866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Identifying Phishing Attacks Blog Feature
KISHAN KUKKADAPU

By: KISHAN KUKKADAPU

Print/Save as PDF

Identifying Phishing Attacks

Cybersecurity Assessments | Privacy Assessments | Penetration Testing

Employees are one of the weakest links in any business’ security defenses, especially if there is a lack of awareness about criminal attacks that are designed to obtain sensitive information from organizations.

Phishing, a social engineering technique, is one type of attack that is intended to obtain sensitive personal and professional information such as bank account information, network credentials, etc.  Obtaining this confidential business information opens gates to further penetrate into the organization and perform malicious activities.  Phishing is carried out through email spoofing, instant / text messaging or telephone calls.  Victims are tricked into opening attachments or to click links in emails and from other types of communication that places the victim on a rogue web site or installs malware on the victim’s machines.  Phishing attacks can also be carried out over multiple communications, which can build trust and make it easier to steal information.  The rogue website often looks like legitimate ones, frequently clones of a legitimate site, and persuade the victim to reveal sensitive information.

Spear Phishing

Spear Phishing is a type of phishing that is targeted at specific employees, which may include high profile business people.  These emails are crafted to make an employee believe it comes from a colleague or external entity such as a vendor or business partner.  Since the email appears to be coming from a known entity, the employee places a level of trust on the email and is fooled into opening links or attachments in the emails or perform a task as directed in the email. In recent years, criminals made a shift from phishing to spear phishing, as this proved highly successful.  Criminals use professional and social media outlets, such as LinkedIn, Glassdoor, and Facebook, to gather information about a potential victim and create a sophisticated attack using this knowledge.  The objective of spear phishing can be a financial gain or long term access to an organization’s data and resources.  To cite a recent example, an employee at an investment firm in Michigan was tricked into sending $500,000 to a bank in Hong Kong after receiving a series of emails that are supposedly from a company executive.  Also, the recent tax season proved to be an active time for criminals to steal sensitive personal information.  An employee at a university was tricked via a spear phishing email that appeared to be from an administrator and requested to send employees’ W2 forms.  Believing the email was from a trustworthy source, the employee sent the information to the fraudster, thus losing personal information.

Defending Against Phishing Attacks

Recent reports indicate a rapid increase in spear phishing attacks targeted at small and medium businesses.  The phishing attack may target a specific person, but it is an organizational problem.  Businesses have to implement an enterprise wide strategy to reduce an organization’s exposure to fraud.  The strategy should include implementing solid internal controls, promoting employee awareness, and training and behavioral practices.  Organizations have to implement a security system that could effectively identify and filter malicious attacks.  Though implementing sound technical controls addresses one part of the problem, promoting proper awareness among the employees is highly important as the human vulnerabilities ever exist.  Organizations should implement an employee awareness program that includes the following:

  • Anti-fraud training to help employees identify suspicious emails, phone calls or any other activity, and report to management immediately
  • Periodic updates to all employees on threat trends
  • Implement policies and procedures to guide employees in handling confidential information and performing financial transactions
  • Annual security awareness trainings for all employees and access to all information security policies
  • Exercise behavioral practices such as not sharing company information on social media, not releasing confidential information unless approved by management, not reacting to email that has sense of urgency or high pressure, being proactive in reporting security events,

Additionally, organizations should consider deploying technical solutions to flag suspicious inbound communication and monitor outbound communication to suspicious domains. 

As deception fraud is likely to increase in frequency and sophistication, companies need to invest time and resources to maintain an effective security system and promote proper employee awareness.  As the threat trends show increase in spear phishing towards small and medium businesses, there is no excuse in implementing strong controls to defend against phishing attacks.

About KISHAN KUKKADAPU

Kishan is a Senior Associate with Schellman. Prior to joining Schellman, Kishan has 3 years of combined experience as an Associate IT project manager and an IT audit intern. Kishan has experience performing Sarbanes-Oxley compliance audits and IT advisory engagements. Kishan has a strong experience in managing various phases of IT projects especially focusing on the financial and operational aspects.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.