Description:

Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims. Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate phishing email than it is to break through a computer’s defenses.

Phishing and Social Networks represent major exposures that serious attackers regularly use to gather information and lay the foundation for a future attack. Phishing has become so sophisticated that companies find it very difficult to reduce the attacker success rate below 10 percent, whether through systems that automatically recognize initial attack forays, by having employees refrain from clicking a malicious link, or both. Social Networks, e.g., LinkedIn, also pose risks because an attacker can see who holds what position in what company and who is connected to whom, all very useful clues for assembling the initial stages of an intended attack. Even a person’s college or university can be used by an attacker to craft an email message that looks like it came from that school, and the recipient is likely to click on something of interest from a seemingly familiar source. Again, the proliferation of vendors that provide products and services in this area means that utilities will benefit from an independent analysis and communication of Best Practices that can save time and create a higher likelihood of making good solution choices going forward.

Educational Institution Connections:

Protect Our Power is seeking an Educational Institution to develop information within this Topic for use by North American Electric Utilities. Contact Erick Ford at EFord@ProtectOurPower.org for more information or to recommend an Educational Institution.