Phishing Awareness

Garden State Cyber Threat Highlight

Original Release Date: 9/23/2020


As National Cybersecurity Awareness Month in October approaches, we continue to raise awareness about cybersecurity threats and best practices. Phishing remains a common email technique used by cyber-criminals to deceive individuals into disclosing sensitive information, clicking links, or opening attachments. These malicious emails can also be used to steal user login credentials or deliver malware, such as ransomware and trojans. Cyber-criminals constantly change their tactics and techniques, often exploiting current news and events in their lures. The NJCCIC continues to observe phishing emails targeting NJ State employees, with the theft of corporate and consumer credentials as the dominant theme. Recent phishing cases reported to the NJCCIC have used payroll-change and employment-scam themes.

Security awareness training is one of the ways to ensure users are aware of cybersecurity risks and threats, understand their responsibilities, keep their organization’s digital infrastructure and data safe, and reduce their likelihood of victimization. It is recommended to conduct phishing tests at regular intervals and to use interactive or video training and simulation measures to ensure users retain their ability to correctly identify phishing emails. In addition, the National Institute of Standards and Technology (NIST) developed a new method called the Phish Scale to help organizations better understand their training program, especially how to interpret their click-rate data.

[Image: screenshot of the phishing email, styled as a security awareness training notification]

The email image above could be a security awareness training notification received in a user's inbox. At first glance, this anti-phishing training email appears to be a legitimate notification; however, there is a twist. This email is part of a real, not simulated, phishing campaign targeting NJ State employees, consistent with open source reporting. The campaign sends emails claiming to be a training notification from a legitimate cybersecurity awareness company, with a link that, if clicked, directs the user to a phishing site that steals credentials and other information. Upon closer examination, the common characteristics of phishing emails can be identified. The email carries an “External” tag yet purports to be sent from the internal “Information Security Office.” It uses a generic greeting of “Good morning” instead of addressing the recipient by name. It creates a sense of urgency by stating that the training expires within the next 24 hours, another common phishing tactic. Additionally, the training link points to an external site instead of the internal employee portal. Typosquatting is also used in this campaign: a registered domain name (knowb.e4[.]com or knowbe.4[.]com) closely resembles a legitimate entity’s domain name (knowbe4[.]com) in order to fool users into believing they are visiting a legitimate, known website.
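The indicators described above (an “External” tag paired with an internal-sounding display name, a generic greeting, urgency wording, a link that leaves the employee portal, and a look-alike domain) can be turned into automated triage checks. The Python script below is an added example, not part of the NJCCIC advisory or of any vendor's product: it parses a raw email, runs each check, and returns the findings with a count. The organization domain example-state.gov, the trusted vendor domain knowbe4.com, the greeting and urgency word lists, and both sample messages are constructed for illustration; the look-alike hosts knowb.e4.com and knowbe.4.com are the ones named in the advisory (brackets removed so they parse).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed for this example (not from the advisory): the organization's own
# domain, and the domains a genuine training notice is allowed to link to.
INTERNAL_DOMAINS = {"example-state.gov"}
TRUSTED_DOMAINS = {"knowbe4.com", "training.example-state.gov"}
GENERIC_GREETINGS = ("good morning", "good afternoon", "dear user", "dear customer", "hello,", "hi,")
URGENCY_PATTERNS = (r"\b24\s*h(?:ou)?rs?\b", r"\bexpires?\b", r"\bimmediately\b", r"\burgent\b")
INTERNAL_SOUNDING = re.compile(r"security office|it department|help ?desk|service desk", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short host names, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_under(host: str, domains: set) -> bool:
    """True if host equals one of `domains` or is a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def typosquat_target(host: str) -> Optional[str]:
    """Return the known domain that `host` imitates, or None.

    Check 1 strips dots and hyphens before comparing, which catches the
    dot-insertion trick from the advisory (knowb.e4.com and knowbe.4.com both
    collapse to knowbe4com). Check 2 flags an edit distance of 1 or 2 for
    swapped, dropped or substituted characters. Exact matches and genuine
    subdomains are never flagged.
    """
    host = host.lower().rstrip(".")
    known = TRUSTED_DOMAINS | INTERNAL_DOMAINS
    if _is_under(host, known):
        return None
    squash = lambda d: re.sub(r"[^a-z0-9]", "", d)
    for domain in known:
        if squash(host) == squash(domain) or 0 < levenshtein(host, domain) <= 2:
            return domain
    return None


def _body_text(msg) -> str:
    """Concatenate the text/plain parts (single-part or multipart message)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")


def score_email(raw: str) -> dict:
    """Score one raw RFC 5322 message against the advisory's phishing indicators."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = _body_text(msg)
    findings = []

    # Gateway marked the mail external, yet the display name claims an internal team.
    external = "[external]" in msg.get("Subject", "").lower() or msg.get("X-External", "").lower() == "yes"
    if external and INTERNAL_SOUNDING.search(display_name) and not _is_under(sender_domain, INTERNAL_DOMAINS):
        findings.append(f"external sender {addr} using internal-sounding name '{display_name}'")
    if (target := typosquat_target(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {target}")

    # Generic salutation instead of the recipient's name.
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting: '{first_line}'")

    # Pressure to act within hours.
    if any(re.search(p, body, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency wording")

    # Links that leave the employee portal, and look-alike link hosts.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not _is_under(host, INTERNAL_DOMAINS):
            findings.append(f"link to external host {host}")
        if (target := typosquat_target(host)):
            findings.append(f"link host {host} imitates {target}")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages: one modelled on the campaign in the advisory,
# one a benign notice from the (hypothetical) internal training portal.
SAMPLE_PHISH = """\
From: Information Security Office <notify@knowb.e4.com>
To: employee@example-state.gov
Subject: [EXTERNAL] Security Awareness Training Reminder
Content-Type: text/plain; charset=utf-8

Good morning,

Your required security awareness training expires within the next 24hrs.
Complete it now: https://knowb.e4.com/training/login?id=12345
"""

SAMPLE_LEGIT = """\
From: Training Portal <training@example-state.gov>
To: employee@example-state.gov
Subject: Security Awareness Training Reminder
Content-Type: text/plain; charset=utf-8

Hello Jane,

Your annual security awareness training module is now available.
Log in at https://training.example-state.gov/ at your convenience.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_email(raw))
```

The score is a plain count of indicators, which is enough to route a message to a triage queue; a production gateway would weight the look-alike-domain and external-link findings more heavily than a generic greeting, and would populate the trusted and internal domain sets from the organization's own inventory rather than constants.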

This example shows just how difficult it can be to identify whether an email is truly a legitimate email, a phishing email as part of a simulation for training purposes, or a phishing email as part of a real phishing campaign. The key takeaway here is understanding the difference between the three types: one means you are “safe,” one allows you to “try again,” and one is “game over.”

The NJCCIC recommends users exercise caution with emails from unknown senders and avoid divulging sensitive information, clicking links, or opening attachments in response to these emails. Additionally, users are advised not to enable macros in files, even those received from known senders, without first verifying the legitimacy of the document. If an email instructs a recipient to access their account, the user is advised to avoid clicking on any links provided and, instead, manually type the URL for the account into the address bar of their browser. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication – such as by telephone – before taking any action. We encourage educating yourself and others on these continuing threats and tactics to reduce victimization.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
