Phishing: Protect Yourself from a Social Engineering Attack

Phishing is one of the most common and well-known social engineering techniques. It's the process of sending emails (or texts, which is known as smishing) appearing to be from reputable sources in an attempt to get someone to reveal personal information.

These can take the form of emails seeming to come from coworkers, or impersonating reputable brands such as Google and Microsoft or government institutions such as the IRS. The idea is that you will see something familiar and won't look too closely.

Source: Phishing Examples | Phishing.org

What is phishing and how does it work

Phishing is a type of social engineering attack that seeks to collect personal information such as login credentials or credit card numbers by pretending to be a trustworthy entity. The attacker will typically send an email or message that appears to come from a reputable source, such as a financial institution or popular online service.

The message will often include a link that leads to a fake website that looks identical to the real thing. The user is then prompted to enter sensitive information, which is then collected by the attacker.

Phishing attacks can be difficult to detect, but there are several warning signs to look out for, such as suspicious links or email addresses, grammatical errors, and unexpected requests for personal information.

Source: The Most Common Examples Of A Phishing Email | uSecure

If you suspect that you may be the target of a phishing attack, do not respond to the message and immediately report it to your IT department or security team.

The most common types of phishing attacks

There are a few different types of phishing attacks, but the most common ones include:

• Spear phishing: This type of attack is targeted at a specific individual or organization. The attacker will often do research to collect personal information about the target before sending the email.
• Whaling: This type of attack targets high-profile individuals within an organization, such as executives or CEOs. The attacker will typically send a spear phishing email that appears to be from a trusted source, such as a government agency or well-known company.
• Clone phishing: This type of attack involves cloning an existing email that was previously sent by the target. The attacker will then replace any links in the email with their own malicious version.
• Phishing kits: This type of attack uses pre-made templates and scripts that can be easily customized. The attacker will often host the kit on a server and send out mass emails in an attempt to infect as many people as possible.

How to protect yourself from phishing attacks

There are several steps you can take to protect yourself from phishing attacks, including:

• Be aware of the signs of a phishing email. Suspicious links, grammatical errors, and unexpected requests for personal information are all red flags.
• Do not click on links or open attachments from unknown sources. If you're unsure about the sender, confirm their identity by independently contacting them.
• Keep your software and antivirus up to date. Outdated software can have security vulnerabilities that can be exploited by attackers.
• Be cautious of public Wi-Fi. Hackers can set up fake Wi-Fi networks in public places in order to collect login credentials and other sensitive information.
• Report any suspicious emails or messages to your IT department or security team. They will be able to determine if it's a real phishing attack and take appropriate action.

What to do if you fall for a phishing attack

If you think you may have responded to a phishing email or clicked on a malicious link, there are a few steps you should take:

• The very first thing you should do... TAKE ACTION! Do not be embarrassed or afraid to tell your IT department, they can't take action to help you if they are unaware of the issue. 
• Change your passwords immediately. If you used the same password for other accounts, be sure to change those as well.
• Run a virus scan on your computer. This will help identify any malware that may have been installed without your knowledge.
• Enable two-factor authentication (if available). This adds an extra layer of security to your account and makes it more difficult for attackers to gain access.
• Keep an eye on your credit report and financial statements. Watch for any unusual activity that could indicate fraud or identity theft.

How to report a phishing attack

If you receive a phishing email or text, do not respond to it! You should report it to your IT department or security team immediately.

You can also report phishing emails to the FTC at ftc.gov/complaint. And if you get a text message that looks like phishing, forward it to SPAM (7726).

When in doubt, throw it out! If you're unsure about an email or text, don't take any chances. Delete it and move on. After all, it's just a message.

By being aware of the signs of phishing and taking steps to protect yourself, you can help keep your personal information safe from criminals.

Resources on further reading and training

• Free On-Demand cybersecurity training for nonprofits
• Multi-Factor Authentication: Why it's critical
• How to make sure security is an ingrained part of your culture
• Types of Social Engineering Attacks

Wrap Up

Phishing is a well-known social engineering technique that uses emails (or texts) to try and get someone to reveal personal information. The goal of a phishing attack can be anything from getting you to open a malicious attachment, stealing your login credentials, to just plain stealing.

Source: Phishing Examples | Phishing.org

There are several steps you can take to protect yourself from phishing attacks, including keeping your software and antivirus up-to-date, being aware of the signs of a phishing email, and reporting any suspicious messages immediately.

If you think you may have responded to a phishing email or clicked on a malicious link, there are some things you should do immediately, such as changing your passwords and running a virus scan. It's important to remember that taking action is the best way to protect yourself from these types of attacks.

While phishing attacks are the most well-known type of social engineering attack, it's important to be aware of the other types of attacks that exist. By being informed and taking steps to protect yourself, you can help keep your personal information safe from criminals.

If you are interested in cybersecurity awareness training for your nonprofit organization, or would like to speak to our cybersecurity experts about your security, contact us here.