Phishing is one of the oldest and most effective attacks out there. It gets attackers into your network, lets them impersonate you, and often ends with them in control of your computer or phone. Criminals have used it to steal millions from people around the world and to get at sensitive personal and business data. In this blog post, I'll give you a few tips on how to protect yourself from phishing scams and explain why it's a threat to your business.
Phishing is a type of cyberattack in which a targeted person or business is contacted by email, phone, or text by someone posing as a legitimate institution in order to lure the target into handing over sensitive data. From payment information to logins and passwords, phishers use social engineering techniques to trick their targets into divulging information that can then be used against them.
Email phishing is the most common type. Attackers send emails impersonating or spoofing a known sender and, using social engineering, create a sense of urgency to lead the user to click a link, download malware, or divulge sensitive information.
Most organizations now serve their websites over hypertext transfer protocol secure (HTTPS), so the padlock icon by itself no longer says anything about legitimacy: HTTPS only encrypts the connection, and phishing sites use it too. Attackers will often shorten the URL or hide the link behind text or a button to keep the user from seeing the real, long-form web address.
Spear phishing, a tactic commonly used in Business Email Compromise (BEC), starts with open source intelligence (OSINT): the phisher gathers information from publicly available sources like social media or the company's website. With that information, the scammer targets specific individuals within the company, using the details sourced online to impersonate a trusted party and coerce the targeted person into taking whatever action the scammer wants.
Similar to spear phishing, whaling or CEO fraud uses OSINT to skim social media and corporate websites for information on the company's CEO or another senior leader. The phisher then impersonates that person and sends what look like internal emails to the impersonated individual's subordinates, leveraging the power dynamic to get the targeted user to take action, usually sending money.
Vishing is when an attacker calls a phone number and creates a heightened sense of urgency to push the receiver into acting against their own interest. Scammers often time these calls around stereotypically stressful periods, for example fraudulent Internal Revenue Service (IRS) calls during tax season. Caller ID is trivially spoofed, so a familiar number on the display proves nothing about who is actually calling.
Smishing uses SMS to get targeted individuals to take action via text message. These messages can include links to malicious websites or to fraudulent apps.
Angler phishing is when a scammer uses the direct messaging features of social media platforms to coerce a targeted individual into taking action. The messages often contain links to malicious websites or ask invasive questions to get the target to divulge information.
In pharming, scammers hijack or poison a Domain Name System (DNS) server so that when a user types in a legitimate web address, the lookup returns a malicious website's IP address instead of the real one. Because the address bar still shows the name the user typed, a browser certificate warning is often the only visible sign that something is wrong.
Even with pop-up blockers, pop-up phishing is still something to be aware of. Scammers now take advantage of the browser "notifications" feature, which pop-up blockers don't stop. Clicking "Allow" on a malicious website lets it keep pushing messages that lead to malware or other unwanted software.
Clone phishing copies a legitimate email from a service the target uses regularly and swaps in a malicious link or attachment. Cybercriminals learn which business applications require users to click links as part of their daily work, research which of those the targets use, and send emails that appear to come from those services.
An evil twin or man-in-the-middle (MitM) phishing attack uses a fake Wi-Fi hotspot that a scammer sets up to look like a legitimate one. Anyone who connects sends their traffic through the scammer, who can read whatever goes out unencrypted, redirect DNS lookups, or present a fake captive-portal login page to harvest credentials. TLS protects the contents of HTTPS sessions, so the attacker's usual play is to get the victim to type credentials into a page the attacker controls.
In a watering hole attack, scammers research which websites a particular company's employees visit often, then compromise one of those sites so that it serves malicious downloads to its visitors.
If it seems too good to be true, it is: Did you recently win the lottery, inherit millions of dollars from a relative you've never heard of, or win an all-expenses-paid trip to a tropical island of your choosing? Of course not. These "offers" are designed to grab your attention and motivate you to act fast, without any forethought, so that you hand over sensitive information in exchange for a "prize" that doesn't exist.
A sense of urgency: Phishers will often be overly assertive and push you to act quickly. The deal is only for a limited time, this is an emergency, you must act fast to take advantage of this loophole, and the list goes on. There will always be an excuse for why they want you to act now, but the truth is that rushing you is the tactic that works best for them; what they want is your personal information.
Attachments: Attachments can carry malware, ransomware included; opening the file and clicking through an "enable content" or similar prompt is what runs the payload. Be skeptical of any attachment, especially if you weren't expecting the email. Pay attention to the file name, file size, and above all the file extension: a double extension such as invoice.pdf.exe is an executable dressed up as a document.
Hyperlinks: On a computer you can hover over any hyperlink to see where it actually leads (on a phone, long-press it instead of tapping). The destination can be a completely different website from the one the text suggests, or a site you frequently visit with a slight misspelling in the domain. Be wary of any email that looks off and always check before clicking, just to be safe.
Always check the sender's address: the display name on an email is free text that the sender chooses, so it may say "Susan Flowers" while the actual address belongs to a scammer. Always check the full address, not just the name. Even that is not proof: the address itself can be forged when the sending domain hasn't deployed SPF, DKIM and DMARC, so if anything else is off, verify through another channel.
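The three checks above (attachments, hyperlinks, sender address), plus the shortened-link and lookalike-domain points from the email phishing section, can be turned into a small script. The following is an added example, not code from the original post or from CDS, that scans a constructed sample email for those red flags. The addresses, domains, link and attachment name in the sample are made up for illustration; the lists of trusted domains, URL shorteners and risky extensions are assumptions that a real deployment would tune.

```python
# Added example with constructed data (not code from the original post or from CDS).
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions a real deployment would tune: the domains the organisation trusts,
# shorteners that hide a link's destination, extensions that run code when opened.
TRUSTED_DOMAINS = {"trustedbank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
# Constructed sample (not a real phishing email): a friendly display name on a
# lookalike domain, link text that disagrees with its href, a double-extension attachment.
SAMPLE_EMAIL = b"""\
From: "Susan Flowers" <billing-update@trustedbank-secure.example>
Subject: URGENT: your account will be suspended today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account is on hold. Confirm now: <a href="https://bit.ly/3xAmPle">https://portal.trustedbank.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; bare 'www.x.example/path' link text counts as a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def looks_like_trusted(host):
    """Typosquat or brand-in-hostname: close to a trusted domain without being it."""
    if not host or any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    return any(t.split(".")[0] in host or SequenceMatcher(None, host, t).ratio() > 0.8
               for t in TRUSTED_DOMAINS)

def analyze(raw):
    """Return human-readable red flags found in a raw email (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # 1. Sender: the display name is free text chosen by the sender; only the address matters.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    if looks_like_trusted(sender_host):
        flags.append(f"sender {addr!r} (shown as {name!r}) is a lookalike of a trusted domain")
    # 2. Links: compare where the visible text says it goes with where href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if target in SHORTENERS:
                flags.append(f"shortened link hides its destination: {href}")
            if re.match(r"^(https?://|www\.)", text) and host_of(text) != target:
                flags.append(f"link text says {host_of(text)!r} but goes to {target!r}")
            if looks_like_trusted(target):
                flags.append(f"link host {target!r} is a lookalike of a trusted domain")
    # 3. Attachments: executable extensions, and double extensions like invoice.pdf.exe.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        pieces = fname.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            flags.append(f"attachment {fname!r} has executable extension .{pieces[-1]}")
        if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_EXTENSIONS:
            flags.append(f"attachment {fname!r} uses a double extension to look like a document")
    return flags

if __name__ == "__main__":
    for flag in analyze(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Running it against the sample reports five flags: the lookalike sender domain, the shortened link, the mismatch between the link text and its real destination, the executable extension, and the double extension. The mismatch check only fires when the visible text itself looks like a URL, because that is the case where the reader is being told a destination; a link labelled "Confirm now" has to be judged by its target alone. A genuinely clean text-only message produces no flags.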
Phishing techniques are evolving along with our technology. Here are some things you can do to prevent phishing attacks on you and your business:
Spam filters: Spam filters are a great way to keep fraudulent emails from ever reaching your inbox. They assess where the message came from, how it was sent, the appearance of the message, and many other factors to decide whether it's legitimate. Sometimes the filter gets it wrong and quarantines an email that should have gone through, but when it comes to cybersecurity it's better to err on the side of caution.
Check your browser's settings: Most browsers can warn you before you enter a website they have flagged as deceptive or dangerous. Make sure this protection is turned on in your browser of choice, and verify that it's working.
Good password habits: Something easy that helps against all kinds of breaches is good password hygiene. Use a different password for every login, so that one phished password doesn't open every account, and change any password you suspect has been exposed. A password manager like RememBear makes unique passwords practical and can generate new ones for you. Where a service offers multi-factor authentication, turn it on; a stolen password alone then isn't enough.
Check your sources: If you're in doubt about an email, you can always reach out to the sender to verify that the message is legitimate. Use contact information that you find and verify yourself, not the details provided in the message in question, as those could be fraudulent too. Double-checking is a good habit to adopt: it keeps you vigilant against cyberattacks and strengthens your relationship with the party you're reaching out to.
Invest in Managed IT services: A Managed IT service provider like CDS can take the stress of cybersecurity off your business and help stop attacks before they do damage. To schedule a free IT consultation and review whether your current IT infrastructure is ready for today's ever-evolving cyberthreats, click below.
Beyond copiers and printers, CDS offers a full suite of technology solutions ranging from Managed Print Services, to Managed IT Services, and Project-Based IT Services, providing our customers a Single Source for all their business technology needs.