Phishing is a type of social engineering in which an attacker sends a fake message designed to trick a person into revealing sensitive information or to deploy malicious software, such as ransomware, on the victim’s infrastructure. Phishing attacks have become increasingly sophisticated and often transparently mirror legitimate websites, allowing the attacker to observe everything the victim does while navigating the site and to traverse any security boundaries along with the victim.
Types of Phishing
- Spear — Spear phishing involves an attacker directly targeting a specific organization or person with tailored phishing emails. These emails can deliver shortened links, which may lead to downloads containing malware. The risk of these links is impossible to judge from the link itself, because shortened links have no standard URL that shows where they lead.
- Whaling — Whaling refers to spear phishing attacks directed specifically at senior executives and other high-profile targets.
- Voice — Attackers may call directly or utilize applications to dial a large quantity of telephone numbers and play recordings which impersonate organizations to make false claims of fraud on the victim’s accounts.
- Text — Similar to email phishing, except attackers use cell phone text messages to deliver the "bait."
- Page Hijacking — Attackers compromise legitimate web pages in order to redirect users to a malicious website.
Avoid Being A Victim
- Do not reveal personal or financial information in an email, do not respond to email solicitations for information, and do not follow links in these emails.
- Before sending or entering sensitive information online, check the security of the website. Make sure you see https:// in the address. The “s” stands for secure: the connection to the site is encrypted, which does not by itself mean the site is legitimate.
- Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly, not by using information provided in the email.
- Keep all software on internet-connected devices up to date to reduce the risk of infection from malware.
- Use multi-factor authentication with as many apps, accounts, and social platforms as you can.
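The URL checks in the list above (https, spelling variations, a different domain) and the shortened-link risk noted under spear phishing can be automated, for example in a mail filter or link-review tool. The following is an added example, not part of the original page; the trusted domain `examplebank.com`, the shortener list, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions): replace with your organization's lists.
TRUSTED = {"examplebank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return warnings for a link. An empty list means none of these
    checks fired, not that the link is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if host in SHORTENERS:
        # The real destination is hidden until the link is resolved.
        return warnings + ["shortened-link"]
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return warnings
    labels = host.split(".")
    # Naive registered-domain guess; a production tool would use the Public Suffix List.
    registered = ".".join(labels[-2:])
    for d in TRUSTED:
        name = d.split(".")[0]
        if d in host:
            warnings.append(f"trusted-name-inside-other-domain:{d}")
        elif labels[-2:-1] == [name]:
            warnings.append(f"same-name-different-domain:{d}")
        elif 0 < edit_distance(registered, d) <= 2:
            warnings.append(f"lookalike-spelling:{d}")
    return warnings
```
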
What if You Are A Victim?
- If the attack happens on your work computer, report it to the appropriate people in your organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If the attack happens on your personal computer, consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.
- Watch for any unauthorized charges to your account. If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).