Cybersecurity Awareness Month: Recognizing Phishing Attacks

October brings to mind three things: busting out the fall wardrobe, Halloween and, last but not least, cybersecurity awareness. If you read that list and thought to yourself, “Cybersecurity awareness? Not me!” then congratulations, you are our target audience.

In conjunction with the U.S. Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance (NCA), SonicWall is participating in Cybersecurity Awareness Month this October to spread awareness about key issues in cybersecurity.

In our last blog, we mentioned that while password hygiene and multifactor authentication are both crucial, they can be easily foiled by a successful phishing attack. Today, we’re going to cover the basics of recognizing phishing attempts and what to do if you spot one.

Phishing Frenzy

Phishing attacks are not a new phenomenon. They’ve been a favorite attack vectors of cybercriminals across the board for many years now. But every time cybersecurity tools get better at spotting them, they get better at hiding. That’s why knowing how to recognize phishing is more important than ever.

How to Spot a Phishing Attack

Hackers or scammers will often use emails or text messages to try and steal your login credentials, account numbers or even Social Security numbers. Once they have the information they want in hand, they can perform a multitude of nefarious deeds, such as accessing your email account or stealing money from your bank account. They may even be using you to access an organization you’re a part of, such as your workplace.

These cybercriminals are constantly updating their tactics to keep up with the latest news and trends, but they often exhibit some common characteristics that you can spot to avoid being their next victim.

These include the types of email or message phishers like to use. They’ll often be posing as your bank or a credit card company. It could be an email that looks like it’s from a coworker or your boss.

Oftentimes, these messages will say something like:

  • There’s been some suspicious activity with your account, and they need you to log in to verify.
  • You’ve missed an important payment or deadline and direct you to a link to rectify the situation.
  • You need to confirm some sort of personal information, like your Social Security number.
  • You must download an attachment or document, or login to your work email.

While some phishing emails have definite “tells,” the messages can also look quite convincing. They may look similar to emails you’ve received from real organizations in the past, even going so far as to use the official logo of the company in the header or a clone of it.

Some telltale signs of a phishing email include:

  • The message uses a generic greeting such as “Hello user” or “Hi dear.”
  • The message asks you to click on a link to update your payment details.

While real companies will sometimes communicate through email or text message, they will never email or text you asking for important financial or personal information.

What to Do When You Spot A Phishing Attack

If you receive a suspicious email or message that matches some of the criteria above, always leave the email or message and go to the company’s website directly to contact someone. (The links and numbers in phishing messages will always direct you back to the phisher themselves.)

By going to the company’s official website or calling their official phone number, you can ensure that you’re speaking with someone at the actual company and not a cybercriminal.

If you receive a suspicious email at work, you should report it to IT so they can be aware someone may be trying to infiltrate the company. If you received it in your personal email, you can forward the email to the Anti-Phishing Working Group at Suspected phishing via text message can be forwarded to SPAM (7726).

Protecting Yourself from Phishing

While phishing attempts can be scary, there are a number of tools and strategies that can help protect you and your organization. You can:

Taking just a few steps towards protecting your important information and accounts could be the difference in staying protected or becoming a victim of phishing.

Further Learning

While we’ve covered the basics, the more you learn about phishing, the better protected you’ll be. You can watch our School of Phish webinar series on-demand and learn about the different ways our cybersecurity experts handle real-world phishing incidents.

If you feel like you’re prepared to spot some phishing attacks, you can test your mettle against our phishing quiz, which will gauge your ability to identify phishing emails.

National Cybersecurity Awareness Month: Turn On Your MFA

In “Star Trek: The Next Generation,” Jean-Luc Picard famously said, “It is possible to commit no mistakes and still lose.” This applies to many things, including passwords: Even if you follow all the established best practices for password hygiene, your credentials can still be compromised if your network is breached, if an organization you deal with is breached, or through social engineering.

But despite Picard’s reassurances, where your network is concerned, this is a weakness. The market for stolen credentials is huge and growing, and it’s estimated that almost half of breaches in 2022 began with stolen credentials. Fortunately, this weakness is one that can be largely mitigated through the implementation of multifactor authentication (MFA).

What is Multifactor Authentication?

Multifactor authentication creates a higher threshold for identity verification. The name comes from the fact that users are required to provide multiple pieces of evidence, or “factors,” that they are who they say they are before being given access to an account.

These factors can be sorted into three categories, from least secure to most secure:

  • Something you know: A password, passcode or PIN
  • Something you have: An email, a confirmation text on your phone or an alert from your authentication app
  • Something you are: A facial recognition scan, retina scan, fingerprint or other biometric marker

While multifactor authentication asks for at least two of these, standard authentication only asks for first-category verification, generally a username and password. But these are by far the easiest for threat actors to steal, purchase or brute-force. By requiring another layer of security more specific to the user, multifactor authentication can stop the overwhelming majority of attacks.

Despite its effectiveness, however, a recent survey found that over half of small- to medium-sized businesses haven’t implemented multifactor authentication for their business. Worse, only 28% of SMBs require MFA to be set up.

Are You Ready to Take the Next Step?

Multifactor authentication is a valuable tool in helping keep your accounts — and your network — safe. But how effectively it does this depends on how well it’s implemented. While CISA and others have released more in-depth guidance for moving to MFA, there are some best practices that can help ensure your MFA journey is as smooth as possible.

  1. Make MFA a must for your entire organization. Mandating MFA to protect top executives, R&D or finance alone won’t do much good if someone in marketing, customer service or HR falls for a phish.
  2. Choose an authenticator app over receiving codes via text where possible. SIM-jacking is uncommon, but it does happen. Plus, this will cover you in cases where your cellular signal is weak or nonexistent.
  3. Be flexible about the implementation method. Allowing verification via authentication app, email or SMS messaging, based on whatever is most convenient to the end user, will help encourage uptake. While some authentication methods are safer than others, any MFA is better than no MFA.
  4. Check the web services you log into frequently. A growing list of services, such as Gmail, Facebook and others, offer MFA as an option.
  5. Many of the popular password managers also include MFA (in case you needed yet another reason to start using a password manager.)
  6. Set up passwords/passcodes on your laptop and mobile devices (if you haven’t already). Multifactor authentication can help prevent the vast majority of breaches, but you shouldn’t depend on it as a guarantee: Unless you’ve set up a biometric factor, it can’t do much if someone gains possession of your devices, particularly if your browser or operating system stores your usernames and passwords.

It’s important to note, however, that while multifactor authentication can go a long way toward ensuring your accounts (and your network) remain safe, it does share a few weaknesses with standard authentication methods. One of these is phishing: In next week’s blog, we’ll build upon our recent School of Phish Master Class to offer valuable tips on how to avoid falling for a phishing attempt.