Podcast version of this episode:
- 0:15 - What is phishing?
- 2:35 - What is spear-phishing?
- 3:30 - What should someone do to minimize the impact of phishing or spear-phishing?
- 4:43 - What are the best ways that people can protect themselves from phishing and spear-phishing just going forward?
Ken Lane - 0:07
Hello everyone once again. Welcome to another episode of Business Solutions Academy by JD Young Technologies. My name is Ken Lane, and in this episode, we're going to be learning about the impact of email phishing, as well as spear phishing, on your business or organization. So to do this, we'll once again be speaking with Damon DoRemus. Damon is the Chief Information Officer at JD Young Technologies and heads up the Managed Network Services Division.
For those of you joining us in video form or via podcast episode, there's no need to take any notes, as usual, as we'll be publishing a full transcript of this conversation. Simply look in the description information of this episode for a link to the corresponding article in our very helpful Resource Center at jdyoung.com/resource-center. So Damon, thanks again, as always, for joining us.
Damon DoRemus - 0:56
Thanks for having me.
Ken Lane - 0:59
So Damon, unlike the delightful pastime of fishing with an F, there exists something immensely more ominous: phishing with a "ph" at the beginning — "phishing." So what precisely is phishing with a "ph," and what are online phishers after?
Damon DoRemus - 1:20
So phishing is probably the most dangerous thing that we deal with right now for IT security professionals. And the reason it's the most dangerous is because it's so difficult to control. It's not something that we can solve with software. It's primarily based around user behavior.
There's some software things that we can do to fix it, but it's, again, primarily around user behavior. So a "phish" is a scenario where bad guys send a crafted email to you trying to get you to do something — typically trying to get you to give them your email address and password. It could be that they're trying to give you an email address and password to your actual email, or it could be they're trying to get you to give them your password or your bank account, or, you know, someplace else, right?
So the reason it's so dangerous is — again, we're all so busy, and it's difficult sometimes to tell real from the fake emails that come through. And so people occasionally will get phished when they give out their credentials to the bad guys.
Ken Lane - 2:35
So, in addition to phishing, regular phishing with a "ph," I know that there's a subcategory known as spear phishing. So how does spear phishing differ from non-spear phishing? If I have that correct?
Damon DoRemus - 2:49
Correct. So think of, you know, phishing is just throwing a wide net, right? So, they might send the same email to 10,000 people. And, you know, of that, an X number of people are going to click on them, and they'll get credentials and be able to do bad stuff from there.
Spear phishing is where it's a targeted attack against an individual — typically an individual who has administrative rights or the ability to be able to do something effective with money, right? So spear-phishing will be a scenario where they're really targeting, say, a CFO or controller — someone that has the ability to be able to write checks or share information online.
Ken Lane - 3:30
Okay, so if someone suspects that they have been phished or spear phished, rather, what should they do next to minimize the damage of that phishing?
Damon DoRemus - 3:41
So obviously, first thing, change your password. And make sure that two-factor authentication is turned on anywhere you possibly can use it. Obviously, [on] your email. People commonly think that email does not necessarily need to be secure. They think, "Oh, it's just my email," but everything comes back to your email — password reset, online websites — they're almost all going to go back to your emails [as] a way to confirm or change your password.
So a common scenario is you get phished, and they give you a link that you think you're going to your webmail portion of your email, you enter in your email address and password, and bam, they gotcha. So now they can go back and sit and wait and see what other things come in via that email address. Right? So new passwords that come in, say, for your bank or some other login, you know, not just your Netflix account, but stuff that's really important. So they'll sit there, and they'll wait, and then they'll take advantage of it.
Ken Lane - 4:43
Goodness. So what are the best ways that people can protect themselves from either phishing or spear-phishing just going forward?
Damon DoRemus - 4:51
So I'm going to go back to the same thing of two-factor authentication — 2FA. It is the most important and easiest way to protect yourself from a phishing or spear-phishing attack, because if you do accidentally — instead of hovering over the link to make sure that it's going where you want it to go, or just going to the link directly, which would be a better decision to do — in case you mess up, and you accidentally get your password or input your password on a bad site, or "gosh, it just got compromised because of poor software programming," that two-factor authentication is going to come into play. And you're going to get a notification on your phone or whatever authenticator that you've chosen to use for your email setup, and you're going to get a notification that someone's trying to get into your account. Well, that would be a really quick clue, "I need to go change my password."
Ken Lane - 5:42
Yeah, I actually did receive a message from a co-worker who said, "I received an email; it looked like it was from you. It said, 'Sent from my iPhone.'" They hovered over the email address, and even though it had my name in it, it was not my email address. And they said that quickly stood out because, "Ken doesn't have an iPhone. Ken has been an Android user from day one," so that really threw up some red flags.
So again, Damon. As always, thank you for talking to us today. That was extremely highly informative. And for those of you tuning in, if you learn something new today, as I do with every single one of these episodes, feel free — and if you think others can benefit from the information, we always appreciate that you give it a thumbs up on YouTube, and hit that subscribe button, so you don't miss any other of these very helpful episodes, as well as sharing this with your friends on social media.
So if you'd like to learn more about cybersecurity threats, and many other business solutions-related topics, you're invited to check out our Resource Center at jdyoung.com/resource-center, or you can search for Business Solutions Academy by JD Young Technologies on your favorite podcast player.
So thanks for stopping by. And thanks again. As always, Damon.