Phishing (noun, ˈfiSHiNG): a form of social engineering attack in which scammers send a fraudulent message asking targets to click on a link or download a malicious file, in order to trick them into disclosing sensitive data or installing malware on their systems
You’ve probably encountered the term phishing in your company’s cybersecurity awareness training modules, but what you know about it may simply not be enough. Phishing scams take different forms and identifying them may be trickier than you think.
Phishing attacks have become increasingly rampant and costly for businesses, which is why it pays to sharpen your organization’s knowledge about phishing. According to one study, “85% of organizations have been hit by a phishing attack at least once.” Another study reveals that, on average, phishing attacks cost companies in the United States $14.8 million a year.
The cost of becoming a victim of a phishing scam is clearly astronomical. This quiz can help you find out if you are prepared to fend off phishing attacks.
How prepared are you for phishing attacks?
1. What type of attack involves phishers using employment details, affiliations, and other personal information to impersonate a target’s coworkers, friends, or business contacts, making it more likely for the victim to provide sensitive information?
- Angler phishing
- Spear phishing
- None of the above
2. You receive an email from your bank saying you won $10,000 in cash. You are asked to click on a link where you are required to provide your name, account number, and password to claim the prize, which will be transferred to your account. Do you...
- Report the email as spam
- Delete the email
- Tell your coworkers and IT team about the email
- All of the above
3. All of the following statements about the different types of phishing are true except one:
- Wire transfer phishing is an attempt to manipulate a target into making a fraudulent wire transfer to the attacker.
- Whaling is a kind of spear phishing attack in which an entity poses as the company CEO to target another employee within the same company.
- Smishing involves sending text messages containing fraudulent messages to target victims.
- Angler phishing is identity fraud in which attackers impersonate legitimate businesses’ support accounts to fool social media users.
4. Business email compromise (BEC) is a form of social engineering attack that utilizes a spoofed business email, which contains a malicious file, a phishing URL, or an urgent wire transfer request. If you suspect that you’ve encountered a BEC scam, which of the following should you closely inspect to verify if the sender is legitimate?
- Sender’s email address
- Sender’s closing salutation
- Date and time the email was sent
- None of the above
5. Which of the following should you do to avoid becoming a victim of a spear-phishing attack?
- Click on links in emails from unknown senders because they might be from someone important.
- Share a minimum amount of personal information on your online social network and professional profiles.
- Use the same passwords for all your company’s online accounts so you can easily log in to all of them.
- Download and install security software updates one month after they become available to avoid getting software update bugs.
Question 1: B. Spear phishing
Spear phishing is a targeted and personalized attack in which attackers first gather information from their targets’ social networking profiles and other online accounts. They then use this information to send convincing fraudulent messages that trick targets into giving out sensitive information like passwords, PINs, or account numbers.
Question 2: D. All of the above
If you receive an email from a purportedly legitimate entity saying something too good to be true, it probably is.
It’s best to report such email as spam, delete it, and inform the people in your team who may receive the same message.
Question 3: B. Whaling is a kind of spear phishing attack in which an entity poses as the company CEO to target another employee at the company.
Whaling is a form of phishing attack that targets company executives. A phishing attack in which a scammer poses as the CEO of a company or any high-profile executive in a company to trick an employee at the same company is called CEO fraud.
A holistic approach that includes raising awareness, implementing cybersecurity best practices, and deploying inbound email security software is effective against both types of scams.
Question 4: A. Sender’s email address
Checking the sender’s closing salutation or the date and time the email was sent won’t reliably expose a BEC attempt, but checking the sender’s actual email address will. Look past the display name, which the attacker controls completely, at the address itself, and in particular at the domain after the @ sign.
A BEC email typically uses a lookalike or subtly misspelled domain that is easy to miss at a glance. So if you receive an email from John Smith at Chase Bank telling you to urgently make a funds transfer, watch out. If the address is firstname.lastname@example.org when the real one is email@example.com, it’s likely a fraudster. Also compare the Reply-To address with the From address, since attackers often route replies to a mailbox they control. One caveat: if the company’s domain is not protected by DMARC enforcement, an attacker can forge the exact legitimate address, so an address that looks perfect is not proof on its own. For any urgent payment request, confirm it through a separate, known-good channel such as a phone number you already have.
Question 5: B. Share a minimum amount of personal information on your online social network and professional profiles.
The more personal information you share online, the easier it is for attackers to craft a convincing message aimed at you. Post as little information as you can, or set your online profiles to private, so that you are not exposing your own or your company’s data to cyber scammers.
If you got 4–5 answers correct, it means you are sufficiently prepared for phishing attacks. If you got less than that, we’re afraid you simply must do better. Fortunately, HERO Managed Services LLC can help you strengthen your organization’s cyber defenses. Get in touch with our team today for a FREE IT consultation.