Phishing: Still a concern

used with permission from HP Technology at Work

Businesses often don’t realize how vulnerable their confidential data is until it’s exposed by a hack. By now, many are aware of external threats to data security and (hopefully) prepare accordingly, but breaches can still occur—despite taking the necessary security precautions. And with phishing, threats don’t need to sneak in the back door; sometimes they walk right through the front.

The ins and outs

Phishing is the act of posing as a familiar, trustworthy entity in electronic communications and using that familiarity and trust to get recipients to release confidential information, such as passwords and bank account numbers.

While it’s difficult to pinpoint the exact origin of phishing, variations of the tactic existed as far back as 1995, when a program allowed attackers to pose as AOL company representatives and steal AOL users’ credit card numbers [1]. A recent HP study found that nearly 70 percent of IT professionals experience weekly phishing attacks [2].

All it takes is one employee clicking on a nefarious email link, and your business is at risk. Just ask data security firm RSA, who fell victim to a major security breach in 2011. An employee opened an email thought to contain a spreadsheet of staff salaries, when in fact the email contained malware that gained access to, and exposed, some of the company’s confidential data [3].

The dos and don’ts

While it’s easy to advise that common sense is the best way to avoid phishing scams, that’s not always the case. Some of these emails are so clearly fraudulent it’s almost comical, but even the most cautious employees can be tricked by the authentic-looking scams. So, what are the things to look for when trying to identify a potential phishing email?

• Unusual sender address: Many times, the address will appear legit at first glance, but if you look closely you’ll often notice some slight discrepancies (for example, “name@h-p.com” instead of “name@hp.com”).
• Unusual URL: Similarly, if something seems off about the website URL they want you to click on, it probably is. Even if the link is disguised as a hyperlink, you can still hover over it before clicking to see the full address.
• Lacks personalization: If an email is telling you that your account has been compromised, or that you need to verify your password (all common phishing tactics), you would expect to see some personal information included (for example: name, account number, address). Since phishing attacks are sent out to millions of people, it’s rare that they actually contain this correct information.
• Misspellings: This is often the quickest way to identify a possible attack. The more misspellings, the more likely the email isn’t what it claims to be.
• Urgent action: “Please click this link/fill out this form immediately.” If it was really that urgent, someone would have called you.
• When in doubt: Don’t download any pictures. Don’t click on any attachments. Don’t click on any links. Don’t reply to the message. Don’t call any number listed on the email.
• The “What now?”: It happens. Maybe you weren’t paying attention. Maybe the email was so convincing you had no reason to doubt its authenticity. So you clicked on the link and… oops. If this happens, there isn’t much time to feel sorry for yourself.

The first thing you should do is change the password for the legitimate site you thought you were visiting. Doing this ensures that the hacker who now has access to your old password won’t be able to access your account. If you’ve shared personal information like a bank account number, contact that institution immediately and let them know. They’ll be able to monitor your account and alert you of any unusual activity. To help prevent this from happening again, many browsers have a “report unsafe website” feature, and Outlook’s “junk” feature can help identify future threats.

Even taking all of these steps is no guarantee that you won’t fall victim to a phishing scam. As threats evolve, so too should your methods of prevention. HP Security Research (HPSR) can help your business stay current on today’s threats by providing a broad, independent, and deeply technical view into the security landscape that is unparalleled in the industry. With strong cyber security, malware, and vulnerability research capabilities, HPSR is a proven and respected partner for organizations worldwide.

If companies as large as Target and Sony can fall victim to data attacks, so might your business. By keeping current on threat trends, and establishing a security protocol for your employees, you’ll already be one step ahead of phishing attacks.

[1] Phishing.org, History of Phishing
[2] HP Security Products blog, TippingPoint network security survey reveals top network security concerns
[3] Computer Weekly, RSA discloses phishing-attack data breach details