We’ve all been warned about cyber security phishing, and many of us have received emails sent by cyber criminals that link back to phony branded websites requesting personal data. We’ve been told to be wary of suspicious “from” addresses, spelling errors and unfamiliar URLs, and subsequently we’ve become significantly savvier — and more concerned — about protecting our private information from cyber security threats.
Not surprisingly, as Web users and technological phishing detection tools become more sophisticated, cyber security threats are evolving right alongside. Instead of casting a wide net and blasting thousands of emails out hoping to catch a few unsuspecting phish, spear phishers leverage the power of targeting.
Spear phishing takes trolling to the next level — it’s about hooking unsuspecting victims by improving the quality and relevancy of the communication. Based on the premise that a victim is more likely to open and interact with an email that they expect to receive from what they believe is a trusted source, spear phishing relies on identifying pools of people with something in common — where they work, where they bank, where they go to school, where they shop regularly. The pool may be smaller, but the hook rate is higher and the fraud is harder to detect.
While an informed Web user that banks at Wells Fargo might be suspicious of an email received from Bank of America requesting “account verification” data, that same user might trust an email that they believe came from their employer, their alma mater or their favorite online retailer. Why? Because it flows into the inbox along with other legitimate emails from the same sender. There’s no obvious reason to be suspicious of the cyber security risks.
The bait will swirl around in a sea of perceived urgency — “there’s a problem with your order,” or “please update your information to ensure you receive an invite to our special event.” It won’t seem out of the ordinary, and that’s precisely why phish bite.
Don’t get phished. No legitimate entity will ever request personal information via email. And if there’s a published phone number in the email, don’t call it. It’s phony, too. If the email contains a link to a URL, don’t click and follow it. Instead, manually enter the URL and see where you land. The FBI suggests using cyber security software, like a phishing filter — consider it. Whatever you do, don’t get hooked. It’s a huge hassle, and who needs that?
Watch Ryan Ward, Chief Innovation Officer at Avatier, describe how to return identity and access management to the business user with Avatier’s Identity Access Management software.
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.