Phishers are upping their game, so end-users need to respond accordingly

Protecting yourself against phishing attacks used to be relatively easy. Don’t download unexpected attachments. Visit banking websites directly instead of clicking on links in an email. And look for bad grammar.

Those days are gone. Today, a phishing attack can come from any direction via any channel.

Consider the case of “Anna,” an employee of a bank’s treasury department. She was expecting a baby and was in the process of decorating a nursery. She got an email from the producers of a design show who wanted to talk to her in person about her preparation for the baby, and the challenge of being a working woman.

The interview went well … but not for her.

“We were actually able to go in and conduct the interview, and get access to her computer system, and compromise the treasury accounts,” says J.J. Thompson. “And we got her to click on the link we wanted her to click on, which we used to download a payload to her computer,” he adds.

Luckily for Anna and her bank, this was a test, rather than a real attack. But the reason it worked is that Rook Consulting, the IT security consulting firm that Thompson heads, did its homework.

First, they got a list of the employees at the company. These lists are available from list brokers, or from LinkedIn. Next, they ran them through search engines and social networking sites. “Anna,” for example, discussed her baby preparations on Facebook and on Houzz, a decorating-themed social site. Finally, they contacted “Anna” by posing as Houzz. Since she already knew and trusted that company, she was ready to listen.

The lessons here? If it’s too good to be true, it probably is. And, like the old Cold War saying goes, “trust but verify.”

“If something seems like it happened out of the blue, and it’s something you would like, you should find a way to check the authenticity of that person,” says Thompson. “Look up Houzz’ number – don’t trust the number they provided to you.”

Another easy channel into a company is to make a job offer the target can’t refuse. “The exact great job, sent to the exact right person, from someone who seems legitimate and communicates frequently — and they have a link to malware that compromises the system,” says Thompson.