Why phishing still works (and what to do about it) – Campus Tech



Protecting against this age-old cybercrime tactic requires a combination of technology and intelligence. Learn how to help users spot a phishing threat and what to do if an attack penetrates your defenses.

Last fall, Howard University made headlines as a victim of a ransomware attack that forced the cancellation of online and face-to-face classes, among other operational issues. And the Washington, DC institution isn’t the only university hit by cybercriminals. Colleges and universities, with their vast stores of sensitive and personal information belonging to students, faculty and staff, are prime targets for attacks.

One of the most common ransomware attack vectors is phishing. This tactic has been around for decades (the term “phishing” dates back to 1995) and has been used by a wide range of adversaries, from script kiddies to the most sophisticated nation-state actors. What makes phishing such a concern for cybersecurity professionals is not the tactic itself (described below) but the damage it can do, especially at universities. One of the most effective ways to protect against this threat is to teach people how to spot a phishing attempt and why they need to report it to the right people. In the following article, I describe the phishing threat and outline best practices for dealing with this stubborn problem.

What is phishing?

Let’s start with an explanation of this staple of adversary tradecraft. Phishing is a social engineering technique that uses email to deceive unsuspecting people into clicking web links or opening attachments that appear legitimate but are designed either to compromise the recipient’s computer or to trick the recipient into revealing credentials or other confidential information. Adversaries, whether an individual criminal or a nation-state, craft such messages so that they appear legitimate. A phishing email can appear to come from your bank, your employer, or your boss, or it can impersonate a government agency in order to extract information from you.
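As an added example (not part of the original article), here is a small Python checker that a mail-security team could run over an incoming message body to surface two of the link tricks the paragraph above describes: an anchor whose visible text advertises one site while its href points to another, and a host that merely borrows a trusted name while sitting under a different domain. The sample HTML, the trusted-domain list and every domain in it are constructed for this example.

```python
"""Flag the link tricks phishing emails rely on.

Added example: scans an HTML email body for (1) anchors whose visible text
shows one host while the href points to another, and (2) hrefs whose host
contains a trusted brand name but is not actually under that trusted domain.
All domains and the sample message below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains the organization legitimately sends mail about.
TRUSTED_DOMAINS = {"university.edu", "examplebank.com"}

# A domain-looking token inside visible link text, e.g. "www.university.edu/login".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample message: one deceptive link, one genuine link, one lookalike.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is over quota. Sign in within 24 hours:</p>
<a href="http://www.university.edu.login-verify.example/reset">https://www.university.edu/login</a>
<p>Or visit the <a href="https://www.university.edu/portal">student portal</a>.</p>
<p>Banking reminder: <a href="http://examp1ebank.com/verify"><b>www.examplebank.com</b></a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Naive registrable domain: last two labels (fine for .com/.edu here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_links(html):
    """Return a list of suspicious links with the reasons each was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if href.startswith("mailto:"):
            continue
        href_host = host_of(href)
        reasons = []

        # (1) Visible text names a host that differs from where the link goes.
        match = DOMAIN_RE.search(text)
        if match and match.group(1).lower() != href_host:
            reasons.append("display text host differs from href host")

        # (2) Host borrows a trusted brand label but sits under another domain.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in href_host and registrable_domain(href_host) != trusted:
                reasons.append("lookalike of " + trusted)

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running the script flags the quota-reset link on both counts and the bank link on the text/href mismatch alone, while the genuine portal link passes. The lookalike check is deliberately simple (substring match plus a two-label registrable domain), so a character-swapped domain such as the sample's "examp1ebank" is caught only because its display text disagrees with the href; a production gateway would add a public-suffix-aware domain split and an edit-distance or homoglyph comparison against the trusted list.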

Whether the attacker is an individual criminal or a nation-state shapes the motivation behind the phishing attempt. Motivations are diverse; for example, with a phishing email an attacker might try to:

  • steal account credentials to siphon funds from you or your university;
  • steal your school account credentials to access your personal files; or
  • deploy malicious software that gives them access to your school or home computer or to the university network, in order to steal personal records or intellectual property.

Regardless of the motivation, phishing gives adversaries a low-risk attack method with high potential for financial gain. That is why the phishing threat keeps us CISOs on our toes: adversaries keep using the tactic because it works. People are often busy and distracted, and tend to click links without thinking when they’re quickly checking their email between classes, meetings, or other activities. The data backs this up: organizations see an average 10% click-through rate, which means a high likelihood that users will click a malicious link and reveal information or hand their account credentials to a phisher.

A typical phishing attack involves sending out mass emails in hopes of tricking someone into clicking malicious links. The intent could be to deploy ransomware, steal existing account credentials, obtain enough information to open a new fraudulent account, or simply compromise an endpoint. Because everyone has an email address and the tactic gives the attacker so many options, phishing is a numbers game in a target-rich environment where relatively few need to be tricked for the attacker to benefit.
