Phishing and You


I once asked a very experienced member of the National Security Agency if we could "trust" the AES-256 ciphers. These ciphers are often referred to as "military grade" and are generally well respected for keeping data safely encrypted. He said, "Yes. Trust AES-256. Because it is far easier to corrupt the human who has access to the key to decode the data, than to crack the encrypted data with a supercomputer." It had never occurred to me to attack the human part of the equation - I always thought you attack it with computer muscle.
 
The astonished reaction on my face made him chuckle.
 
Phishing, a common form of social engineering attack, is one in which an attacker uses human interaction with you to obtain or compromise information about you, your company, or your computing systems. Sometimes the goal is specific information about you that can then be used for identity theft, or to otherwise compromise your digital life.
 
Phishing attacks often use email or links to fake websites to obtain personal information by posing as a trustworthy organization. An attacker may send email that looks like it's from a reputable credit card company or financial institution and requests account information, often suggesting that there is a problem with your account! When users respond with the requested information, attackers can use it to gain access to the accounts. Maybe you've seen this kind of thing attempted. But how do you tell what's bogus?
 
The US government's Cybersecurity and Infrastructure Security Agency (CISA) offers these tips for spotting a phishing email:

  • Suspicious sender’s address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
  • Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email.
  • Spoofed hyperlinks and websites. If you hover your cursor over a link in the body of the email and the destination your mail client shows does not match the link's text, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
  • Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
  • Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
 
Now, how can you combat something like this?
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. Try to verify who's contacting you.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you know who you are talking to.
  • Never reveal personal or financial information in email, and do not respond to email solicitations for this information. DON'T click on links sent in email.
  • Don't send sensitive information over the internet before checking a website's security. Make sure you see a closed padlock icon in the browser's UI. Use only URLs that have "https://" (notice the S there).
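The indicators in CISA's first list can be checked mechanically, which is roughly what a mail filter does before you ever see the message. The Python script below is an added example, not code from the original post or from CISA: it parses a constructed sample message and reports which of the indicators it exhibits. The trusted-domain set, the shortener list, the greeting phrases and the sample email are all assumptions made for the example.

```python
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed for this example: domains you really deal with, and well-known URL shorteners.
TRUSTED_DOMAINS = {"examplebank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/ma'am")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)  # fine for the sample below

def host(text):
    # Lower-cased host of a URL, or the domain part of an e-mail address, without a leading "www."
    text = text.strip().lower().rstrip(">")
    if "@" in text and "://" not in text:
        return text.rsplit("@", 1)[1]
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").removeprefix("www.")

def phishing_indicators(raw):
    """Return the CISA indicators from the list above that a raw message exhibits."""
    msg = email.message_from_string(raw, policy=policy.default)
    found, sender = [], host(msg.get("From", ""))
    # Sender domain is a near miss of one we trust (a swapped or dropped character).
    if sender not in TRUSTED_DOMAINS and any(
            difflib.SequenceMatcher(None, sender, t).ratio() > 0.8 for t in TRUSTED_DOMAINS):
        found.append("look-alike sender domain: " + sender)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    # Link text that disagrees with the real destination, or a shortener hiding it.
    for href, shown in ANCHOR.findall(text):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if host(href) in SHORTENERS:
            found.append("URL shortener hides destination: " + href)
        elif "." in shown and " " not in shown and host(shown) != host(href):
            found.append(f"link text {shown} points to {host(href)}")
    if any(part.get_filename() for part in msg.walk()):
        found.append("unsolicited attachment")
    return found

# Constructed sample message (not a real phishing e-mail) showing several indicators at once.
SAMPLE = """From: ExampleBank Support <alerts@examp1ebank.com>
Subject: Problem with your account
Content-Type: text/html

<p>Dear Valued Customer,</p><p>Please <a href="http://examplebank-verify.net/login">www.examplebank.com/login</a>
or use <a href="http://bit.ly/abc123">this short link</a> to restore your access.</p>"""

if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE), sep="\n")
```

Note that the checks deliberately do not treat an "https://" link as safe: the padlock only tells you the connection is encrypted, and look-alike sites obtain certificates just as easily as real ones.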
 
It's up to all of us to stay safe when using the internet. You don't want to be one of the people taken in by a phishing attempt. Being smart about phishing is a great way to up your cybersecurity game.
 
Read more at https://us-cert.cisa.gov/ncas/tips/ST04-014 
 
Kristofer Younger is the Director of Education at Zip Code Wilmington. Zip Code Wilmington is Delaware’s premier coding school and one of the few non-profit schools in the country. Through the 12-week bootcamp program, students gain the technical, interpersonal and leadership skills needed to secure a competitive job as a software developer or data engineer. To learn more about the Java and Data Engineering programs, visit zipcodewilmington.com.
