
Topic: Phishing
08 2018

StaySecure
Your monthly dose of cyber security

The human element always was and always will be the most vulnerable part of IT security. Attackers abuse this fact and focus the vast majority of their attacks directly on company employees.

What is phishing?

Phishing is a method of stealing personal information that focuses mainly on login credentials. Attackers send their victims fraudulent emails that seem legitimate at first glance but actually try to trick users into unintentionally leaking sensitive data. Examples are requests to change the password for a bank system or requests to log in to web pages where the users are registered. The data the users fill in is then sent to the attackers.

Example of a phishing email

From: PayPal<[email protected]>
Subject: Password change required

Hello,

we would like to notify you that we have noticed the high amount of failed logins to your PayPal account.

We appeal to you to change your password through the link below as soon as possible. In a case that you do not change the password to 24 hours, your account will be blocked due to precautionary purposes.

http://paypa1.com/login

Thank you.

What are the signs of phishing?

Urgency
• something needs to be done quickly

Threatening
• a fine if no action is taken

Unexpected request for
• password change
• login/registration
• confirmation of any activity
• sending particular information

URL/email address similar to the legitimate one
• e.g. goog1e.com vs. google.com – the number [1] instead of the letter [l]

Grammar mistakes
• not necessarily included

Shortened URL
• e.g. using bit.ly, goo.gl

Different sender name and real email address

How may I defend?

• Investigate the URL – spelling, no redirection, shortened URL
• Establish multi-factor authentication
• Do not provide any personal information if you are not sure
• Do not download and open attachments
• Use web browser extensions (e.g. Netcraft Toolbar, ScamBlocker) that detect phishing attacks

What should I do when I receive a phishing email?

• In case of a suspicious email, contact the sender (in a different way than responding to the received email, e.g. by phone) and ask them about the email's legitimacy
• Notify the IT security department – sending the email to anybody from IT is enough

Do you need any help?

If you are interested in this topic, don't hesitate to contact me. I will be more than glad to help you in all areas of Cyber Security.

Name Surname [name.surname [email protected]], Security Manager
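Three of the signs listed above (a look-alike URL, a shortened URL, and a sender name that differs from the real address) can be checked automatically. The Python below is an added example, not part of the original flyer; the TRUSTED list, the character-folding table and the sample sender address are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the sites users really log in to, and the
# shorteners to flag (bit.ly and goo.gl are the two the flyer names).
TRUSTED = {"paypal.com", "google.com"}
SHORTENERS = {"bit.ly", "goo.gl"}
# Fold characters that are swapped for each other, e.g. the digit 1 for l.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})
FOLDED_TRUSTED = {t.translate(FOLD) for t in TRUSTED}


def site_of(host):
    """Last two labels of a host name. Simplification: a production check
    would use the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url):
    """Return the signs of phishing from the flyer that this URL shows."""
    site = site_of(urlsplit(url).hostname or "")
    signs = []
    if site in SHORTENERS:
        signs.append("shortened URL")
    if site not in TRUSTED and site.translate(FOLD) in FOLDED_TRUSTED:
        signs.append("look-alike domain")
    return signs


def check_sender(from_header):
    """Flag a From: header whose display name claims a trusted brand while
    the real address is on another domain."""
    name, addr = parseaddr(from_header)
    site = site_of(addr.rpartition("@")[2])
    signs = []
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if brand in name.lower() and site != trusted:
            signs.append("sender name does not match address")
    if site not in TRUSTED and site.translate(FOLD) in FOLDED_TRUSTED:
        signs.append("look-alike domain")
    return signs


if __name__ == "__main__":
    # Constructed samples; only the URL is taken from the flyer's example.
    print(check_url("http://paypa1.com/login"))
    print(check_sender("PayPal <service@paypa1.com>"))
```

A clean result only means none of these three signs matched; the other signs on the list (urgency, threats, unexpected requests) still need a human reader.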