In light of Safer Internet Day, CBR picks the brains of security specialist Lee Weiner to help you, your friends, family and colleagues protect yourselves against phishing scams.
As you may already know, this is Safer Internet Day. Although the day itself tends to be aimed at educating the next generation of Internet users, it also represents a great opportunity to re-engage your end users about the importance of staying safe online.
If you are working in IT or security, you no doubt already know about security hygiene basics. But you could probably do with some help getting end users to take you seriously. So this week, in support of Safer Internet Day, CBR has teamed up with Lee Weiner – SVP of products and engineering at Rapid7, provider of security risk intelligence solutions – to bring you a series of useful guides that you can cut and paste into an email and send to users as a good reference for safe online behaviour.
User education is hugely important because increasingly the users are the ones that represent the greatest threat to your environment – clicking on links, sharing information, losing laptops, downloading shady apps and using cloud services without telling you. Essentially every user is now a point on your perimeter and every user is a potential target.
First up to go under the spotlight is phishing. It can be easy to assume that everyone knows about phishing and wouldn’t fall for an email claiming they’ve won £100,000 or click on a link from a sender they don’t know. But don’t be so sure. Reminding users again and again of the risks might help them become more judicious about which links they click.
So, here’s the lowdown on phishing:
What is phishing?
Phishing is basically someone using email to try to get you to do something or tell them something that enables them to compromise you in some way. As the name suggests, this typically works by dangling some kind of bait in front of you. One of the most famous examples of phishing is the Nigerian 419 scam, which lured people into giving their bank information with the promise of huge riches.
Other kinds of phishing emails try to convince you to open an attachment or click on a link. These can lead to your computer (or whatever device you read the email on) becoming infected with something nasty. Or it could lead to you unknowingly giving a criminal your security credentials for a site. For example, say you receive an email that appears to come from LinkedIn saying someone wants to connect with you. You click on the link and get what looks like the login page for LinkedIn, but it is actually a copy hosted on a site the attacker controls. Pop your password in, and the fake page records it and forwards you to the real page you expected to be sent to. Everything looks normal and you have no idea that you just gave your LinkedIn password to a criminal.
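The advice that follows from this example is to look at where a link really goes before clicking it, because the visible text and the destination need not agree. The script below is an added illustration of that check and is not part of the CBR article or anything from Rapid7. It takes the HTML body of a constructed "someone wants to connect" email, pulls out every link, and flags any whose destination host is outside the domain the reader expects (here assumed to be linkedin.com), including the common trick of burying the real domain inside a longer hostname, and any link whose visible text names one host while the href goes to another.

```python
"""Flag suspicious links in an HTML email body.

Added example; not code from the CBR article or from Rapid7. The
expected domain (linkedin.com) and the sample email are assumptions
constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking a "someone wants to connect" notification.
# Link 1: real domain used as a prefix of an attacker-owned host, with
#         visible text that shows the genuine site.
# Link 2: unrelated host.
# Link 3: genuine subdomain of the expected domain.
SAMPLE_EMAIL = """
<p>John Smith wants to connect with you on LinkedIn.</p>
<a href="https://www.linkedin.com.account-verify.example/login">https://www.linkedin.com/in/john-smith</a>
<a href="http://linkedin-mail.example/accept?u=123">Accept invitation</a>
<a href="https://www.linkedin.com/help">Unsubscribe</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of url, or None if it has no scheme and host."""
    return urlparse(url).hostname


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)


def check_links(html, expected_domain):
    """Return [(href, reasons)] for every link that should not be trusted."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if host is None:
            findings.append((href, "no parsable host"))
            continue
        reasons = []
        if not belongs_to(host, expected_domain):
            reasons.append(f"destination {host!r} is outside {expected_domain}")
            # "www.linkedin.com.attacker.example" contains the real domain but
            # is owned by whoever registered attacker.example.
            if expected_domain in host:
                reasons.append("lookalike: expected domain appears inside a longer host")
        # Visible text that is itself a URL must point where it claims to.
        text_host = host_of(text)
        if text_host and text_host != host:
            reasons.append(f"link text shows {text_host!r} but goes to {host!r}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in check_links(SAMPLE_EMAIL, "linkedin.com"):
        print(f"{href}\n    {why}")
```

Running it reports the first two links and stays silent on the third. The suffix match in belongs_to is deliberate: a plain substring test would accept "linkedin.com.account-verify.example" as genuine, which is exactly the mistake the lookalike relies on.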
Phishing that specifically targets you is called "spear phishing." This means the attacker uses information they have learned about you – for example from calling the switchboard or looking at your social networking profiles and interactions – and then creates an email specifically designed to look highly plausible to you. These emails can be very credible and hard to spot. Why would someone want to target you in this way? They might not be targeting you personally, but using you as a way to get a foot in the door of your corporate network. Or it could be that they’re ultimately after someone in your network. You never know how tempting a target you might represent to an attacker, so it’s important to be vigilant.