Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it's getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.
There are various phishing techniques used by attackers:
Embedding a link in an email that redirects your employee to an insecure website that requests sensitive information
Installing a Trojan via a malicious email attachment or ad, which will allow the intruder to exploit loopholes and obtain sensitive information
Spoofing the sender address in an email to appear as a reputable source and request sensitive information
Attempting to obtain company information over the phone by impersonating a known company vendor or IT department
Here are a few steps a company can take to protect itself against phishing:
Educate your employees and conduct training sessions with mock phishing scenarios.
Deploy a spam filter that detects viruses, blank senders, etc.
Keep all systems current with the latest security patches and updates.
Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
Develop a security policy that includes but isn't limited to password expiration and complexity.
Deploy a web filter to block malicious websites.
Encrypt all sensitive company information.
Convert HTML email into text only email messages or disable HTML email messages.
Require encryption for employees who are telecommuting.
What is Spoofing?
A simple definition of spoofing is that it’s when an attacker attempts to disguise their attack as something else—imitating or “spoofing” a piece of information to trick the target. Spoofing can be applied to all kinds of information and data. Examples of data that an attacker might spoof include:
Hypertext links (especially shortened URLs)
IP addresses (on data packets to trick rudimentary firewall inspection)
Domain Name System (DNS) identifiers
Basically, anything and everything that is used to authenticate the identity of a person or device could be spoofed by an attacker in an effort to trick their targets.
How Does Spoofing Work?
The level of sophistication involved in a spoofing attack varies depending on what’s being spoofed and the nature of the attack.
For example, a spoofing attempt can be as simple as creating a fake email address that’s just one letter or piece of punctuation off from someone else’s email to trick the recipient into thinking it’s from someone they know. On the other hand, it can involve complicated tools and tricks to rewrite information so that a computer firewall might recognize a data packet filled with malware as a safe file download.
In the case of the email example, the spoofing activity is part of a phishing attack—a type of social attack designed to trick people into taking an action based on what they believe to be a legitimate communication.
Spoofing can be broken down into many different forms. Here are some more detailed examples of spoofing and how you can be targeted:
Email Spoofing. When spoofing an email, the attacker's goal is to craft a scenario in the email's contents that makes the recipient more likely to interact with it. The spoofing aims to build trust, so that the recipient believes the message is coming from a known or legitimate source. Users are then more prone to click on links or download malicious file attachments. These emails typically ask the recipient to enter personal information such as ID numbers, login credentials, a physical address, or a credit card number. Additionally, users who interact with spoofed emails are more likely to grant the attacker a network foothold via droppers and persistence mechanisms living in memory.
Caller ID Spoofing. Many robot dialers and phone-based scams now use tools to disguise their phone numbers on caller ID systems. Using this equipment, scammers can make their out-of-state phone number look like it comes from a local area code, or from an organization that their target knows and trusts. This form of spoofing helps scammers get around caller ID-based blocking.
Website Spoofing. Some attackers build fake web pages or even entire fake websites that copy the look of a legitimate site. These fake sites are often full of download links for malware designed to compromise the unsuspecting victim’s computer/smartphone. Otherwise, these sites may try to trick people into surrendering sensitive information, such as credit card numbers, social security numbers, or user account information.
IP Spoofing/IP Address Spoofing. This is when an attacker disguises their IP address to mask their identity from firewalls. This helps to hide the origin point of an attack while allowing it to slip past IP-based firewall filters.
DNS Spoofing. Spoofing the domain name system allows attackers to redirect URLs and email addresses to different IP addresses. This can be used as part of a social attack carried out via email or other channels to redirect unsuspecting targets to a spoofed website.
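An added example, not from the original article, that turns the one-letter-off sender trick described above and the Email Spoofing entry into a check a mail filter could apply: it classifies a From: header as trusted, a lookalike of a trusted domain, a display name that borrows a trusted brand while the real address lies elsewhere, or unknown. TRUSTED_DOMAINS and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed list of domains this organisation treats as known, legitimate senders.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_token(domain):
    """'example-bank.com' -> 'examplebank': the brand part of a domain, normalised."""
    return domain.split(".")[0].replace("-", "")

def sender_risk(from_header):
    """Classify a From: header as trusted, lookalike, display-name-mismatch or unknown."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Display name borrows a trusted brand while the real address is somewhere else.
    plain_name = "".join(ch for ch in name.lower() if ch.isalnum())
    if any(brand_token(t) in plain_name for t in TRUSTED_DOMAINS):
        return "display-name-mismatch"
    # Domain is within two edits of a trusted one: a letter swapped, dropped or added.
    if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed From: headers exercising each case.
SAMPLE_HEADERS = [
    "IT Support <helpdesk@example.com>",
    "Payroll <payroll@exarnple.com>",
    "Example Bank Security <alerts@mail-delivery.net>",
    "Newsletter <news@shop.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{sender_risk(header):22} {header}")
```

The edit-distance threshold of two is a judgement call: it catches "rn" standing in for "m" and a dropped hyphen, but an organisation with very short domain names may need a stricter limit to avoid false positives.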
What is Spam?
Spam is another word for junk mail – those emails that you didn’t ask to get, and don’t want to get. You’ll have seen them when you log on – adverts for dubious medical products, dating sites, lotteries and the like.
The term is officially recognized in the Oxford Dictionary, which captures the ‘irrelevant’ and ‘unsolicited’ elements of spam, which often goes to large groups of recipients. Spam also comprises a range of categories such as phishing, advertising, malware spreading and so forth.
Phishing spam emails attempt to get personal information from users by pretending to be from legitimate and trusted sources such as banks. This information is then used for fraudulent purposes. Malware is software designed to damage your device – releasing viruses that corrupt it or steal private data. While ordinary spam emails are annoying but harmless, phishing emails are dangerous.
How Spam Can Be Avoided?
Firstly, check if it is actually spam. You may have signed up to a newsletter or website via a deal or competition, and not realized that you were agreeing to further contact as a result.
In this case, hit the unsubscribe link within the email and you should be removed from the mailing list. If you receive an email that looks entirely like junk, select the ‘junk’ button in your email provider and opt to have it deleted and reported as spam.
Then, follow these good practice tips going forwards:
Think twice before signing up to websites and read the terms and conditions on all web forms. Select or deselect marketing contact boxes as appropriate.
Use the unsubscribe link at the bottom of marketing emails to be removed from distribution lists.
Just delete your account from websites or services that you don’t use, or that you can’t remember signing up to in the first place. This site has plenty of information on how you can close down a range of accounts.
Never be tempted to reply to spam. This will confirm your email address to a spammer who has guessed at it. Instead, block the sender in your email account.
Never click any links in a suspicious-looking email, or you could find yourself being phished. Remember, financial institutions will never send you an email with a link to click. If you are unsure of the legitimacy of an email, go directly to the account or website to log in – don’t click into the body of the email.
Have an email address that you use only for signing up for services and websites.
Install security software and regularly update your passwords, making sure they are secure. Google provides information on how to make passwords as strong as possible.
See if your email provider offers any security software. Most commercial email systems will.
Hit the ‘spam’ button on any rogue email that you receive to divert it into the spam folder in your email account. You can keep an eye on it to check that nothing legitimate goes through. You can also use the ‘block’ option to get rid of it completely.
Use our dedicated spam filtering software to ensure you never ever see those unsolicited emails.