InfoSec Newsletter Q3 2018 - The Phishing Menace


Scene 1 (0s)

[Audio] Phishing Email Awareness NEWSLETTER

FROM THE EDITOR: As part of a new awareness campaign, we will be sending you quarterly newsletters to engage the organization about information security best practices that you can apply at work and in your personal life.

"Congratulations! You've won an iPhone. Please click here to claim your prize."

WHAT IS PHISHING?

Phishing is an e-mail fraud method in which the fraudster sends out a legitimate-looking email in an attempt to gather information from users or install malicious software on their device. Fraudsters work hard to make these messages convincing by manipulating emotional triggers such as urgency or curiosity, and by adding known logos or forging the email sender so the message appears more legitimate.

HOW IT WORKS?

Phishing attacks work by fooling victims into clicking on a malicious link or opening a malicious attachment (e.g. a malicious Word, Excel, PDF or PowerPoint file) that may redirect them to a fake website or infect the user's computer with malicious software intended to steal sensitive information such as financial details or passwords.

WHAT TO DO IF YOU SPOT A SUSPICIOUS EMAIL?

If in doubt, please forward any suspicious email you receive to Corporate Information Security at [email protected]. Do not click on any links, open any attachments or reply to the mail. If proven to be malicious, the source will be added to the blacklisted sender list.

Scene 2 (1m 43s)

[Audio] HOW TO SPOT A PHISHING EMAIL?

Below is a sample phishing email that appears to come from a fraud security team, deceiving the user into believing that unusual activities were detected on his or her bank account. The user is manipulated into taking action by clicking on the malicious link or downloading the malicious attachment. The boxes on the right show phishing indicators you need to watch out for.

In December 2015, hackers took control of Ukrainian power distribution control centers and temporarily disrupted the electric supply to consumers for over 6 hours in the middle of winter. A subsequent investigation revealed that Russian government-backed hackers had gained access in June 2015 after a staff member opened an attachment in a phishing email. The hackers then mapped the network for 6 months before initiating the attack. This highlights the real risk from phishing, particularly for government-related entities, which are high-value targets.

Don't open ATTACHMENTS or LINKS in any unsolicited email or in email from UNKNOWN senders. Report any suspicious activity. If you suspect your financial account was compromised, immediately touch base with your bank. If you suspect your work account or computer was compromised, please immediately contact [email protected].

Note that we may conduct phishing simulation attacks to assess our level of resiliency against this type of attack.