Password phishing attacks
It is estimated that approximately 65 to 70 percent of all email is SPAM or junk email. We feel that much of it consists of phishing attacks looking to trick users out of their logon credentials for different types of accounts (banking, financial, etc.). The good news for everyone is that anti-spam vendors and services have made great progress in handling SPAM and other junk email, so that we can have clean email inboxes. Unfortunately, we all still get several SPAM emails every day, and at least a few of them each week are good phishing replicas of legitimate emails.
A good phishing email looks legitimate and is often modelled on genuine emails from the person or company it imitates. The only thing that gives it away is the rogue link asking for confidential information.
The primary countermeasure to password phishing attacks is to have logons that can’t be given away. This means two-factor authentication (2FA), smartcards, biometrics and other out-of-band (e.g., phone call or SMS message) authentication methods. If you can enable something other than a simple logon name/password combination for your logons, and require only the stronger methods, then you’ve beaten the password-phishing game.
If you’re stuck with simple logon name/password combinations for one or more systems, make sure you use anti-phishing products or services that are as accurate as possible, and decrease the risk through better end-user education. I also love browsers that highlight the true domain name of a host in a URL string. That way windowsupdate.microsoft.com.malware.com, for example, is more obvious.
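The check a browser performs when it highlights the true domain can be reproduced in a mail filter or security-awareness tool. The Python below is an added example written for this article, not code from the article's author or from any browser vendor; it assumes a constructed, deliberately tiny subset of the public suffix list and a constructed list of trusted brand domains, and it flags a link as deceptive when a trusted brand appears as whole labels inside the host (as in windowsupdate.microsoft.com.malware.com) while the registrable domain belongs to someone else. It generalises the article's one example to any brand and to multi-label suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed, illustrative subset of the public suffix list (publicsuffix.org).
# A production check should load the full list; this subset exists only so the
# example runs offline.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed list of brand domains the organisation's users are expected to trust.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the domain the registrant actually controls: the longest matching
    public suffix plus one more label.  'windowsupdate.microsoft.com.malware.com'
    yields 'malware.com'; 'login.example-bank.co.uk' yields 'example-bank.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # No listed suffix matched: fall back to the last two labels.
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Split the URL the way a browser does and report whether a trusted brand
    appears in the host even though the host belongs to a different domain."""
    host = (urlsplit(url).hostname or "").lower()
    true_domain = registrable_domain(host) if host else ""
    # A brand 'appears' only as whole labels: '.microsoft.com.' inside '.host.',
    # so 'notmicrosoft.com' is not counted as an impersonation of microsoft.com.
    impersonated = sorted(
        brand for brand in TRUSTED_DOMAINS
        if f".{brand}." in f".{host}." and brand != true_domain
    )
    return {
        "host": host,
        "true_domain": true_domain,
        "impersonated_brands": impersonated,
        "deceptive": bool(impersonated),
    }


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email body.
    for link in (
        "https://windowsupdate.microsoft.com.malware.com/login",
        "https://windowsupdate.microsoft.com/",
        "https://login.example-bank.co.uk/account",
        "https://example-bank.co.uk.attacker.net/account",
    ):
        result = analyse_url(link)
        verdict = "DECEPTIVE" if result["deceptive"] else "ok"
        print(f"{verdict:9} {link} -> true domain: {result['true_domain']}")
```

The important design point is that the brand match is done on whole DNS labels and compared against the registrable domain, not against the raw string: a genuine microsoft.com subdomain contains the brand and is accepted, while the same brand sitting above a different registrable domain is reported.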
Finally, it is good practice to make sure your users know that you will never ask them to provide user account information in an email.