What is a phishing attack?
Phishing is an attack where a scammer calls you, texts or emails you, or uses social media to trick you into clicking on a malicious link, downloading malware, or sharing sensitive information. Phishing attempts are often generic mass messages, but they are crafted to look legitimate and to appear to come from a trusted source (e.g. a bank or a courier company).
Protect your information and infrastructure:
- Verify links before you click them. Hover over the link (or long-press it on a mobile device) to reveal the real destination, and check that the domain matches the sender and the site you expect
- Avoid sending sensitive information over email or texts
- Back up information so that you have another copy
- Apply software updates and patches
- Filter spam emails (unsolicited junk emails sent in bulk)
- Block IP addresses, domain names, and file types that you know to be bad
- Call the sender back to verify legitimacy, using a number you already trust rather than one supplied in the message (e.g. if you receive a call from your bank, hang up and call the number printed on your card)
- Publish SPF, DKIM and a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record for your own domains, and use anti-phishing or mail-filtering software that enforces the DMARC policy of sending domains
- Reduce the amount of personal information you post online (e.g. phone numbers and extensions for employees)
- Establish protocols and procedures for your employees to internally verify suspicious communications. This should include an easy way for staff to report phishing attacks
- Update your organization’s incident response plan to include how to react if you’re hit with a phishing attack
- Use multi-factor authentication on all systems, especially on shared corporate accounts (e.g. social media accounts)
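To make the DMARC item concrete, here is an added example (it is not part of the original guidance) showing what a DMARC-aware mail filter actually decides: it parses a domain's DMARC record, checks whether the SPF or DKIM result is aligned with the visible From: domain, and returns the disposition the domain owner asked for when neither aligns. The records, domains and SPF/DKIM results are constructed for the illustration, and the organizational-domain logic is simplified to the last two labels (real implementations consult the Public Suffix List).

```python
"""Evaluate DMARC alignment and review a DMARC record's strength.

Added example with constructed data; org_domain() is a deliberate
simplification of the Public Suffix List lookup real filters perform.
"""
from typing import List, Optional

# Constructed records for the illustration.
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK = "v=DMARC1; p=none; pct=50"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")     # policy applies to all mail unless stated
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless stated
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_domain: Optional[str],
             spf_pass: bool, dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """DMARC passes when SPF or DKIM passed *and* is aligned with the From: domain.

    Otherwise the disposition is the domain owner's p= policy (none, quarantine,
    reject). A spoofed message can pass SPF/DKIM for the attacker's own domain
    and still fail DMARC, because those identifiers are not aligned.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


def review_policy(record: str) -> List[str]:
    """Flag settings that leave a domain spoofable or leave its owner blind."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if tags["sp"] == "none" and tags["p"] != "none":
        issues.append("sp=none leaves subdomains unenforced")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues


if __name__ == "__main__":
    # Legitimate mail: SPF passed for the bounce domain mail.example.com (relaxed-aligned)
    print(evaluate(STRICT, "example.com", "mail.example.com", True, None, False))
    # Spoof: SPF and DKIM vouch only for attacker.net, so the From: domain is unaligned
    print(evaluate(STRICT, "example.com", "attacker.net", True, "attacker.net", True))
    print(review_policy(WEAK))
```

A record with `p=none` is worth publishing as a first step because it yields reports, but it blocks nothing; the protective setting is `p=quarantine` or `p=reject` with `pct=100`.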
Training and awareness can make a difference:
Your organization’s users should know the importance of keeping their personal information and the organization’s information protected. Users who are not educated on the warning signs of social engineering attacks might reveal information or infect the network’s devices unknowingly. An informed workforce, trained in how to handle personal information (privacy awareness training) and in cyber security, reduces the chance that a phishing attack succeeds. Also run internal phishing simulations so that employees practise detecting and avoiding phishing attempts in a safe environment.
Something may be phishy if:
- you don’t recognize the sender’s name, email address, or phone number, or the displayed name doesn’t match the actual address (spear phishing targets a specific person and often impersonates a contact they know)
- you notice a lot of spelling and grammar errors
- the sender requests your personal or confidential information, or asks you to log in via a provided link
- the sender makes an urgent request with a deadline
- the offer sounds too good to be true
- the caller’s voice has a robotic tone or unnatural rhythm to their speech
- the call is of poor audio quality
Watch out for unsolicited communications with:
- attachments
- hidden links
- spoofed websites
- malicious QR codes
- log-in pages
- urgent requests
- prompts for personal information
- a caller who claims to be a government official or bank representative
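Several of the cues above can be checked mechanically before a message reaches a user. The following is an added example (not part of the original guidance) that scans a raw email for a display name claiming a different address than the real sender, urgent wording, a hidden link whose visible text shows one host while the href points elsewhere, a lookalike host that contains the organization's domain name without belonging to it, a login prompt that links off-domain, and an attachment with a risky file type. The organization's domain, the word lists and the sample message are all constructed for the illustration.

```python
"""Flag phishing indicators in a raw RFC 5322 message.

Added example with constructed data: INTERNAL_DOMAINS, the word lists and
SAMPLE are assumptions for the illustration, not real mail.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own domain(s)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
LOGIN_WORDS = ("sign in", "log in", "login", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")

# Constructed phishing message: spoofed display name, urgency, hidden link to a
# lookalike host, login prompt and an executable attachment.
SAMPLE = """\
From: "helpdesk@example.com" <alerts@example-support.net>
To: alice@example.com
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires <b>immediately</b>. Sign in within 24 hours to keep access:</p>
<p><a href="http://example.com.login-portal.net/sso">https://sso.example.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="reset_tool.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
CLEAN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_internal(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.x.com' text is treated as http://www.x.com."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def analyze(raw: str) -> list:
    """Return (indicator, detail) findings for one message; [] means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    # Display name pretends to be an address on another domain than the real sender
    if "@" in sender.display_name and sender.display_name.rpartition("@")[2].lower() != from_domain:
        findings.append(("sender-mismatch", f"shown as {sender.display_name!r}, sent from {sender.addr_spec!r}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    findings += [("urgency", w) for w in URGENCY_WORDS if w in lowered]

    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        target = host_of(href)
        if ("://" in shown or shown.startswith("www.")) and host_of(shown) != target:
            findings.append(("hidden-link", f"shows {host_of(shown)} but goes to {target}"))
        if any(d in target for d in INTERNAL_DOMAINS) and not is_internal(target):
            findings.append(("lookalike-host", target))
        if any(w in lowered for w in LOGIN_WORDS) and not is_internal(target):
            findings.append(("external-login-link", target))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE):
        print(f"{code:20} {detail}")
    print("clean message:", analyze(CLEAN))
```

Each finding maps to a cue from the lists above; a filter would normally score them rather than block on any single one, since urgent wording alone also appears in legitimate mail.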
Anti-Phishing Resources
Phishing Activity Trends Reports – The APWG Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies.
Phishing 101 – Phishing attacks use email or malicious websites to infect your machine with malware in order to collect personal and financial information.
Avoiding Social Engineering and Phishing Attacks – Do not give sensitive information to others unless you are sure that they are indeed who they claim to be and that they should have access to the information.
FTC Phishing – How to spot common phishing attacks, including an interactive quiz and a printable PDF poster.
Security Awareness: Episode 4 – Phishing and Ransomware – What is phishing, how to spot it and how to protect you and your employees from it.
Reference: https://www.cyber.gc.ca/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks