2.8.1 Phishing

Phishing is the act of sending emails to users to trick them into giving sensitive information that can be used to gain access to accounts, applications, servers, systems, or networks. The sensitive information could be passwords, security codes, social security numbers, bank account or credit card numbers, mother’s maiden names, etc.

A common phishing attack is to scare the user into thinking that their account with a legitimate company, bank, or credit card will be closed if they do not act on the email. There is a link within the email that directs the user to a website that looks similar to that of a legitimate company. The user is asked to enter personal information to verify their account details or update a credit card number, expiration date, or security code that the legitimate company would already have.

Employees should be made aware that they could become victims of phishing attacks by attackers hoping to gain passwords or information about the company by sending false emails supposedly from people within the company. If they are ever in doubt, they should never click on any links or reply to emails that request such information. Instead they should contact a person or the department directly using a phone number or email address that they already know.

Spy-phishing is sending a phishing message with spyware. Users are asked to click on a link or open an attachment. The spyware is then downloaded and spies on the user trying to locate sensitive information that can be sent back to the attacker. As with phishing messages, employees must be taught to never click on anything in these messages and delete them. Anti-spyware should be installed on their machines just in case they accidentally act on these messages.

Anti-phishing tools monitor application traffic for attempts at harvesting private information through seemingly trusted authorities. Without anti-phishing technology, users are vulnerable to misleading identity-theft campaigns disguised in e-mail addresses and Web domains.