Avoid getting hooked by phishing scams
October 05, 2016
Rarely a day goes by without our news and social media feeds informing us of yet another big security breach of yet another well known organization's information. We hear about the biggest breaches and hacking attacks, which can happen to anyone, including technology companies like Dropbox, and even NBA teams. What we don’t hear about are the thousands of attacks on small to medium businesses – the ones that don’t make the headlines.
A motley variety of cyber security threats, including DDoS attacks, hackers, ransomware, viruses, malware and data breaches, is an almost everyday presence. They lurk menacingly outside your network's walls and wait for the slightest crack to open so they can invade. Your company's network may be fully updated with the latest patches and equipped with the best firewall, anti-virus/anti-malware and spam blocking solutions available, but even the most heavily armed fortress can easily be conquered if a well-meaning but oblivious employee is unknowingly holding the back door open for the bad guys to get in. One of the most prevalent forms of cyber attack, known as phishing, is specifically designed to exploit this human error factor.
What is Phishing?
Phishing scams attempt to get a target to provide their (or their organization's) confidential data – including login usernames, passwords, financial information, credit card numbers, personal info such as names, addresses, date of birth, etc... – by impersonating a legitimate company via email. Phishing emails often appear to be sent from a known and trusted company, and are designed to entice the target to click on a link, which may then lead to a malware infected website, or to a fake website asking the target to enter their login and password. Spoofed emails may also contain file attachments, which can contain malicious code.
Here's an example: a user receives an email which appears to be a purchase receipt from an online retailer like Amazon.com. The email looks and feels like an Amazon.com receipt, and the FROM line of the email may even look like it comes from Amazon.com – but is actually from Amaz0n.com (note the letter “o” was replaced with the number zero “0”). The user becomes alarmed since they did NOT place any order and immediately clicks a link within the email to check their account. The link leads to a website that looks and feels like Amazon.com but isn't – and the target is prompted to log in to their account. Once that information is entered, it is delivered into the hands of the criminal who sent the email. The hapless target has been successfully phished and just gave away their Amazon.com account info.
A more targeted form of phishing known as “spear phishing” incorporates a bit of known information into an attack to make a fraudulent email appear legitimate. For example, a spear phishing email could use the target's name instead of a generic greeting, since a personalized email would seem more genuine. Or, it could be as involved as the CEO phishing scam. With a little research on LinkedIn, criminals can obtain the names of the CEO and accounting personnel at an organization. They would then create a phishing message with a spoofed email address designed to fool accounting into thinking the email is coming from the CEO and containing urgent instructions to wire funds to a specific account number.
Phishing Scammers Take Advantage of User's Fear
With IT security making headlines in the news, virtually everyone is aware of the threat of hackers and viruses. Many online service providers have increased their security measures and will notify customers whenever they detect suspicious or unusual activity. Most of us have seen this type of email after mistyping a password or logging in to our account from a new device. The security notification will advise the user that an unusual login has been detected and direct them to review their sign-in activity, confirm it was legitimate, or reset their password.
Ironically, cybercriminals take advantage of these increased security measures and use them to exploit users – by sending phishing emails designed to look like a security notification. Users then click on a link thinking they are protecting their account, and inadvertently give up their information to scammers.
The Yahoo! Hack and Phishing
One of the biggest data breaches in recent news is that of the technology giant Yahoo!, with news sources reporting that hackers managed to obtain the information of at least 500 million Yahoo! users. The stolen information includes names, email addresses, telephone numbers, dates of birth, payment information, encrypted or unencrypted security questions and answers, and encrypted passwords. Even though the breach occurred in 2014, it was not publicly disclosed by Yahoo! until September of 2016 and has the dubious distinction of being the largest known data breach in history (by far).
Since the Yahoo! breach was widely reported, scammers are sending out phishing notices advising users to change their passwords. As we already discussed above, if users are not careful, they click on the fake links believing that they are securing their accounts, when actually they are playing directly into the hands of the impostors.
Don't Become a Statistic
One may be surprised at how prevalent phishing attacks are and how many people they affect. Check out the numbers below:
- 91% of successful data hacks started with a spear phishing email
- 75 MILLION phishing emails are sent and 2,000 users fall victim every day
- 9 out of 10 phishing emails lead to a ransomware attack
As seen above, phishing attacks are running rampant and almost anyone can fall prey if they are not careful. Fortunately, there are ways to avoid it.
How to Avoid Getting Scammed
So here's the good news: with a little education and security awareness, users can learn how to spot phishing emails and avoid falling victim to fraud.
- Check the email salutation
Authentic emails from a company that you do business with will most likely be personalized with your name ("Dear John"). Since phishing scammers don't always have this info (they are trying to get it), fraudulent emails will have a more generic greeting ("Dear Customer"). However, as spear phishing attacks are on the rise, it would be prudent to check for other red flags as well.
- Check the URL
If you receive an email with a link, hover your cursor over the hyperlink to check the URL. The URL will appear at the bottom of the message window or in a pop-up bubble. If the URL shows anything other than what you expected, don't click on it. For example, when hovering over a link in an email claiming to be from Facebook, the URL's domain should end in facebook.com, NOT facebook.login.com.
- Type the URL in yourself
Better yet, make a habit of NEVER clicking on links within an email and just type the URL directly into the browser itself (or use your bookmarks). This is the best way to ensure that the website you're visiting is what it says it is.
- Don't Open Attachments
If you receive an attachment that you were not expecting, be extra cautious. Verify its authenticity directly with the sender and never open any type of attachment from an unknown sender. While a file attachment like .exe is an obvious red flag, also be wary of document files such as .docx, .xlsx and .pdf, which can contain malicious macros.
- Turn Off AutoFill
As convenient as the autofill feature offered by your browser may be, it can potentially make it too easy to rush through and submit a form without thinking. The few extra seconds of typing saved may not be worth sacrificing some security.
- Take Advantage of your Email Provider's Built-In Security Features
Many email providers, such as Office 365 and Gmail, offer built-in security features to help protect their users. For example, Office 365 uses color coding to warn a user of suspicious emails. Do a little research and learn how these features work so you know what to expect when a malicious email is received.
- Use Two-Factor Authentication
In the event that you let your guard down and accidentally disclose your password to a hacker, two-factor authentication can ensure that they still cannot access your account and do any damage without also having your mobile device.
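The "Check the URL" tip and the Amaz0n.com example above both come down to one question: does the hovered link's host actually belong to the brand the email claims to be from? The following Python is an added example written for this article, not code from the original post or from AllSafe IT. It applies the two rules the text gives (the host must be the brand's domain or a subdomain of it, so login.facebook.com passes but facebook.login.com fails, and digit-for-letter swaps such as the zero in Amaz0n.com are flagged as lookalikes). The confusable-character table and the sample links are constructed for the demonstration, and the expected brand domain is assumed to be a registrable domain such as facebook.com; a production filter would consult the Public Suffix List instead of taking that on trust.

```python
"""Classify a hovered email link against the brand the email claims to be from.

Added example for the phishing-awareness article; assumes the expected brand
domain is a registrable domain (e.g. "facebook.com"). Constructed inputs only.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed table of digit-for-letter swaps commonly used in lookalike
# domains ("amaz0n.com" -> "amazon.com"). Deliberately small; not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased host of an http(s) URL, or None if there is none.

    urlsplit().hostname already discards any "user:pass@" prefix and ":port",
    so "https://facebook.com@evil.example/" yields "evil.example", not the
    brand name that was placed before the "@" to mislead the reader.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # "amazon.com." is the same host as "amazon.com"


def belongs_to(host: str, expected: str) -> bool:
    """True if host is `expected` itself or a subdomain of it.

    The leading dot is what separates login.facebook.com (a subdomain of
    facebook.com) from facebook.login.com (a subdomain of login.com, owned by
    whoever registered login.com).
    """
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def classify_link(url: str, expected_domain: str) -> str:
    """Return "ok", "lookalike: ...", "mismatch: ..." or "suspicious: ..."."""
    host = hostname_of(url)
    if host is None:
        return "suspicious: no usable host (non-http scheme or empty host)"
    if belongs_to(host, expected_domain):
        return "ok"
    # Undo common digit substitutions; if the host only matches the brand
    # after that, it was built to look like the brand.
    normalized = host.translate(CONFUSABLES)
    if belongs_to(normalized, expected_domain.translate(CONFUSABLES)):
        return f"lookalike: {host} imitates {expected_domain}"
    brand = expected_domain.split(".")[0]
    if brand in host:
        return f"mismatch: brand name present but host is {host}, not {expected_domain}"
    return f"mismatch: host is {host}, not {expected_domain}"


def scan_links(claimed_brand_domain: str, urls):
    """Classify every link in a message that claims to come from one brand."""
    return {url: classify_link(url, claimed_brand_domain) for url in urls}


if __name__ == "__main__":
    # Constructed sample links from a message claiming to be from Amazon.com.
    sample = [
        "https://www.amazon.com/gp/your-account",   # genuine subdomain
        "https://amaz0n.com/login",                  # zero for "o"
        "https://amazon.login.example/",             # brand as a leading label
        "https://amazon.com@evil.example/account",   # brand before "@"
    ]
    for link, verdict in scan_links("amazon.com", sample).items():
        print(f"{verdict:60} {link}")
```

The verdict strings are meant for a human reviewer (the "thumbs up/down" on a questionable email mentioned later in the article), so a mail-filtering rule would treat anything other than "ok" as a reason to quarantine or warn rather than block outright.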
How AllSafe IT Can Help
While the tips above can help users identify fraudulent emails and avoid getting phished, keep in mind that cyber criminals are constantly evolving and developing new tricks to steal data. If in doubt, companies should lean on their IT professionals for guidance and security management. AllSafe IT is dedicated to protecting clients' sensitive data and will assist in any way we can, from providing comprehensive spam protection, firewall management and compliance management solutions, to simply reviewing questionable emails and giving a thumbs up/down on whether or not they can be trusted. Most importantly, AllSafe IT is dedicated to educating our clients on the latest security threats/risks and how to protect against them through informative articles as well as the Learning Center in our AllSafe App.