Phishing is a type of computer attack that amounts to an attempt at identity theft. The attacker disguises the action as a seemingly legitimate request, such as an email from a bank or a Skype message from a friend. The goal is to obtain the victims' personal data, such as passwords and login names, in order to steal their digital assets. Phishing usually operates coarsely, relying on volume rather than quality. Some recurring features of these attacks can therefore serve as warning signs:
Spear phishing is a derived form aimed at a particular person. This technique requires more resources, because the attacker must craft the message so that it is directly addressed to the victim, which requires gathering information beforehand. Spear phishing is used in particular for industrial espionage or for attacks targeting very wealthy people or those holding highly sensitive information. Another variant, considered lower tech, is called SMiShing. The malicious intent is the same, but the vector used is the mobile phone or smartphone.
As with the theft of identity papers, the problem with phishing is being able to detect where the impersonation stops. Once attackers have obtained your personal information, it is very easy for them to present themselves under your digital identity to different service providers. In addition, the steps needed to prove your true identity and regain control of these accounts are long and tedious. It is therefore necessary to change your passwords regularly and not to use the same password for different services.
In order to prevent threats from phishing campaigns, both the right tools and the right practices must be adopted. Among the most accessible tools are the anti-phishing filters and proxies made available by search engines. These are found in the browser settings (Google Chrome, Mozilla Firefox, …) and do not require any special technical skills. To supplement these filters, other initiatives allow users to report phishing attempts and thus keep the databases used by web browsers up to date. In Luxembourg, the phishing initiative has collected more than 35 000 URLs deemed dangerous since the beginning of the year. The free tool Web Of Trust also works through the contributions of its community of users and makes it possible to obtain, or to assign, a trust rating for the websites visited. However, technical means are not an end in themselves, and Internet users must first and foremost adopt a more cautious attitude towards the messages they receive. Employees must be given the time to acquire, develop and practise good reflexes against online scams. This may seem like a lot of time, but it must always be weighed against the possible losses from a successful attack and the disastrous consequences for the image of the organization or company. These behaviours can be initiated through training or awareness campaigns, such as this article. CASES offers training for all types of professional audiences to raise awareness of these issues. Sources of information such as phishing.fr can also give CISOs, and all employees, access to relevant information that is easy to understand.
“Phishing is primarily aimed at humans and exploits our various weaknesses. In addition to the technical tools mentioned above, here are some tips to prevent information leakage through phishing: