
What Every Business Should Know About Phishing (Part 2)

by Jason Blalock on October 11, 2018

Welcome back to our series on phishing! As discussed before, phishing is one of the most dangerous forms of cyber-attack a business can face because it targets humans rather than machines. After all, even the best security measures can be undone by a single human error.

In the first article, we went over the basics of phishing, and discussed the three most commonly-seen types of phishing attacks.  Here, we'll continue cataloging types of phishing along with a few suggestions on how to avoid them.


Know Your Phishing Attempts! (Part 2)

1 - Whaling

Whaling - as you can probably guess - is simply phishing that's targeting a very high profile target.  The basic techniques are the same as in any other kind of phishing, but attackers will often go to great lengths trying to gain the trust of their target.  This is when phishing can most resemble "The Sting" style high-stakes confidence jobs.

Preventing whaling mostly means impressing upon executives and board members that they are targets for attack and need to be aware of how their position attracts criminal activity. Everyone needs to be wary.

2 - Clone Phishing

This one is a bit specialized, but it can be devastating when the attacker pulls it off. Basically, the attacker gains access to another employee's email (much as in CEO impersonation), but rather than sending false requests, they send a cloned copy of a previous email that had an attachment, except that they substitute a malicious attachment carrying a virus or other payload. It's just another way to make trojan-style email attacks seem legitimate.

These can be tough to detect, so it's important employees remain aware.  Why would someone send a duplicate of a previous message?  That should ring a warning bell.  Follow up with the supposed sender and find out if it's legitimate before opening the attachment.
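One way to turn the "why would someone resend this?" warning bell into an automated check is to compare each incoming message against messages the mailbox has already received from the same sender and flag the ones whose text is a duplicate but whose attachment has changed. This is an added example, not code from the original post; the mail store and the messages it contains are constructed sample data.

```python
import hashlib
import re

# Constructed sample store of messages already delivered to the mailbox.
# Each record is (sender, subject, body, attachment bytes).
SEEN_MAIL = [
    ("alice@example.com", "Q3 invoice",
     "Hi, invoice attached as discussed. Thanks, Alice",
     b"%PDF-1.4 original invoice content"),
]

def _normalize(text: str) -> str:
    """Collapse whitespace and case, and drop reply/forward prefixes,
    so small edits to the resent copy do not defeat the comparison."""
    text = re.sub(r"^\s*(re|fw|fwd)\s*:\s*", "", text, flags=re.I)
    return re.sub(r"\s+", " ", text).strip().lower()

def _digest(data: bytes) -> str:
    """SHA-256 of the attachment; a changed payload changes the digest."""
    return hashlib.sha256(data).hexdigest()

def is_clone_suspect(sender, subject, body, attachment, seen=SEEN_MAIL):
    """True when a message repeats the subject and body of an earlier message
    from the same sender but carries a different attachment: the clone
    phishing pattern. A genuine re-send of the same file is not flagged."""
    for s_sender, s_subject, s_body, s_att in seen:
        if s_sender.lower() != sender.lower():
            continue
        same_text = (_normalize(s_subject) == _normalize(subject)
                     and _normalize(s_body) == _normalize(body))
        if same_text and _digest(s_att) != _digest(attachment):
            return True
    return False
```

A flagged message should be held for the recipient to confirm with the sender out of band, exactly as the text above advises.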

3 - Cloud Phishing

The rise in the use of public cloud storage services, such as Dropbox or Google Docs, has created an opportunity for attackers to try to leverage them. Attackers create fake websites designed to mimic the logon screen for these popular storage services, then target users with messages inviting them to log in. While these attacks are rare, they can be extremely convincing if they're used in conjunction with a hijacked email account.

Fortunately, they still can't perfectly mimic the URL of the site they're imitating, so always look closely at the web address before logging in.
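"Look closely at the web address" can be made concrete: the check below extracts the real hostname from a login link and compares it against the services the organisation actually uses, flagging the usual tricks (a brand name embedded in an unrelated domain, a `user@host` prefix that hides the real host, digit-for-letter swaps, and non-ASCII characters). This is an added example, not code from the original post; the allowlist and brand words are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts the organisation really logs in to.
TRUSTED_HOSTS = {"dropbox.com", "google.com"}
BRAND_WORDS = {"dropbox", "google"}
# Digit-for-letter swaps commonly seen in lookalike domain names.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def url_hostname(url):
    """Hostname only: drops scheme, any user@ prefix, port and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")

def host_is_trusted(host):
    """True for an allowlisted domain or any subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def check_login_url(url):
    """Return (verdict, hostname, reasons); verdict is 'trusted' or 'suspicious'."""
    host = url_hostname(url)
    if host_is_trusted(host):
        return ("trusted", host, [])
    reasons = []
    # Authority part of the URL, i.e. everything between '://' and the first '/'.
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in authority:
        reasons.append("userinfo before hostname")
    for brand in BRAND_WORDS:
        if brand in host.translate(LEET):
            reasons.append(f"looks like '{brand}' but host is not trusted")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters in hostname")
    if not reasons:
        reasons.append("host not in allowlist")
    return ("suspicious", host, reasons)
```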

4 - Vishing (Voice Phishing)

Amazon, Apple, and Microsoft are the most spoofed brands

Finally, don't forget that phishing can happen over the phone as well. There are numerous techniques attackers might use to try to trick people into verbally giving up important information over the phone. The most common ones impersonate financial institutions, usually trying to get a target's PIN. Tech-support scams are also common, with attackers impersonating Microsoft or Apple employees.

Generally speaking, any situation where you receive a call telling you to call another number should be viewed with great suspicion. Legitimate businesses almost never do this. Likewise, demand credentials or other proof if you're cold-called by someone claiming to work at a financial institution or tech support center.

Coming Soon: Increasing Employee Awareness Of Social Engineering

In the third part to this series, we'll be taking a step back to look at employee training: how to recognize phishing and other "social engineering" attacks, and what sort of procedures you should have in place to deal with them.


See you then! In the meantime, if you want more advice on shoring up your security or want to try out your defenses with a simulated penetration test, just contact Hummingbird.

Topics: Sophos, Network Security, Networking