A Near Attack
A few weeks into a new role, Jane received an interesting email supposedly from her “colleague” Stacy. Stacy welcomed Jane to the team and asked for some time in her day. There was, of course, a smart attempt to cover any tracks: a clause stating that Stacy was about to enter a meeting and was only available to communicate via email.
As Jane pondered the content of the email, other red flags became apparent. Although she did in fact have a co-worker called Stacy, the email was sent from a sketchy address and lacked the signature that normally appears on emails coming from the office.
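The red flags Jane noticed (a real colleague's name on an external address, no standard signature, and a request for email-only contact) can be checked mechanically on inbound mail. The following is an added example, not code from the original article; the organization domain, the colleague directory, the signature marker and the sample message are all constructed for illustration.

```python
# Added example (not from the original article): flag inbound mail whose display
# name matches a real colleague but whose address is outside the organization,
# the pattern Jane spotted. Directory, domain and sample message are constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-clinic.test"                 # assumed organization domain
KNOWN_COLLEAGUES = {"stacy jones", "stacy"}        # assumed directory entries (lower-case)
SIGNATURE_MARKER = "Example Clinic | Confidential"  # assumed standard footer

# Constructed sample message resembling the one Jane received.
SAMPLE_EMAIL = """\
From: Stacy <stacy.jones.work@free-mail.test>
To: jane@example-clinic.test
Subject: Welcome to the team

Hi Jane, welcome aboard! I am heading into a meeting and can only reach
you by email today. Do you have some time for me this afternoon?
"""


def assess_email(raw: str) -> dict:
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []
    # A known colleague's name paired with an external address is the core
    # lookalike pattern; legitimate internal mail comes from ORG_DOMAIN.
    if display_name.strip().lower() in KNOWN_COLLEAGUES and domain != ORG_DOMAIN:
        flags.append("colleague display name from external domain")
    if SIGNATURE_MARKER not in body:
        flags.append("standard signature missing")
    # "Only reachable by email" removes the easy out-of-band verification step.
    lowered = body.lower()
    if "only" in lowered and "email" in lowered:
        flags.append("requests email-only contact")
    return {"from": address, "domain": domain, "flags": flags,
            "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    print(assess_email(SAMPLE_EMAIL))
```

The two-flag threshold is an assumption; in practice the external-domain match alone is usually enough to route the message to a reviewer.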
With each passing day, scammers develop ingenious ways to attack unsuspecting victims. Publicly accessible information from organizations’ websites and internet activity is unfortunately used as a springboard for malicious attacks. The Canadian Centre for Cyber Security outlines different ways by which phishing could occur. These include:
- Spear phishing: A personalized attack which may contain specific details about a victim (as happened with Jane).
- Whaling: A personalized attack that targets a big “phish” such as the Chief Executive Officer because of their possible access to sensitive information.
- SMiShing: An attack using SMS (texts) where a scammer impersonates someone known by the victim or poses as the provider of a service the victim uses.
- Quishing: An attack involving Quick Response (QR) codes that redirect victims to malicious websites when scanned.
- Vishing: “Voice phishing”, which defrauds people through voice calls that appear legitimate, enticing them to divulge sensitive information.
Phishing attacks typically result in identity theft, fraud, and the transmission of computer viruses. There have also been ransomware incidents where files have been encrypted, organizational data stolen and significant ransom payments demanded. In the case of Jane, she deleted the email and never responded to the sender’s request. This protected her account from being compromised and the entire organization from a potential security breach.
The onus is on organizations and individuals to protect personal information and personal health information (where applicable). Employees are generally advised, in the case of suspicious phone calls, not to divulge any personal or sensitive organizational information and to end the call immediately. They are also cautioned not to open any suspected phishing emails, but if they do, they should:
- Not click any links or download any attachments in the email.
- Not respond to the sender.
- Swiftly report in accordance with their organization’s standard operational practices.
- Delete immediately!
In the unfortunate event that a person falls victim to an attack, immediate steps to be taken include scanning devices for viruses and other malware, changing affected passwords, enabling multi-factor authentication across their devices and informing co-workers to contain the breach and prevent future attacks. Privacy awareness training and cybersecurity training are a good starting point in the fight against phishing attacks.