yourself: Duo Insight will enable you to find vulnerable users and devices in minutes.
How do you avoid being phished?
A healthy level of paranoia is good. I came across a clever one recently where a contact sent me an email with a link to the “OneDrive file for the project we were talking about.” I hadn’t been talking to him about a project, but the whole thing looked very real. What made this even more interesting is that the attackers had hacked into his email system. When I forwarded (rather than replied to) the message to let him know that I thought the email may have been meant for somebody else, the hackers politely responded and kindly told me that no, it wasn’t spam and the email was meant for me. Thereupon I phoned my contact to let him know what was going on.
Remember, if it looks too good to be true, it probably is.
Use a password manager and, of course, don’t reuse passwords. As soon as one becomes compromised, attackers try to use it in other places. The LinkedIn breach of 2014 enabled cyber criminals to buy PlayStations on my friend’s Amazon account. Fortunately, that ended well for my friend because she caught it in time.
Ensure your system software and web browsers are up to date. Some browsers, including Chrome, now detect compromised passwords upon login. Change the password immediately if this happens to you.
In summary, don’t give out personal information unless absolutely necessary. If you’re unsure about a website or email, just pick up the phone and ask if this is in fact a valid
Implement 2FA wherever you can. But you do need to bear in mind that there are tools which enable attackers to bypass certain forms of 2FA. Modlishka is the latest.
Trilogy partners with Duo Security because they have the strongest forms of 2FA, including mobile push-based 2FA and U2F security keys. This complements and enforces additional device requirements which can ensure only corporate-owned and managed devices access your organisation’s data and applications.
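The two paragraphs above say that some forms of 2FA can be bypassed while U2F security keys are among the strongest. The difference comes down to origin binding, which the following added example illustrates; it is not code from this blog, from Duo or from any of the tools mentioned. It assumes the bypass takes the form of a relay between the victim's browser and the real login page, uses constructed origins (`login.example.com`, `login.example-sso.com`), a constructed challenge and key, and stands in an HMAC for the security key's real ECDSA signature so it runs with the standard library only.

```python
"""Added illustration (not from the original post): why an origin-bound second
factor such as U2F / WebAuthn survives a relay that a typed one-time code does not.
Toy model: HMAC stands in for the key's ECDSA signature; all names are constructed."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"           # hypothetical relying party
LOOKALIKE_ORIGIN = "https://login.example-sso.com"  # hypothetical relay site
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"          # constructed server nonce
KEY = b"constructed-security-key-secret"           # constructed per-site key secret


def rp_id_hash(origin: str) -> bytes:
    """The browser derives the RP ID from the origin it is really on, not from page content."""
    return hashlib.sha256(urlparse(origin).hostname.encode()).digest()


def authenticator_sign(key: bytes, browser_origin: str, challenge: str):
    """Browser + security key: the browser writes its actual origin into clientData,
    the key signs rpIdHash || sha256(clientData). Neither trusts the web page."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signed = rp_id_hash(browser_origin) + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, signature


def rp_verify(key: bytes, expected_challenge: str, client_data: bytes, signature: bytes) -> bool:
    """Relying-party checks from the assertion procedure that matter here."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:  # the origin check is what defeats a relay
        return False
    signed = rp_id_hash(REAL_ORIGIN) + hashlib.sha256(client_data).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def rp_verify_code(expected_code: str, submitted_code: str) -> bool:
    """An SMS/TOTP code carries no origin: whichever site the user typed it into,
    the server can only compare values."""
    return hmac.compare_digest(expected_code, submitted_code)


def genuine_login() -> bool:
    """User is on the real site; the assertion verifies."""
    client_data, sig = authenticator_sign(KEY, REAL_ORIGIN, CHALLENGE)
    return rp_verify(KEY, CHALLENGE, client_data, sig)


def relayed_login_u2f() -> bool:
    """User is on the lookalike site; the assertion is forwarded unchanged and is rejected."""
    client_data, sig = authenticator_sign(KEY, LOOKALIKE_ORIGIN, CHALLENGE)
    return rp_verify(KEY, CHALLENGE, client_data, sig)


def relayed_login_code() -> bool:
    """Same relay, but the second factor is a code the user typed in; it is accepted."""
    code_shown_to_user = "482913"  # constructed
    code_captured_by_relay = code_shown_to_user
    return rp_verify_code(code_shown_to_user, code_captured_by_relay)


if __name__ == "__main__":
    print("genuine login:", genuine_login())                 # True
    print("relayed U2F assertion:", relayed_login_u2f())     # False
    print("relayed one-time code:", relayed_login_code())    # True
```

The point of the contrast is where the origin lives. A code or push approval is just a value, so a server has nothing to compare it against other than the value itself; the assertion from a security key has the browser's real origin baked into the signed data, so a relay on a different domain produces something the real site will not accept even though the user did everything "right". The origin and challenge checks are therefore the controls to look for when reviewing a WebAuthn integration.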