Expanded Definition: Phishing

What is phishing?

With so many cybersecurity tools available today, humans are often the weakest point in an organization’s cybersecurity posture. We’re curious creatures, and it’s often tempting to open that mysterious email, click that link, or download that attachment. Each of those temptations is exactly what phishing exploits.

Phishing Definition

If you’re looking for a phishing definition, it’s straightforward: Phishing is a form of social engineering where threat actors try to trick users into an action that compromises their account, device, or network. They do this by posing as a trusted source. Like the name implies, these threat actors are fishing for someone who will share details that can be exploited for financial gain—and they often catch a bite. 

Oftentimes, phishing takes the form of emails that:

  • Appear to come from an important organization, such as a service or software provider
  • Look like they come from a trusted colleague or employee

These emails may ask the user to do something, including:

  • Sending sensitive information over email
  • Wiring money or sending payment somewhere
  • Clicking a link to reset a password 
  • Providing personal information or other credentials
  • Downloading a file (which can contain ransomware or other malware)

Phishing poses a significant risk to organizations of all sizes. From large enterprises to small and mid-sized businesses (SMBs), any individual, company, or industry can fall prey to a phishing attempt.

The MSP role in stopping phishing

Even with great training, firewalls, antivirus software, and email filtering, phishing presents an ongoing concern for organizations of all sizes. Social engineering attacks such as phishing and its cousin smishing (phishing via SMS / text messages) continue to be common forms of attack because they are effective. 

MSPs can help clients defend against phishing in several ways.

1. Provide tools to catch bad emails and prevent damage

One of the best ways to prevent an end user from engaging with a phishing email is to prevent them from ever receiving it in the first place. Strong spam and email filtering tools can help block many phishing emails.

In the event that a phishing email breaks through and a cybersecurity incident occurs, MSPs can help organizations by catching the problem quickly (see point number three below) and addressing the problem with strong anti-malware software. By moving quickly, MSPs can reduce the impact of possible malware, such as viruses or ransomware.

2. Offer cybersecurity training to clients 

When bad emails do slip through filters, ideally the end user will know better than to respond, share information, or download an attachment. The only way they can learn that, however, is with training.

Even with cybersecurity breaches regularly in the headlines, you’d be surprised how many end users still ask: “What is phishing, anyway?” MSPs can help their clients prevent risky behaviors by offering cybersecurity training to employees.

For example, a cybersecurity training session could include:

  • A phishing definition, information on phishing emails, and what to look for
  • How to securely manage passwords and other account information
  • Caution in web browsing and email usage, especially on mobile devices 
  • Best practices for keeping their physical laptops, desktops, or mobile devices secure

A little education can go a long way when it comes to phishing. With the right awareness, end users may think twice before emailing a password, sharing a sensitive document, entering credentials into an online form, or downloading a potentially dangerous file.

3. Monitor every endpoint, all the time 

Phishing is a widespread phenomenon, so it’s possible for an incident to occur even with great cybersecurity tools and training. That’s why an around-the-clock, robust endpoint management program is crucial to protecting clients from not only phishing attempts, but from a range of other cybersecurity threats as well.

MSPs should use a remote monitoring and management (RMM) tool to keep an eye on every endpoint, all the time. With ongoing visibility into clients’ systems, MSPs can keep an eye out for any unusual activity, reset passwords as needed, and investigate unauthorized programs or suspicious activity.

FAQs

Phishing is a type of social engineering attack where hackers use some type of “bait” to lure end-users into opening malicious emails, clicking infected links, or downloading infected attachments. These attacks play on the curious, vulnerable human nature of non-IT employees. Often, phishing emails come from fake accounts posing as trusted sources. If end-users aren’t trained on these types of emails, they can be very easy to fall for.

Phishing attacks can come in any number of formats, so it can be hard to tell if a particular email is threatening. Here are 5 signs to train your clients to look for to help their team spot malicious emails:

  1. Spelling errors – Hackers misspell certain words intentionally to dodge email spam filters
  2. Unusual requests – An email posing as a company may ask users to provide personal information, redeem gift cards on its behalf, etc., in order to extract personal information or money
  3. Asking for personal information – Be wary of fake invoices or emails. Some may look like they come from government organizations to trick users into giving out their contact info. Legitimate companies won’t ask for sensitive information via email.
  4. Strange email addresses – Legitimate companies send from their own domain. For example, if a user receives an email from Costco Wholesale but the email address is “…@cbcbuilding.com”, it should raise a red flag.
  5. Unusual email content – If the subject of an email seems strange or irrelevant, it may be a sign of a phishing scam. Avoid clicking links or giving information in any email that asks you to send money to sick family members, invest in a new startup, or offers amazing returns on a can’t-miss investment.
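As an added example (not part of the original page), a small Python triage script that automates three of the signs above: the sender-domain mismatch of sign 4, and the gift-card, money and investment requests of signs 2 and 5. The brand-to-domain allowlist, the phrase list and the sample message are constructed for illustration; `example.invalid` stands in for the lookalike domain.

```python
"""Heuristic triage of suspicious emails, covering signs 2, 4 and 5 above:
unusual requests, sender-domain mismatch and unusual content."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains each brand is known to send from.
KNOWN_SENDER_DOMAINS = {
    "costco": {"costco.com"},
}
# Constructed phrases matching the requests the page warns about.
SUSPICIOUS_PHRASES = (
    "gift card", "wire transfer", "send money", "invest", "verify your account",
)

def sender_domain_mismatch(from_header):
    """Return the brand named in the display name when the address domain
    is not one that brand sends from (sign 4); otherwise None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in KNOWN_SENDER_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def triage(raw_email):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    brand = sender_domain_mismatch(msg.get("From", ""))
    if brand:
        flags.append(f"display name claims '{brand}' but address domain differs")
    # Signs 2 and 5: look for the money/gift-card/investment asks in subject and body.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            flags.append(f"suspicious phrase: '{phrase}'")
    return flags

# Constructed sample message; example.invalid is a placeholder domain.
SAMPLE = """\
From: Costco Wholesale <rewards@example.invalid>
To: employee@example.com
Subject: Urgent: claim your reward

Please buy a gift card and send us the codes to claim your reward.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```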

A phishing email is an email used as “bait” to trick end-users into giving away sensitive data. These emails could request personal information or login information, or prompt a user to download a malicious file or click a malicious link.

Phishing emails are handled by the Federal Trade Commission. If anyone on your team or your clients’ teams receives a malicious email, it can be reported by forwarding the email in question to reportphishing@apwg.org.