Skip to main content
SANS Security Awareness

Utility nav

  • GDPR
  • Support
  • SANS.org
  • Contact
  • Request Demo

Main navigation

  • Products
    • Products Overview Column
      • Products

        Build and mature your security awareness program with comprehensive training for everyone in your organization.

        View Products
    • Security Training Solutions
      • EndUser Training

        Security Awareness training designed by experts.

      • Phishing Tools

        Tiered-template phishing simulation tool designed for all learners.

    • Products - Training Span
      • Engineer Training

        Train all learners involved with Industrial Control Systems. 

      • NERC CIP Training

        Relevant Critical Infrastructure Protection training meeting compliance. 

      • Developer Training

        Protect web applications with secure coding practices. 

      • Healthcare Training

        Train learners following HITECH and HIPAA standards. 

    • Events
      • Courses & Summits

        Gain key insights and practical information in security awareness program building from experts in the field with our Summits and training courses. 

  • Why SANS
  • About
    • About Overview Column
      • About

        SANS has been around as long as the Internet. Learn about our history, experts and events around the world.

        Read About SANS Awareness
    • About Column 1
      • Our Experts

        World-class experts covering every aspect of security awareness and defense.

    • About Column 2
      • History

        Read about the SANS Security Awareness legacy.  

    • About Column 3
      • News

        Check out what’s going on with SANS Security Awareness in the news.

  • Reports
  • SSAP Credential
  • Case Studies
  • Blog
  • Resources
    • Resources Overview Column
      • Resources

        Looking to build and mature your security awareness program? These resources will enable you with the topics and techniques to improve your learner’s awareness in security.

    • Resources Column 1
      • Blog

        Read from subject matter experts and guest authors about the latest going on in security awareness.

      • Security Awareness Planning Toolkit

        Resources to help you plan, develop and deploy an effective program.

    • Resources Column 2
      • Posters

        Developed by the community for the community. Download and share these awareness posters with your organization.

      • Video of the Month

        Our popular VOTM program allows you to get an inside look of security awareness training on relevant topics affecting our society today.

    • Resources Column 3
      • OUCH! Newsletter

        The world leading security awareness newsletter. Offered in multiple languages, created by a community of experts.

      • Webcasts

        Gain deep insights from subject matter experts on security awareness, program building, behavior change and more.

Mobile Menu

December 2015 • The Monthly Security Awareness Newsletter for Everyone

Phishing

Overview

Email is one of the primary ways we communicate. We not only use it every day for work, but to stay in touch with our friends and family. In addition, email is now how most companies provide online services, such as confirmation of your online purchase or availability of your bank statements.  Since so many people around the world depend on email, it has become one of the primary attack methods used by cyber criminals. In this newsletter, we explain phishing, a common email attack method, and the steps you can take to use email safely.

Phishing

phishing computer screen

Phishing refers to an attack that uses email or a messaging service (like those on social media sites) that tricks or fools you into taking an action, such as clicking on a link or opening an attachment. By falling victim to such an attack, you risk having your highly sensitive information stolen and/or your computer infected. Attackers work hard to make their phishing emails convincing. For example, they will make their email look like it came from someone or something you know, such as a friend or a trusted company you frequently use. They will even add logos of your bank or forge the email address so the message appears more legitimate. Then the attackers send these phishing emails to millions of people. They do not know who will fall victim, all they know is the more emails they send, the greater the chance for success. Phishing is similar to using a net to catch fish; you do not know what you will catch, but the bigger the net, the more fish you will find. There are several ways attackers use phishing to get what they want:

Harvesting Information: The attacker’s goal is to harvest your personal information, such as your passwords, credit card numbers or banking details. To do this, they email you a link that takes you to a website that appears legitimate. This website then asks you to provide your account information or personal data. However, the site is fake, and any information you enter goes directly to the attacker.

Malicious Links: The attacker’s goal is to take control of your device. To do this, they send you an email with a link. If you click on the link, it takes you to a website that launches an attack on your device that, if successful, infects your system.

Malicious Attachments: The attacker’s goal is the same, to infect and take control of your device. But instead of a link, the attacker emails you an infected file, such as
a Word document. Opening the attachment triggers the attack, potentially giving the attacker control of your system.

Scams: Some phishing emails are nothing more than scams by con artists who have gone digital. They try to fool you by saying you won the lottery, pretending to be a charity
needing donations or asking for your help to move millions of dollars. If you respond to any of these, they will say they first need payment for their services or access to your bank account, scamming you out of your money.

Protecting Yourself

In almost all cases, opening and reading an email or message is fine. For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack. Here are the most common ones:

  • The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account. The attacker wants to rush you into making a mistake without thinking.

  • You receive an email with an attachment that you were not expecting or the email entices you to open the attachment. Examples include an email saying it has an attachment with details of unannounced layoffs, employee salary information or a letter from the IRS saying you are being prosecuted.

  • Instead of using your name, the email uses a generic salutation like “Dear Customer.” Most companies or friends contacting you know your name.

  • The email requests highly sensitive information, such as your credit card number or password.

  • The email says it comes from an official organization, but has poor grammar or spelling, or uses a personal email address like @gmail.com, @yahoo.com or @hotmail.com.

  • The link looks odd or not official. One tip is to hover your mouse cursor over the link until a pop-up shows you where that link really takes you. If the link in the email doesn’t match the pop-up destination, don’t click it. On mobile devices, holding down your finger on a link gets the same pop-up. An even safer step is to copy and then paste the URL from the email into your browser or type the correct link.

  • You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.

    If you believe an email or message is a phishing attack, simply delete it. Ultimately, common sense is your best defense.

License

OUCH! newsletter is under the Creative Commons license.  You are free to share / distribute it but may not sell or modify it.

In This Issue

Overview
Phishing
Protecting Yourself

English
201512-OUCH-December-English.pdf
Albanian
OUCH-201512_al.pdf
Bahasa Indonesia
OUCH-201512_ba.pdf
Bulgarian
OUCH-201512_bg.pdf
Chinese, Simplified
OUCH-201512_cc.pdf
Chinese, Traditional
OUCH-201512_cn.pdf
German
OUCH-201512_de.pdf
Farsi
OUCH-201512_fa.pdf
Finnish
OUCH-201512_fn.pdf
French
OUCH-201512_fr.pdf
Hungarian
OUCH-201512_hu.pdf
Italian
OUCH-201512_it.pdf
Japanese
OUCH-201512_jp.pdf
Korean
OUCH-201512_kr.pdf
Latvian
OUCH-201512_lt.pdf
Lithuanian
OUCH-201512_lv.pdf
Malaysian
OUCH-201512_ma.pdf
Norwegian
OUCH-201512_no.pdf
Polish
OUCH-201512_po.pdf
Portuguese
OUCH-201512_pt.pdf
Romanian
OUCH-201512_ro.pdf
Russian
OUCH-201512_ru.pdf
Serbian
OUCH-201512_se.pdf
Spanish
OUCH-201512_sp.pdf
Turkish
OUCH-201512_tr.pdf
Urdu
OUCH-201512_ur.pdf
Guest Editor
Thumbnail

Dr. Lance Hayden

Expert in human security and the author of IT Security Metrics and People-Centric Security
Dr. Lance Hayden has spent 25 years working in information security, beginning his career as a human intelligence (HUMINT) officer with the Central Intelligence Agency. He has served as a trusted advisor to government, military, and enterprise clients across industries including finance and

Subscribe to OUCH!, our Monthly Security Awareness Newsletter

Get monthly content to keep you up to date on the latest Security Awareness News and Tips.

The SANS Institute provides training related to cybersecurity and the safe use of technology within your organization. To provide this training, the SANS Institute captures and processes personal data and as such has been identified as a “controller” of your information.

The information provided to SANS Institute for training purposes may include name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region. The SANS Institute may also collect data about devices and software used to access the training and training systems; this data includes browser version, operating system version, IP addresses, access times, connection duration, and other browser analytics. As training is delivered, the SANS Institute processes and stores data associated with training assignments, completion, and scores on any learning activity that is delivered. SANS may also utilize third party processors to provide these services.

If your information is provided by your employer, this information is used as part of the initial or ongoing training cycle. The purpose for collecting this data is to allow the SANS Institute and your employer to assign, deliver, record and report on your cybersecurity training. Your information and training records will be shared only with you and your employer.

At any time you have the right to receive a copy of the personal data you have provided to us in an electronically readable format.

A data protection regime is in place to oversee the effective and secure transmission, processing, storage, and eventual disposal of your personal data, and data related to your training. The SANS Institute will retain your data until you request that it be removed, after which it will be securely disposed of. The SANS Institute will never sell your personally identifiable data and will only share your personally identifiable data with SANS cyber security solutions partners when you provide agreement to do so.

When you consent to us using your information for the purposes of sending you information on SANS products or services you are providing us with your consent to send you materials detailing our products and services that we consider will be of interest to you, based on your use of the educational material that we provide as resources. We profile you this way to make the materials more relevant to you. We will only send you information on products from within the SANS services portfolio.

If, at any point, you believe your personal information to be incorrect, you may request to see a copy of your data, ask to have the errant data corrected, or ask that it be securely disposed of. If your information is provided by your employer, the SANS Institute will work directly with your employer to promptly address the matter. If you wish to raise a complaint or concern, or have questions relating to GDPR, please contact the Data Protection Officer via gdprprivacy@sans.org.

SANS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

You may, at any time, withdraw your consent; to do so, please contact gdprprivacy@sans.org.

The SANS Institute is a U.S. company founded in 1989 that specializes in information security and cybersecurity training. All information provided to SANS Institute will be transferred to and processed in the United States. The SANS Institute is committed to comply with the Privacy Shield Framework which has been found adequate by the European Commission to enable international data transfer under EU law. For more information, please see www.sans.org or contact gdprprivacy@sans.org.

SANS Security Awareness

301-654-SANS (7267)
Monday-Friday, 9am-8pm EST/EDT

Social

  • Facebook
  • Twitter
  • Linked In

Footer

  • Products
  • Why SANS
  • About
  • Reports
  • Case Studies
  • Resources

Footer utility

  • Support
  • SANS.org
  • Contact
  • VLE Help

Stay up-to-date on the latest security awareness news and tips. 

Subscribe to our monthly newsletter, OUCH!

Subscribe Now

Copyright Nav

  • ©2018 SANS™ Institute
  • Privacy Policy
  • Trademark Usage Policy
  • Credits