Trust No One.
When it comes to phishing, the malicious actors are hard at work thinking of new ideas to trick users.
When reading an email from an unknown or even a known source it pays to be skeptical.
- Don’t open unknown attachments they could contain anything; you just don’t know.
- Don’t click links contained within an email as they can lead to a falsified page made to imitate the intended site, once your credentials are entered, the bad guys win.
- Don’t Replay to the sender as this at a minimum informs the sender that there is someone at the receiving address of the email.
Phishing has advanced over the years, the old tricks to identify a phishing attempt can’t be relied upon. Those annual phishing refresher courses your company offer can be boring but do contain useful information.
One example of phishing advancements is the use of Cyrillic characters, the roman letters are what the majority English speakers use. Cyrillic characters are often used to mimic roman letters which look similar enough but can lead to completely different but usually malicious paths instead of the intended website. Multiple examples exist of URLs utilizing different language keyboards to trick users to enter their login credentials to a false front page. See the graph from Bleeping Computer below.
All users should follow a few basic guidelines to decrease your chances of being phished.
- Avoid clicking links in email for all email messages. For known users within a work environment certain exception can be made by clicking links within an email. Overall if you can normalize the behavior of avoiding to click links contained within an email and instead type the URL in the address bar yourself it will further reduce the likely hood you would make a mistake on a phishing email.
- Standardize using an Email Headers in front of the Subject line for your team or organization. This email header will be unknown to outsiders and help fellow employees identify a legitimate email. This is an example of the Email Subject line: [Team Name] Update on the Team Project
- Enable Two Factor Authentication on EVERYTHING! Good Password practices along with enabling multi-factor authentication will go a long way to protect you and your organization.
- Use different passwords for each website, if you use the same password for every website, and a hacker obtains your email/password combo they will test it on every possible site. I highly recommend password managers, which provide the advantage of generating a highly secure randomized password for each website.