Recently there have been stories about high level government officials having their Gmail credentials phished, LinkedIn accounts being targeted by phishers, and the usual daily background noise of phishermen going to work each day.
In this article a source is quoted as follows:
An example described by Ms. Parkour appeared to originate from the State Department and contained a link to a document named “Draft US-China Joint Statement.”
In fact, when clicked, the link summoned a facsimile of the Gmail login page.
The bogus page asked targets to enter their password, granting the attackers full access to their email account. Google said the attackers then changed settings so that all incoming messages would be forwarded to them.
The LinkedIn phishes look pretty realistic and most security experts probably wouldn’t notice the phony, but I can teach a novice to avoid those tricks, and if you are an IT professional you can teach your users as well. The Gmail and LinkedIn phishing attacks, as well as almost all such attacks, can be prevented by following two rules so simple that even a computer neophyte can understand them.
1) Only a thief or an idiot will ask you for your password (or PIN). If you get an email that says that your email account will be disabled unless you provide information that includes your password, then it came from a thief. You don’t want to give your password to a thief. In other situations, it may be an idiot asking for your password, and you don’t want to give it to an idiot because they might give it to a thief.
I know, there are times that an IT professional has legitimate reasons for asking a user for their password, and that is when you have to be very careful about teaching why the exception makes sense. In most cases, the request for the password should involve a face-to-face meeting where the user knows the IT professional. Telephone phishing for passwords is an ancient art; don’t teach users to repeat old mistakes. If you need to ask a user for their password, be sure to remind them to change their password as soon as you no longer have the need. Remind the user that for security it really is best to assume it is a thief or an idiot if their password is requested.
2) Never log into a website from a link in an email. Always type in the URL to the site and log in that way. Got a LinkedIn request? You choose, victim or victor. If you clicked on the links in the email you probably would have fallen for the LinkedIn phishing attacks. If you log into LinkedIn by navigating there yourself, you will not be a victim. Got a new comment on your Facebook wall? Click on the link and you takes yer chances. Log into Facebook from https://www.facebook.com and you can read all about it there.
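The reason rule 2 works is that the text a user sees in an email and the place the link actually goes are two different things, and only the second one matters. The script below, an added example that is not part of the original article, shows an IT staff member how to pull the links out of an HTML email body and flag the ones a user should never follow: a link whose visible text is a URL on one host but whose real destination is another host, or a link whose destination is outside the domain the email claims to come from. The email body and the hostname login.example.net are constructed sample data, not taken from any real phish.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one honest LinkedIn link, one link whose
# visible text claims to be LinkedIn but really points at another host,
# and one link with plain text that goes to LinkedIn. Hostnames are
# placeholders, not real phishing infrastructure.
SAMPLE_EMAIL = """
<p>You have a new connection request.</p>
<a href="https://www.linkedin.com/in/someone">https://www.linkedin.com/in/someone</a>
<a href="http://login.example.net/linkedin/">https://www.linkedin.com/in/someone</a>
<a href="https://www.linkedin.com/messages">View your messages</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open anchor is the link's visible label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an absolute URL, or None if it has none."""
    hostname = urlparse(url).hostname
    return hostname.lower() if hostname else None


def find_deceptive_links(html, expected_domain="linkedin.com"):
    """Return (href, visible text, reason) for each link a user should not follow.

    Two checks, neither of which a person can do from the rendered email:
    1. the visible text is itself a URL, but its host differs from the href host;
    2. the href host is not expected_domain or a subdomain of it.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if text.startswith(("http://", "https://")) else None
        if text_host and text_host != href_host:
            findings.append((href, text,
                             f"visible text shows {text_host} but link goes to {href_host}"))
        elif href_host is None or not (
            href_host == expected_domain or href_host.endswith("." + expected_domain)
        ):
            findings.append((href, text, f"link host {href_host} is not {expected_domain}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK: {href!r} (shown as {text!r}): {reason}")
```

Run against the sample, only the second link is reported. Point out to users that the browser status bar and the mail client's hover tooltip show the same destination the script reads from the href; the habit you want is to ignore the link altogether and type the site's address by hand, which is exactly rule 2.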
Two simple rules will outperform 20 hours of phish identification training in protection effectiveness. Now, teach your users these rules and then go phish them to see who needs follow-up education.