Nobody wants to believe they can become a victim of a phishing attack. After all, you’re smarter than that, right? The truth is that even smart people fall for them, and phishing attacks are on the rise as a result. However, the tactics they use have changed in the last year or so.
When phishing was first on the rise—just a year or so ago—the attackers were very specific in the email address the used when spoofing. They thought that the email address it was from had to match the intended person they are spoofing exactly.
But the email providers adjusted to those tactics. In fact, the default setting with providers like Google Apps is to block emails like those. The providers know that they’re coming from an untrusted server and therefore block the email or mark it as spam.
Then the attackers changed their tactics. They set up an email account on Yahoo, but made sure to still get the first name and last name correct. They asked for sensitive information like a bank transfer form or something like that.
Those types of email don’t always go to spam. If you don’t have the right kind of security in place, you could accidentally reply, provide the information that they asked for, not knowing that it wasn’t your coworker at all.
The success rate of the attacks went way up once they switched to that tactic!
While some organizations can’t or won’t do this for other reasons, one thing you can do is take your list of employees off your website. The first thing these attackers do is look for who they should impersonate.
So if you have your employee list on your website with first name, last name, and title, the attackers have a full blown roadmap of who they should impersonate! So if you don’t have that on your website, it’s more secure.
If your email is hosted through Office 365, they have a solution called ATP—Advanced Threat Protection. You can enable that service and then specify the users that are most likely to be impersonated, and it will protect your team against phishing emails that impersonate those individuals.