An attack called "phishing": how to recognize it and how to defend against it effectively

Administrators of information systems will never ask you for your login details, nor ask you to verify them by clicking on an external or internal link sent to you by email. Any such email is "phishing" and is intended to compromise your computer or mobile device.

Phishing is an attempt to obtain sensitive information or login details, or to get you to click on a link. Attackers are very sophisticated: they create urgency ("I need it fast, otherwise..."), and they most often send phishing on Fridays at 14-15 o'clock, when working hours are ending, etc.

In the following points of this article we explain how to recognize phishing and what to do if you become a "victim" of phishing:

  1. Do not respond to such mail, even if the email "looks" as though it came from an internal employee or contractor. Verify the source. Alternatively, report the incident to the helpdesk.
  2. Phishing mail with a link to a website: the link may look "innocent", e.g. www.google.com <http://www.google.com/> vs www.googIe.com <http://www.googie.com/> (the second case is a scam: "googIe" is spelled with a capital "I", which looks like the lowercase "l"). If a link has no business being in that email, it is suspicious: do not click, and check with the other party or IT support. If you hover over the link and wait a second (without clicking), you will see the full address you would be redirected to. This way you can verify the address that is hidden under the link text.
  3. Do not open attachments from untrusted sources. Requests and complaints have an official handling procedure and designated official contact addresses. 
  4. Do not insert or connect unfamiliar portable media (CDs, DVDs, USB sticks or disks) to your work computer. 
  5. A connection to a website is considered secure if it is made using a secure protocol (in your web browser you will see a green or grey lock icon in the address bar, next to the address). You can force a secure protocol by entering the address with https:// at the beginning (for example, for a banking connection).
  6. If a website requests personal data or other sensitive information from you, the connection must use a secure protocol with a verified certificate (green or grey lock icon in the address bar). The browser usually warns about an invalid website certificate; never ignore this warning. With a so-called fake certificate, the information you send or enter can be easily captured and misused. Login data is sensitive data.
  7. Do not use private computers to work with files that you then distribute in your work environment. Such computers can be compromised by malicious code (under certain conditions it is enough that someone on that computer opened an inappropriate link on a Facebook page before you, or that a child played a game on such a page).
  8. Do not send sensitive information or personal data by email in unsecured form. If you need to send such a file, protect it with a password first (e.g. any MS Word or Excel file can simply be protected with a password via the file properties). Agree the password with the other party through a different secure channel, e.g. by phone, SMS or in person. In the case of intensive, frequent or regular exchange of such information, the password can be agreed with the other party for a certain shorter period of time, depending on the sensitivity of the data.
  9. For connections to the work environment, a VPN connection or another approved connection secured by encryption is used. In this case the connection (for example, a professionally installed and configured VPN client, or another professionally configured encrypted remote connection) is considered secure. Use only approved computers or mobile devices for such a connection; the device then becomes part of the working environment inside the Office network (a defined part of it). Using public wi-fi networks (e.g. in coffee shops, hotels or airports) to connect to the Internet or to the work environment is not considered secure; the exception is the VPN tunnel mentioned above. Keep the VPN connection open only for the time strictly necessary: a VPN or other encrypted connection to the Authority's internal network must be established only for as long as it takes to carry out the required business tasks.
  10. Sending chain emails and taking part in email chain discussions ("forward this email...") mainly serves attackers as a way to collect "live" email addresses, which are then used as targets for the next attack (e.g. the phishing described above, or as recipients of spam). Replying to an unknown email with any response, or opening a link in it, serves the attacker in the same way.
  11. Login details are considered sensitive information. They must not be shared with other individuals or employees. The login name and password (or other authentication elements such as a PIN, special USB tokens, one-time password generators or grid cards) for applications, information systems, databases, e-mail or other environments must be protected appropriately (e.g. passwords and PINs must not be written on paper, login information must not be shared with colleagues, etc.). Any compromise must be reported as a security incident and the login information changed immediately. Sharing this information, e.g. with a colleague in order to "simplify" work, is itself considered a compromise.
  12. Set your email client to display emails as plain text. In that case, even when you open an email, the client does not load images from remote servers; this way it does not "confirm" to spammers that the mailbox is live, and it also increases security. "Invisible images", even as small as 1x1 pixel (a single display point), can be a danger when retrieved from a remote server (for example, by exploiting a bug in the email client that displays the email).
  13. Regularly delete the browser history and cookies on all work devices, including laptops, tablets and mobile phones.
  14. Adhere to a proper password policy: change passwords regularly, do not repeat passwords within their history, use sufficient complexity, and use different passwords for individual user accounts and devices. Avoid passwords containing basic sequences (abcd..., 1234...), the name of the institution you work for, your own first or last name, usernames, or the names of family members, pets, etc. Do not use the same password (even one considered "strong") for different information systems. If, for example, an e-shop is compromised, attackers will automatically try the obtained login credentials on other systems.
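The following is an added example, not code from the original article, that automates the two checks described in items 2 and 12 above: it parses an email, compares the visible text of each link with the real destination (mapping look-alike glyphs such as a capital "I" to the letter they imitate, so that "www.googIe.com" pointing at googie.com is flagged), reports links that are not HTTPS, and lists images that would be fetched from remote servers, such as a 1x1 tracking pixel. The sample message, the host names (`helpdesk.invalid`, `office.invalid`, `tracker.invalid`) and the confusable-character table are constructed for this example and are not from the original page.

```python
"""Constructed example: inspect an email for the warning signs described in
items 2 and 12 of the article: link text that does not match the real
destination (including look-alike spellings such as "googIe" with a capital I),
links that are not HTTPS, and images loaded from remote servers such as 1x1
tracking pixels. The sample message and host names are made up."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Glyphs that read like another letter in link text (constructed list; the
# mapping is applied before lower-casing so that a capital "I" becomes "l").
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o"}

# Something that looks like a bare domain or URL, e.g. "www.example.com/x".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[A-Za-z]{2,}(?:/\S*)?$")

# Constructed sample: a misleading link, an honest link and a tracking pixel.
SAMPLE_EMAIL = """\
From: "IT Support" <support@helpdesk.invalid>
To: employee@office.invalid
Subject: Urgent: verify your account today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in one hour. Verify it here:
<a href="http://www.googie.com/login">www.googIe.com</a></p>
<p>Policy: <a href="https://intranet.office.invalid/policy">https://intranet.office.invalid/policy</a></p>
<img src="http://tracker.invalid/open.gif" width="1" height="1">
<img src="cid:logo123" alt="embedded logo">
</body></html>
"""


class LinkAndImageExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> and (src, width, height) for each <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def skeleton(text):
    """What the text looks like to a human: map confusable glyphs, then lower-case."""
    return "".join(CONFUSABLES.get(c, c) for c in text).lower()


def host_of(url):
    """Host name of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text mail: nothing to hover over, nothing to fetch
    parser = LinkAndImageExtractor()
    parser.feed(html_part.get_content())
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if urlparse(href).scheme == "http":
            findings.append(f"unencrypted link: {href}")
        if URL_LIKE.match(text):
            shown_host = host_of(skeleton(text))
            if shown_host != real_host:
                findings.append(f"link text reads as {shown_host} but points to {real_host}")
    for src, width, height in parser.images:
        if urlparse(src).scheme in ("http", "https"):
            size = f"{width}x{height}" if width and height else "unknown size"
            findings.append(f"remote image fetched from {host_of(src)} ({size})")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The confusable mapping is deliberately aggressive (a "0" in legitimate link text is read as "o"), so a mismatch finding means "look closer", not "certainly malicious"; the honest intranet link in the sample produces no finding, while the embedded `cid:` logo is ignored because it is never fetched from the network. A mail client set to plain text, as item 12 recommends, removes both the hidden link target and the remote image fetch at the source.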
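As an added example of the password policy in item 14 (not the Office's actual policy or code), the check below refuses short passwords, passwords with too few character classes, simple alphabet, digit or keyboard sequences, passwords containing the institution's or a family member's name, and any password reused from the history. The history keeps only salted PBKDF2 hashes of the previous passwords, so reuse can be detected without storing the passwords themselves. The thresholds (12 characters, 3 classes, a history of 5), the banned-word list and the sample passwords are assumptions made for this example.

```python
"""Constructed example: a password-policy check in the spirit of item 14 of
the article (regular change, no reuse within the history, complexity, no
simple sequences, no institution or personal names). Thresholds, word lists
and sample passwords are assumptions, not the Office's policy."""
import hashlib
import hmac
import os

MIN_LENGTH = 12        # assumed minimum length
MIN_CLASSES = 3        # of: lowercase, uppercase, digit, other
HISTORY_SIZE = 5       # how many previous passwords may not be reused
SEQ_LENGTH = 4         # "abcd", "1234", "qwer" and the like
KEYBOARD_AND_ALPHABET = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                         "qwertyuiop", "asdfghjkl", "zxcvbnm")


def contains_sequence(password, length=SEQ_LENGTH):
    """True if a run of `length` consecutive alphabet, digit or keyboard
    characters (forwards or backwards) appears in the password."""
    low = password.lower()
    for base in KEYBOARD_AND_ALPHABET:
        for seq in (base, base[::-1]):
            if any(seq[i:i + length] in low for i in range(len(seq) - length + 1)):
                return True
    return False


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


class PasswordHistory:
    """Remembers salted PBKDF2 hashes of the last N passwords so that reuse can
    be refused without storing the passwords themselves."""

    def __init__(self, size=HISTORY_SIZE):
        self.size = size
        self._entries = []  # list of (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def contains(self, password):
        return any(hmac.compare_digest(d, self._digest(password, s))
                   for s, d in self._entries)

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.size]   # keep only the newest `size` entries


def check_password(password, username, forbidden_words, history):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if contains_sequence(password):
        problems.append("contains a simple alphabet, digit or keyboard sequence")
    low = password.lower()
    for word in [username, *forbidden_words]:
        if len(word) >= 3 and word.lower() in low:
            problems.append(f"contains the forbidden word '{word}'")
    if history.contains(password):
        problems.append(f"matches one of the last {history.size} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    banned = ["Office", "Novak", "Rex"]   # institution, surname, pet (constructed)
    for candidate in ("Office1234", "Tr0ub4dor&3-Zx"):
        print(candidate, "->", check_password(candidate, "jnovak", banned, hist) or "OK")
    hist.add("Tr0ub4dor&3-Zx")
    print("reuse ->", check_password("Tr0ub4dor&3-Zx", "jnovak", banned, hist))
```

The one rule in item 14 that no local check can enforce is the last one: a policy checker sees only the system it runs on, so "different passwords for different systems" remains the user's responsibility (or a password manager's), which is exactly why credentials leaked from an e-shop are tried elsewhere.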