Don't take the bait: Recognize and avoid phishing attacks - ITSAP.00.101

• Spear phishing: A personalized attack that targets you specifically. The message may include personal details about you, such as your interests, recent online activities, or purchases.
• Whaling: A personalized attack that targets a big “phish” (e.g. CEO, executive). A scammer chooses these targets because of their level of authority and possible access to more sensitive information.
• SMiShing: A phishing attack using SMS (texts). A scammer may impersonate someone you know or pose as a service you use (e.g. Internet or mobile provider) to request or offer an update or payment.
• Quishing: A phishing attack using “quick response” (QR) codes which a scammer usually sends via email. The victim scans the QR code that re-directs them to a malicious website. Quishing can bypass your email security protection that scan for malicious links and attachments.
• Vishing: Vishing is short for "voice phishing," which involves defrauding people over the phone, enticing them to divulge sensitive information. A scammer can use a voice over internet protocol (VoIP) system which allows caller ID to be spoofed to trick you into believing they are legitimate.

Protect your information and infrastructure:

• Verify links before you click them. Hover over the link to see if the info (sender/website address) matches what you expect
• Avoid sending sensitive information over email or texts
• Back up information so that you have another copy
• Apply software updates and patches
• Filter spam emails (unsolicited junk emails sent in bulk)
• Block IP addresses, domain names, and file types that you know to be bad
• Call the sender to verify legitimacy (e.g. if you receive a call from your bank, hang up and call them)
• Use anti-phishing software that aligns with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy
• Reduce the amount of personal information you post online (e.g. phone numbers and extensions for employees)
• Establish protocols and procedures for your employees to internally verify suspicious communications. This should include an easy way for staff to report phishing attacks
• Update your organization’s incident response plan to include how to react if you’re hit with a phishing attack
• Use multi-factor authentication on all systems, especially on shared corporate media accounts

Training and awareness can make a difference:

Your organization’s users should know the importance of keeping their personal information and the organization’s information protected. Users who are not educated on the warning signs of social engineering attacks might reveal information or infect the network’s devices unknowingly. Having an informed workforce, with training on how to handle personal information (Privacy Awareness Training) and Cybersecurity Training, can reduce the risks of phishing attacks being successful. Also, implementing internal phishing simulations to enhance your employees understanding, allowing them to detect and avoid phishing attacks in a safe environment.

Something may be phishy if:

• you don’t recognize the sender’s name, email address, or phone number (e.g. very common for spear phishing)
• you notice a lot of spelling and grammar errors
• the sender requests your personal or confidential information, or asks you to log in via a provided link
• the sender makes an urgent request with a deadline
• the offer sounds too good to be true
• the caller’s voice has a robotic tone or unnatural rhythm to their speech
• the call is of poor audio quality