Avoiding the Bait – The Importance of Recognizing Phishing Attacks
With cyberattacks on the rise, it’s important for businesses to know how to identify and guard against them
By Craig Freiday, IT Security Analyst, Acera Insurance (formerly Rogers Insurance)
Phishing is a term that everyone hears these days – especially as cybercrimes become increasingly common. In 2021 there were 623 million ransomware attacks, double the amount from the year before.
So, what is phishing and why is being able to recognize it so important in a personal and commercial setting?
Phishing is a type of cyberattack that uses email, phone and text to coax individuals into sharing sensitive information such as credit card numbers, passwords and confidential details about an organization. It’s the technique with the biggest probability for compromising information technology security, sitting at about a 50 per cent chance of success.
The remaining 50 per cent is broken down into techniques that include (but are not limited to):
- scanning and compromising the target system based on the versions (age) of software and services that are in place, and;
- deciphering any weak passwords/credentials that are required for access
According to IBM’s years Cost of a Data Breach Report the global average cost of a data breach hit a record $5.5 million Canadian between March 2021 to March 2022.
Phishing preys on the fact that not everyone has extensive experience in information technology and cyber hygiene. People work best when they have a certain level of autonomy, but we do occasionally make mistakes. A good phishing email is designed to look as legitimate as possible which can make them hard to detect. Every time you click a link or download an attachment, you are enabling whatever lies behind it to walk through your door.
Because it can be easy to make the mistake of letting something through like a piece of malware, businesses with strong cyber security practices will also have defences inside their network because they know it’s not “if we get breached” but “when we get breached.”
How to identify a phishing email
The best defence to protect yourself from phishing is to learn how to spot a phishing message – which can be difficult with some of the top impersonated brands being companies like Microsoft and Facebook. If you receive an email or message that you suspect is a phishing message, it could include the following:
- An urgent call to action or threat that claims you must click a link, open an attachment or call someone immediately. By creating a false sense of urgency, the cybercriminal is hoping that you won’t think before responding.
- A sender you don’t know or a message that you weren’t expecting. If someone is emailing you that you don’t recognize, make sure to examine the email extra carefully before you proceed – especially if there is a call to action within the email. If it’s an email from someone you know, but the request seems out of the blue, follow up with them directly and in-person.
- Obvious spelling and grammatical errors that are out of character for the sender.
- Inconsistent email addresses, links and domain names that don’t match the organization that the sender says they’re from. You can double check this by hovering your curser over the sender’s email and links to see what they actually say – remember not to click on anything!
- Requests for sensitive information such as your credit card or banking information, passwords, tax information or anything else that could be used to steal your identity or gain access to your computer or phone.
It’s important to train your staff regularly on cyber protection. Routinely educating employees on cybersecurity best practices sets them up for success in both their professional and personal lives by giving them the tools to think critically and identify potential risks.
The importance of password length
A weak or stolen password is a hacker’s ideal weapon to use in personal and professional settings. A common phishing attempt is to have a user input their credentials into a fake website which will record your password for later use. This phishing email attempt may seem familiar: “You have (some number of) unread emails that could not be received. Click the link and sign in with your email and password to receive them.”
Password cracking is a guessing game, and the advantage for hackers is that some of their computer hardware can play the game at half a million guesses every second, even with a relatively basic setup. If you have a weak password – this can make the guessing game relatively easily.
Passwords that meet certain lengths, usually at least 12 characters, are essentially uncrackable. This makes receiving them through a simple phishing email a much better option that potentially spending hours, days, or even months trying to guess.
Computer hardware technology is improving every day, but currently, if a password reaches approximately 12 or 13 characters in length and has at least uppercase mixed with lowercase characters, it can take years to crack it.
In addition to password lengths, another security step is multifactor authentication. This is a commonly used technique that creates a multistep process to prove the user’s identity. Depending on the system in place, multifactor authentication will typically ask for your username and password and then provide a code through an authenticator app on your phone. With passwords becoming increasingly unreliable, multifactor authentication is a huge help in ensuring the safety of our online environments.
Practicing good cyber hygiene
Cyber hygiene is a set of practices that organizations and individuals enact to maintain and improve the security of users, devices, networks and data online. Some key best practices include:
- Backing up data on a regular basis to a secondary source such as a hard drive or cloud storage. This ensures that your data is protected in the event of a breach.
- Updating software and hardware to maintain performance.
- Regular password changes for passwords that are at least 12 characters in length and include upper and lowercase letters, as well as numbers or symbols.
- Limiting users with admin-level access to key programs.
- Implementing cyber security training and protocols so that employees know what to do in the event of a breach.
Typically, these defenses will help scan and protect to help prevent mistakes that result in a breach. However, best line of defence against cyberattacks is a user that is educated about how to spot them.
In addition to practicing good cyber hygiene, don’t forget to invest in cyber liability insurance that can protect you in the event your data or network infrastructure is compromised. Contact one of our experienced brokers to review your cyber security needs and policy coverage or get a quote today.
Learn more about cyber liability insurance and how to get a policy.
Craig Freiday is an IT Security Analyst with Acera Insurance (formerly Rogers Insurance). Craig specializes in cybersecurity and has been in the field for over three years. He spent two years in SAIT’s Information System Security program and has been a part of our team since graduating.