Tips against targeted phishing attacks

Once again, the short definition of phishing: cybercriminals trick the victim into revealing something electronically (which really doesn't belong in someone else's hands). Even if, after intensive education, many users recognize obvious phishing attacks, this type of cybercrime still remains an annoying scourge. This is because phishing attacks have also evolved. Nowadays, targeted phishing, so-called spear phishing, is considered the criminal standard. Attackers put a lot of effort into each individual e-mail to make it look as genuine and credible as possible.

Sophos has highlighted effective tips for users and IT on how to deal with phishing emails.

Recommendations for action for each user

1. Do not be influenced: Even a stranger can effortlessly present himself as an "insider". A friend of a friend, a former colleague, etc. With a combination of collected information (from previous data theft, social media profiles and old emails, be it as recipient or sender), even a criminal without much financial backing and technical savvy manages to sound more credible than any "Dear Customer" email.

2. "Urgent" should make you suspicious: A large percentage of email scams work because criminals gain the victim's trust or they present themselves as an authority (e.g., superiors). The "urgent task to be done" is often combined with flattery. "Confidential" and "intended only for the addressee" further isolate the victim. Such confidentiality should be classified as suspicious.

3. Do not trust the details of the email transmitter: One might be under the mistaken impression that the scammers go out of their way not to encourage the victim to scrutinize them. But sometimes the opposite is true, in that they actively press for a callback or response - as part of the scam. But this gives them exactly the opportunity to convince the victim with their lies and falls into their trap.

4. Never follow the instructions in an email: A common ploy of phishing scammers lies in hiding malicious content. Macros, data-hijacking software, is one such example. The seemingly harmless email is prefaced with instructions on how to view it "correctly" by changing various settings. Usually, these instructions are quite plausible, but the scammers so skillfully lure the addressee that the very features that are supposed to protect him are undermined.

5. Get a second opinion: The four-eyes principle is not only useful for spelling and grammar, but also for evaluating ominous phishing emails. That's why scammers rely on the confidentiality effect to bypass this control.

Recommendations for action for IT

In addition to these first aid tips for every user, Sophos has also summarized three bonus tips for IT departments:

1. Establish a central point of contact for cyber security cases.

Many spear phishing attacks are successful because employees are desperate to do the right thing - very much in the spirit of helpful customer service. Initiating a fixed report location (e.g., an internal email address like security-report@example.org) gives employees an easy way to ask for security advice. And do it BEFORE, rather than after a suspicious email!

2. Cybersecurity should not be a one-way street.

Even the best-protected websites can be attacked, and if something conspicuous catches the eye of an employee, it should be taken seriously and not referred to IT sovereignty. It is better to take precautions than to take action.

3. Phishing simulations as a training camp

Training with phishing emails can support employees in the company. There are now explicit training tools that use phishing mock-ups without harmful consequences for practice. The important thing is to think of them as tools for improvement, not control. This is because fraudsters never tire of making new users victims of ever more sophisticated phishing attacks every day.

Source: Sophos / TC Communications