Phishing Awareness Campaign

Dear User,

The link you clicked on is part of a phishing campaign that CERTAINITY has conducted as part of a security assessment.

First of all, we would like to reassure you that anyone can find themselves unintentionally clicking on an unsafe link. It is important to know that this happens more often than you might think and is not directly caused by a lack of attention or caution. We live in a digital world where such dangers lurk, but together we can respond effectively and learn from them. Nevertheless, phishing should not be taken lightly. Successful phishing campaigns result in billions of dollars in losses for companies every year, so it is essential to know how to react in such a situation.

In the next steps, we will inform you about the best way to protect your data and avoid similar situations in the future.

Reporting

Of course, you may feel uncomfortable at first having clicked on a phishing link or even having entered your user data somewhere, and you may want to just ignore it and hope for the best. But that’s exactly what you should never do! It is important that you inform the person responsible for IT security in your company about it. Even if you have recognized a phishing email and haven’t clicked on anything, you can still help your colleagues by reporting it. They can be warned that malicious emails are in circulation or the IT department can prevent similar malicious emails from being delivered.

Please familiarize yourself with the internal processes in your company for reporting phishing emails and security incidents.

Password reset and 2FA

Many attackers target the access data for internal systems and users, so resetting passwords is a very effective measure to make the collected access data unusable. If the affected systems allow you to reset your password directly, you should do so immediately.

If the logins support a second factor such as an authenticator app (2FA) or, even better, a hardware key, this is also a very effective way to make access more difficult for attackers. While it is not impossible to phish 2FA access, it does increase the likelihood that a phishing attack will not be successful. A password reset should still be performed even if 2FA was already enabled.

How can I detect phishing?

High-quality phishing e-mails are extremely difficult to recognize. In general, the following can help:

  • Be skeptical of unexpected e-mails, especially if they request urgent action such as entering personal information or if they threaten you with consequences.
  • Pay attention to the salutation and language in the email. Especially when attackers pretend to be internal employees, you can get a good gut feeling for whether texts are too formal or contain too many mistakes. If you are unsure, you can also contact the colleague directly and ask. However, no contact information from the email itself should be used. Find the corresponding phone number or email address in the internal address book.
  • Check the sender in the email header to see if it was sent from an unexpected email address. If only a name is displayed, you can (depending on the email program) see the full email address by hovering over it or right-clicking on the sender. Particular attention should be paid here to minor changes such as inconspicuous spelling mistakes (e.g. n for m or 1 for l), additional words (e.g. “app” or “info”) and changed domain extensions (e.g. .net instead of .com).
  • Don't click on links in emails or messages if you're not sure if they're legitimate. The link displayed may not be for the page that is accessed when you click on it. The real link can be displayed with a “mouse-over”. Be on the lookout for similar manipulations as described in the previous step. If you are unsure, access the website of the alleged sender directly via your browser by entering the original URL manually or accessing it via a bookmark. Never use the information from suspicious emails.
  • Watch not only for e-mails, but also for SMS messages with similar indicators.
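The sender checks in the list above (look-alike characters such as n for m or 1 for l, added words such as "app" or "info", and a changed domain extension) can be expressed as a small screening rule. The following is an added example, not part of the original page or of any CERTAINITY tooling; the legitimate domain example.com, the list of added words and the sample From: headers are assumptions constructed for illustration.

```python
import re

# Assumed legitimate organisation domain (constructed for this example).
LEGITIMATE_DOMAIN = "example.com"

# Look-alike substitutions from the guidance above (n for m, 1 for l) plus a few
# common ones; each pair is folded to one canonical character before comparing.
FOLD = (("rn", "m"), ("n", "m"), ("1", "l"), ("i", "l"), ("0", "o"), ("vv", "w"))
# Words attackers bolt onto a legitimate name (e.g. "app", "info"); assumed list.
ADDED_WORDS = ("app", "info", "mail", "secure", "login", "support")


def sender_domain(header_value):
    """Extract the lower-cased domain from a From: header such as 'Name <a@b.com>'."""
    addr = header_value.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def fold(label):
    """Map confusable characters onto one canonical form so look-alikes compare equal."""
    for lookalike, canonical in FOLD:
        label = label.replace(lookalike, canonical)
    return label


def classify_domain(domain, legitimate=LEGITIMATE_DOMAIN):
    """Return 'legitimate' or the kind of manipulation the domain resembles."""
    if domain == legitimate or domain.endswith("." + legitimate):
        return "legitimate"               # the real domain or one of its subdomains
    name, _, tld = legitimate.rpartition(".")
    dname, _, dtld = domain.rpartition(".")
    if dname == name and dtld != tld:
        return "changed-extension"        # example.net instead of example.com
    squashed = re.sub(r"[-.]", "", dname)
    if any(squashed in (name + w, w + name) for w in ADDED_WORDS):
        return "added-word"               # example-app.com, infoexample.com
    if dtld == tld and fold(dname) == fold(name):
        return "look-alike-character"     # examp1e.com, exarnple.com, exanple.com
    return "unrelated"


def check_sender(header_value):
    """Pair the extracted sender domain with its verdict."""
    domain = sender_domain(header_value)
    return domain, (classify_domain(domain) if domain else "no-address")


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real campaign.
    for hdr in ("IT Support <it-support@example.com>", "it-support@examp1e.com",
                "HR <hr@example-app.com>", "hr@example.net", "news@attacker.net"):
        print(f"{hdr:40} -> {check_sender(hdr)[1]}")
```

A verdict other than "legitimate" is a reason to verify the sender through the internal address book rather than through anything in the message itself; the rule is a screening aid, not a proof that a message is safe.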

The following video (in German, use subtitles) from the Bundesamt für Sicherheit in der Informationstechnik (BSI) illustrates these steps again: