Phishing is a serious threat to organizations, and training employees to recognize it can help. As we approach the upcoming holiday season, it is important to keep our guard up for phishing attempts. The combination of federal holidays, the ongoing COVID-19 pandemic, and individuals’ vacations around holidays such as Thanksgiving and Christmas creates opportunities for malicious phishing attempts.
What is phishing?
Phishing is a type of social engineering attack. It can arrive by email, phone call, or text message. This type of attack tries to get individuals to give up personal information (such as credit card numbers or passwords) or to download malicious software.
Increased Vulnerability Around Holidays
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA 2020), attackers may try to take advantage of times when we have our guard down, especially during:
- Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
According to a report by Zscaler (2019), phishing attempts increased more than 400 percent in the first 13 days of November compared with the beginning of October. Much of this increase comes from phishing attacks targeting online shoppers. For example, attackers may send “special offers” that lead the recipient to click a link and download malicious software, or may send messages that pose as a legitimate request in order to compromise a personal account and obtain credentials. But phishing goes beyond online shopping schemes and also targets vulnerabilities in businesses.
For example, a supervisor may be out of the office on holiday and try to contact an employee or access a shared drive from an unknown device. A consultant may contact you right before a holiday with an invoice when no one is in the office to approve it for payment. These scenarios show how holidays can disrupt the normal communication flows in an office, and an attacker can exploit that disruption by imitating exactly these requests. Such scenarios are common, as we all work remotely in some way and navigate different challenges to stay in contact with colleagues and keep the workflow moving.
What can we do to prevent phishing attacks?
Information technology staff and network administrators at your organization will generally use security measures (such as email filtering and quarantine) to make it more difficult for a phishing attempt to reach you. However, attackers can still get through, and it is then up to each employee to recognize the attempt, report it, and avoid giving out personal information.
It’s not as simple as telling individuals not to “click” on a website or open an email. Attackers are sophisticated and can create emails or messages that look just like those from the legitimate source.
Appropriate anti-phishing training can help.
CITI Program’s Information Security course includes a new module on phishing entitled Anti-phishing: Strategies to Identify and Combat Phishing. This module defines phishing and raises awareness of phishing scams. It discusses why phishing is a leading cause of cybercrime. It uses examples and cases to help individuals recognize phishing attempts. Further, the module identifies ways to respond to a phishing attempt.