This month is the 18th Annual National Cybersecurity Awareness Month in the United States, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance. This year’s theme is again “Do Your Part. #BeCyberSmart.” Being Cyber Smart includes awareness of current threats like business email compromise (BEC), ransomware, supply chain compromise, and phishing. This Alert addresses phishing, which is CISA’s focus topic for this week, “Phight the Phish!”
Phishing uses fraudulent (spoofed) emails for criminal purposes, like installing malware, stealing money, and obtaining information such as login credentials, bank account information, personal information, and confidential business information.
The number of phishing attacks has increased during the COVID pandemic and remains high. The Anti-Phishing Working Group (APWG) has reported, “After doubling in 2020, the amount of phishing has remained at a steady but high level. APWG saw 222,127 attacks in June 2021, which was the third-worst month in APWG’s reporting history.”
Phishing is a frequent and dangerous threat. CISA has reported that over 90% of successful cyber attacks start with a phishing email. Given this high risk, prevention of phishing and response to phishing should be included in comprehensive cybersecurity programs for businesses and organizations of all sizes. Particularly important is training to promote constant security awareness by all users of technology. One important message from CISA is “Think before you click.”
The following are Email Security Tips from Clark Hill’s ASSET360 group to help to protect against phishing:
- Be alert for telltale signs:
- Poor wording, typos, fuzzy/incorrect logos, generic body message
- Unexpected/strange timing/oddly constructed
- Instills urgency, greed, curiosity
- Look for suspicious From addresses or Subject lines
- Hover over URL hyperlinks to view the real web address
- Never click links or open attachments
- Use multi-factor authentication (MFA)
- Ask: “Would this person be sending this request?”
- Verify requests (e.g. wire fraud and change of payment instructions) verbally from a known contact at a known number (not in the email)
CISA has published a Phishing & Spoofing Tip Sheet for this week’s topic.