Learn How to Recognize a Well Crafted Phish

Phishing Awareness

Attackers reach you through your email inbox, and unless you pay close attention you can become a victim of their masquerade. What tactic are these attackers using? It is called phishing, and it targets your trust.

What is Phishing?

The term phishing describes how attackers send crafted emails to fool you into clicking malicious links or opening malicious attachments. Often, phish are sent in bulk with a generic salutation meant to appeal to a large audience. Sometimes an attacker puts in extra effort to appear legitimate and includes details specific to the target, which is appropriately called spear phishing.

Millions of phish are aimed at inboxes daily. Most organizations deploy technical controls against this type of attack; however, attackers keep pace with those controls and continuously employ evasive techniques, so some phish will reach you. You need to know how to handle them in order to protect your patients, your organization and your coworkers. Organizations often find that employees are not well versed in scrutinizing email messages, which puts information security at risk. In fact, CynergisTek has found that 41% of our phishing assessment emails are opened and that 73% click the link in the email.

[Figure: phishing awareness chart]

How Do I Identify These Types of Attacks?

The most important step in preventing phishing attacks is identifying them, which is not as difficult as it may seem. By following a few fundamental email practices, you can reliably spot phishing emails. The first item to examine is the most basic information an email client provides: the sender address. Keep in mind that the display name and the actual address are separate fields, and many mail clients show only the display name, so look at the address itself. A number of questions should accompany each message, such as:

If you can answer these questions satisfactorily, opening the message might be the next step. Opening a message, and especially loading the images it includes, should not be automatic: loading a remote image tells the sender that the message was opened and that your address is live, and rendered content can carry code that attacks the mail client itself.

[Figure: phishing-awareness-inbox]

After an email is opened, review it to understand its overall nature before clicking any link. Even if a link appears to come from someone you recognize, clicking it should not be an automatic response. Always read the message and verify its authenticity before you click any link. How can you determine the authenticity of a message? If the message looks even remotely suspicious, a number of clues within the content can help you screen it correctly. Ask yourself the following questions to find them:

[Figure: phishing-example]

[Figure: phish-example-body]

[Figure: link-shortener]
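As an added example that is not part of the original article, the following Python script pulls the clues discussed above out of a raw message: a Reply-To domain that differs from the From domain, a display name that impersonates an address at another domain, SPF/DKIM/DMARC results the receiving gateway recorded as failing, link text that shows one site while the href points to another, links that go through a URL shortener, and remotely loaded images that confirm the address is live. The sample message, the shortener list and all domain names are constructed for the example and are hypothetical.

```python
"""Pull common phishing indicators out of a raw email message."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of link-shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class _LinkImageParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []    # (visible text, href) pairs
        self.images = []   # http(s) image sources
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        elif tag == "img" and (attrs.get("src") or "").startswith(("http://", "https://")):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _addr_domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phish_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_domain = _addr_domain(from_hdr)
    reply_domain = _addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # A display name that itself looks like an address from another domain.
    display_name, _ = email.utils.parseaddr(from_hdr)
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name claims {m.group(1)} but the address is @{from_domain}")
    # The receiving gateway records SPF/DKIM/DMARC outcomes in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        r = re.search(rf"\b{mech}=(fail|softfail|none|permerror|temperror)\b", auth, re.I)
        if r:
            findings.append(f"{mech.upper()} result is '{r.group(1)}'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkImageParser()
        parser.feed(body.get_content())
        for text, href in parser.links:
            href_host = _host(href)
            # Visible text that is itself a URL should point where it says it does.
            text_host = _host(text) if text.startswith(("http://", "https://")) else ""
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host in SHORTENER_HOSTS:
                findings.append(f"link goes through shortener {href_host}; destination hidden")
        if parser.images:
            findings.append(f"{len(parser.images)} remote image(s); loading them confirms the address is live")
    return findings


# Constructed sample (not a real phish, hypothetical domains) that trips every check above.
SAMPLE = """\
From: "payroll@hospital.example" <notify@mail-hospital-example.net>
Reply-To: collect@attacker.example
To: nurse@hospital.example
Subject: Action required: confirm your direct deposit
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=mail-hospital-example.net; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your direct deposit was suspended. Log in within 24 hours:</p>
<a href="https://bit.ly/3xyzabc">https://portal.hospital.example/login</a>
<img src="https://attacker.example/t.gif?id=nurse" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(*phish_indicators(SAMPLE), sep="\n")
```

Save a suspicious message as a .eml file and pass its contents to phish_indicators() to get the same list; an empty list means none of these particular clues was present, not that the message is safe.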


What Should I Do If I Receive a Suspicious Message?

If you discover any indicator of phishing, immediately notify the appropriate staff within your organization. Under no circumstances forward a phish inline; forwarding strips the original headers that investigators need and puts a live malicious link in front of more people. If you are instructed to send it on, include the phish as an attachment only, so the original message and its headers stay intact. Delete the phish only after your report has been acknowledged and you are told to do so. If you have already clicked a link within a phish, you may still have a chance to avoid a costly mistake. Attackers can serve malicious code from a link, but more often they are after the information you submit after clicking it, such as the credentials you type into a login page.

Look closely at the landing page whenever an email link brings you to a website, and perform the following actions:

[Figure: url]
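As an added example, not from the original article, this Python function dissects a landing-page URL the way the reader is asked to: it checks the scheme, exposes the decoy trick of putting a trusted name before an @ sign (everything before @ is userinfo, not the host), flags bare IP addresses and punycode labels, spots a trusted name buried as a subdomain of an unrelated domain, catches digit-for-letter look-alikes such as h0spital, and notices another URL hidden in the query string. The trusted-host list and every URL are hypothetical.

```python
"""Dissect a landing-page URL and report why it may not be the site it appears to be."""
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Hypothetical allow-list of the organisation's real login hosts; replace with your own.
TRUSTED_HOSTS = {"portal.hospital.example", "mail.hospital.example"}

# Crude homoglyph folding so that h0spital / paypa1 / rnicrosoft compare equal to the real names.
_FOLD = str.maketrans("0135", "oles")


def _fold(name):
    return name.translate(_FOLD).replace("rn", "m").replace("vv", "w")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list used)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url):
    """Return reasons a landing-page URL deserves suspicion (empty list for a trusted host over https)."""
    findings = []
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")
    # Anything before '@' in the authority is userinfo, not the host; a classic decoy.
    if parts.username is not None:
        findings.append(f"'{parts.username}' before '@' is ignored; the real host is {host}")
    if _is_ip(host):
        findings.append("host is a bare IP address rather than a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label; non-Latin characters may mimic Latin ones")
    if host in TRUSTED_HOSTS:
        return findings
    reg = registered_domain(host)
    for treg in {registered_domain(t) for t in TRUSTED_HOSTS}:
        if treg == reg:
            continue
        if treg in host:
            # e.g. hospital.example.login-verify.net: the real name is only a subdomain label
            findings.append(f"trusted name '{treg}' appears inside unrelated domain '{reg}'")
        elif _fold(treg) == _fold(reg):
            findings.append(f"'{reg}' is a look-alike of '{treg}'")
    # A URL hidden in the query or fragment usually means a redirect chain.
    if re.search(r"https?://", unquote(parts.query + " " + parts.fragment)):
        findings.append("query or fragment embeds another URL (possible redirect)")
    findings.append(f"host '{host}' is not a known login host")
    return findings


if __name__ == "__main__":
    for u in ("https://portal.hospital.example/login",
              "http://portal.hospital.example@198.51.100.7/login",
              "https://hospital.example.login-verify.net/sso",
              "https://portal.h0spital.example/login"):
        print(u, "->", inspect_url(u) or ["matches a trusted host"])
```

The registrable-domain helper deliberately takes the last two labels only; for real deployments use a public-suffix list so that names like example.co.uk are handled correctly.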


Don’t Be the Victim of a Phishing Attack

If all of these tips are followed, the likelihood that you will fall victim to a phishing attack is significantly decreased, which in turn reduces the risk of account compromise, security incidents and other serious events. Remain vigilant when interacting with your inbox and you will protect patients, your organization and yourself from harm. You can test your organization’s phishing knowledge with one of CynergisTek’s customized phishing assessments and improve your organization’s awareness. The assessment is a training experience that can improve your organization’s security program. To find out more about how your organization can reduce the risk of a phishing attack, email info@cynergistek.com.

A white paper on phishing awareness is available for download, and you can test your phishing knowledge by playing our interactive game “Squish a Phish”.