Security Testing

How to Stay Protected from Phishing Attacks?


‘Camouflage’ refers to hiding or disguising one’s presence so that others find it nearly impossible to identify or recognize the hidden party. In nature, camouflage is a remarkable adaptation: it increases an animal’s chances of survival by deceiving predators, and it serves either as a weapon for hunting or as a shield against attack. ‘Phishing’ is the camouflaged email of the cyber world: cyber criminals use it to deceive people and organizations and to cause losses, whether financial or personal.

Cyber criminals create clones of legitimate websites and then deceive people into entering personally identifiable information (personal data), their login credentials, and similar sensitive details.

Phishing is one of the most common ways in which malware is delivered by email. Out of 1000+ IT security decision makers, 56% stated that targeted phishing attacks were the top security threat they had experienced. According to Verizon’s 2018 breach investigations report, 92% of malware is delivered through email.

It therefore does not take much to realize that Chief Risk Officers and Chief Technology Officers of large organizations always need to be on the lookout for such phishing scams.

A Few Popular Phishing Techniques:

  1. Website Forgery – A web-based attack in which the phisher builds a stand-alone replica of a legitimate website, intended to deceive a user into handing over sensitive personal information that can then be used to launch further attacks on the victim.
  2. Spoofing Attack – A situation in which a person or program impersonates another user or device on a network by forging data, in order to gain an illegitimate advantage such as launching attacks against network hosts, stealing data, spreading malware or bypassing access controls. Types of spoofing attacks –
  • Address Resolution Protocol (ARP) Spoofing Attacks
  • Domain Name System (DNS) Spoofing Attacks
  • IP Spoofing Attacks
  3. Spear Phishing Attack – An email or electronic communications scam targeted at a specific individual or organization. Whaling is a specific form of spear phishing that primarily targets high-profile business executives. Poor spelling or grammar is one of the most common signs that an email is not legitimate, and sometimes the mistake is easy to spot. These attackers send emails that appear to come from trusted sources with the goal of obtaining personal or sensitive information. Such emails may also carry an attachment that can load malware onto your computer, or a clickable link to an illegitimate website that tricks you into downloading malware or handing over your personal information.
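The ARP spoofing entry above describes a host answering for an address that is not its own. As an added illustration from the defender's side (this code is not from the Cigniti post), the following script compares two snapshots of a host's ARP cache and reports the two classic indicators: a known IP (above all the gateway) whose MAC address has changed, and one MAC address that now claims several IPs. The snapshot text is constructed in the style of `arp -n` output on Linux; the addresses, the gateway IP and the helper names are this example's own assumptions.

```python
"""Added example: ARP spoofing indicators from two ARP cache snapshots.

Not code from the original post. The snapshots below are constructed in the
style of Linux `arp -n` output; all addresses are placeholders.
"""
import re
from collections import defaultdict

# Constructed snapshot taken before anything suspicious happened.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:00:00:01   C                     eth0
192.168.1.20             ether   aa:bb:cc:00:00:20   C                     eth0
192.168.1.30             ether   aa:bb:cc:00:00:30   C                     eth0
"""

# Constructed snapshot taken a little later: the gateway entry now carries the
# MAC address of the host at 192.168.1.30.
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:00:00:30   C                     eth0
192.168.1.20             ether   aa:bb:cc:00:00:20   C                     eth0
192.168.1.30             ether   aa:bb:cc:00:00:30   C                     eth0
"""

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for this example

# IPv4 address, hardware type, then a colon-separated MAC address.
ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I
)


def parse_arp(text):
    """Return {ip: mac} from arp -n style output; header and incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_anomalies(before, after, gateway_ip):
    """Compare two {ip: mac} tables and return (severity, description) findings."""
    findings = []

    # Indicator 1: an IP we already knew now resolves to a different MAC.
    # A change on the gateway address is the most serious case.
    for ip, old_mac in before.items():
        new_mac = after.get(ip)
        if new_mac and new_mac != old_mac:
            severity = "high" if ip == gateway_ip else "medium"
            findings.append((severity, f"{ip} changed MAC {old_mac} -> {new_mac}"))

    # Indicator 2: one MAC address is now answering for more than one IP.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("medium", f"{mac} claims multiple IPs: {', '.join(sorted(ips))}"))
    return findings


def check_snapshots(before_text=SNAPSHOT_BEFORE, after_text=SNAPSHOT_AFTER, gateway_ip=GATEWAY_IP):
    """Parse both snapshots and run the comparison; convenient entry point for tests and CLI use."""
    return arp_anomalies(parse_arp(before_text), parse_arp(after_text), gateway_ip)


if __name__ == "__main__":
    for severity, description in check_snapshots():
        print(f"[{severity}] {description}")
```

In practice the "before" table would be a pinned or previously observed mapping, and the comparison would run periodically; a single MAC legitimately serving two IPs (for example a router with a secondary address) is why the second indicator is rated medium rather than high.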

How to Stay Protected from Phishing Attacks?

  1. Verify the Website’s Security – It is natural to be a little cautious about supplying sensitive financial information online, even on a secure website. Before submitting any sensitive information, make sure the site’s URL begins with “https” and that a closed lock icon appears near the address bar. Verify the site’s security certificate as well; if the browser warns that the website may contain malicious files, it is advisable not to open the site. Do not download files from suspicious emails or websites, and remember that search engines may list links that lead users to a phishing webpage.
  2. Keep Your Browser Up to Date – Security patches are released for popular browsers periodically, in response to the security loopholes that phishers and other hackers inevitably discover and exploit. Do not ignore messages about updating your browser. Make it a habit to change passwords frequently as well.
  3. Use Firewalls – High-quality firewalls act as a gatekeeper between you, your computer and outside impostors, blocking attacks and preventing access to malicious files. Use both a desktop firewall and a network firewall. The first is software and the second is typically hardware; used together, they drastically reduce the likelihood of hackers and phishers infiltrating your computer or network.
  4. Stay Cautious of Pop-ups – Most popular browsers allow you to block pop-ups and permit them on a case-by-case basis. If one manages to slip through, do not click its “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the pop-up window.
  5. Use Antivirus Software – There are abundant reasons to use antivirus software. Keep it up to date, as new definitions are added all the time to keep pace with new scams. Anti-spyware and firewall settings should also be used to prevent phishing attacks, and these programs should be updated regularly. Antivirus software scans every file that reaches your system from the Internet and helps prevent unintended damage.
  6. Be Sensible Before You Click – Clicking a link on a trusted site is reasonable; clicking links that appear in random emails and instant messages is not. Hover over links you are unsure of before clicking them and check whether they lead where they claim to. A phishing email may claim to be from a legitimate company, and the page behind its link may look exactly like the real website while asking you to fill in personal information. When in doubt, go directly to the source rather than clicking a potentially unsafe link.
  7. Stay Updated – New phishing scams are developed all the time, and not being aware of new techniques can make you fall prey to one. For IT administrators, ongoing security awareness training and simulated phishing for all users are highly recommended for keeping security top of mind throughout the organization.
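Several of the signs listed above (a link whose visible text does not match where it really points, a link that is not https, and a sender whose replies go elsewhere) can be checked mechanically before anyone hovers over anything. The script below is an added example, not code from the Cigniti post: it parses a raw email with Python's standard `email` and `html.parser` modules and reports those indicators, plus punycode (IDN) hosts that can imitate a familiar domain. The message, the `.test` domain names and the helper names are all constructed for this illustration; the `registrable()` helper is a deliberate simplification that takes the last two labels of a hostname where a production tool would consult the public suffix list.

```python
"""Added example: flag phishing indicators in a raw email.

Not code from the original post. The message below is constructed; every
domain in it uses the reserved .test TLD and is a placeholder.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: sender claims to be a bank, replies go elsewhere,
# the first link's text shows one domain while its href points to another,
# and the last link uses a punycode host.
RAW_EMAIL = b"""\
From: "Example Bank Support" <support@example-bank.test>
Reply-To: helpdesk@mail-verify.test
To: user@company.test
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. <a href="http://example-bank.test.login-check.test/verify">https://www.example-bank.test/login</a></p>
<p>Help: <a href="https://www.example-bank.test/help">help centre</a></p>
<p><a href="https://xn--exmple-bank-8nb.test/">example-bank.test</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Simplified registrable domain: the last two labels (no public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1].lower()
    reply_to = msg["Reply-To"]
    if reply_to:
        rt_domain = parseaddr(str(reply_to))[1].split("@")[-1].lower()
        if registrable(rt_domain) != registrable(from_domain):
            findings.append(f"reply-to domain {rt_domain} differs from sender domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in extract_links(html):
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"non-https link: {href}")
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode (IDN) host: {host}")
        # If the visible text itself looks like a URL or domain, it must agree with the real host.
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and "." in shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_EMAIL):
        print("-", finding)
```

The same function can be pointed at any `.eml` file read in binary mode. Because a link whose text is a plain word ("help centre") carries no claim about its destination, only text that looks like a domain or URL is compared against the real host.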

Conclusion:

Most organizations today need a team that focuses on performing security testing, alongside other critical areas such as cloud security, performance, big data, and more. Many applications are launched in the market without being tested thoroughly, and this has led to a critical need for pure-play independent software testing vendors who can provide the focused approach to testing that is so desired.

The Security Testing services provided by Cigniti Technologies comprise an in-depth security analysis maintained by reports and dashboards that are comprehensive, in addition to remedial measures for any issues that may be found. Cigniti also has exceptional expertise in Security Testing for mobile applications, web applications, web services, and software products, both over the cloud, as well as on premise.

Over the past decade, Cigniti has assembled a knowledge repository, capabilities, and test accelerators, thereby leveraging the experience of working on over a hundred engagements, using latest industry standards (OWASP, etc.) and proprietary testing methodologies. Our team leverages passive security testing techniques (Social Engineering, Data Privacy, Architectural Risk Analysis, etc.) and active security testing methods (Ethical Hacking, Threat Modelling, etc.) using a combination of proprietary security, commercial, and open source testing tools. Cigniti processes are also aligned with ISO 27001:2013 standards which enables us to operate by adhering to the information security management system principles and practices.

To know more about the array of security-specific solutions our services can provide, visit our security testing services page and get in touch with our experts.

Tarak Mitra

Tarak has been associated with Cigniti Technologies Ltd as an Associate Manager – Process, with over 10 years of industry experience in process/product quality assurance and delivery excellence. He is a certified ISMS/ISO 27001 Lead Auditor, a certified Scrum Master, and an ITIL V3 Foundation and Lean Six Sigma Green Belt professional. He is immensely fond of music and prefers to play cricket and chess in his spare time.