Protecting Your Business Against a Phishing Attack
Last week, we published an article about Minimizing the Risk of a Data Breach and described some of the types of cyber-attack that have the potential to wreak havoc with your systems and confidential data.
Phishing is the predominant method used by fraudsters to obtain confidential information including usernames, passwords and credit card details, by disguising themselves as a trustworthy user or entity.
Such attacks are typically carried out by email spoofing or instant messaging, often directing users to enter personal information at a fake website that matches the look and feel of the legitimate site.
Very few organizations have the knowledge and expertise required to protect themselves against this type of cyber-crime. Recovering from a ‘successful’ phishing attack can cost a medium sized business more that a million dollars, so it’s absolutely vital for companies to understand how to identify a phishing scam and ensure their employees are made fully aware of the risks these attacks pose.
What is a Phishing?
Phishing is a type of scam whereby cyber-criminals masquerade as a trusted individual, organization or other respected entity. Their primary objective is to trick their target into disclosing confidential information such as login credentials, bank account or credit card details and personally identifiable information.
Hackers can then use this information to gain easy access to the target’s online accounts, often resulting in the loss of significant, sometime substantial, sums of money.
Even when a targeted company does not suffer financial loss, the hackers often cause severe disruption by stealing sensitive customer data which, if deemed an avoidable data breach, can lead to punitive fines and reputational damage.
Originally, phishing attacks were executed exclusively via email. However, more recently there has been a noticeable rise in the numbers of phishing scams conducted via phone calls and text messages. There has also been a dramatic rise in ‘spear phishing’.
According to Technopedia, there is a subtle difference between spear phishing and a regular phishing attempt. With spear phishing, an email appears to come from an organization that is closer to the target, such as a particular company. The hacker's goal is to gain access to trusted information. This can be as simple as looking up the name of a CEO from a corporate website and then sending what appears to be a message from the boss to email accounts on the corporate domain.
The prompts, or ‘calls-to-action’ contained in spear phishing emails are not easily identifiable. Typical examples are messages ostensibly from an employer, or the company’s bank, requesting an important document to be signed, or asking for account details to be updated respectively.
Phishing Emails Containing Ransomware
Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
In November, 2016, PhishMe Inc., a leading provider of human phishing defense solutions, released a report revealing that the amount of phishing emails containing a form of ransomware had increased from 92 percent in Q1 of 2016, to a staggering 97 percent during the third quarter of that year.
Ransomware is most often spread by attachments in fraudulent emails. Once opened by the unsuspecting recipient, the attached files begin to download the ransomware directly on to the device, be it a computer, tablet or smartphone.
The risks associated with phishing attempts are extremely high. It is therefore vital that organizations understand how to identify a phishing scam.
Six Identifiers of a Phishing Scam
ERRORS IN SPELLING AND GRAMMAR
The most obvious way to tell if an email is legitimate, or a scam, is by carefully reading the text of the message, to spot any spelling mistakes or grammatical errors. If your bank were to send you an email requesting that you update your account details, it is most unlikely that the message would contain such errors.
LOGO, NAMES AND NUMBERS
Don’t be fooled by the appearance of an official logo, a genuine phone number or even the name of a real person who works for the sender’s company in the email. This is a common trick by scammers, to fool the recipient into believing the email is genuine.
EMAIL FROM A COLLEAGUE
If you receive an email purporting to be from a work colleague, sent out of hours, or that contains unusually poor spelling, be vigilant and check with the sender before clicking on any links in the email.
A common method that cyber criminals use in an attempt to coax their targets to give up their personal information or click on links that download a malicious file, is to make personal threats. One particularly unsavory email that scammers send states that they have recorded the recipient visiting pornography websites and threaten to send the video to everyone in the recipient’s contacts list, unless a bitcoin payment is made directly to them.
URGENT ACTION REQUIRED
Increasingly, hackers try to create a sense of urgency, in order to make the recipient unaware of more obvious indications that the email is part of a scam. A common way of achieving this is to suggest that one of the recipient’s online accounts has been compromised and needs to be reset. Often, a ‘reset’ link in the email leads to a fake version of the website, where the users new login credentials can be recorded, allowing the hacker free access to the target’s personal information.
This is where the target recipient receives an email from an unknown sender, containing a file attachment with a strange name. Similar to email messages that contains a link, the true destination URL can be revealed by hovering the mouse cursor over the URL.
TECH SUPPORT COLD CALL SCAMS
Tech support cold calls are when a scammer calls a potential victim claiming to be from a reputable security company. They lie and say they found malware on the victim’s computer.
The criminal pretends to offer a solution by getting the user to install a type of remote desktop software. This allows the attacker access to the computer in order to install real malware. In addition to attempting to install malware on the machine, these scammers will often ask for a fee to “fix” the issue.
How to help protect yourself against tech support call scams:
If a person calls claiming to work for a specific, well-known company, look up the phone number online and tell them you will call them back.
Never allow remote access to your computer.
How to Safeguard Against Phishing Attacks
In many cases it is pretty obvious when an email message is an attempt to trick the recipient into clicking on a link, or opening an attached file. Unfortunately however, some emails are expertly crafted by ‘better educated’ scammers, who can write eloquent, error-free messages, that may slip through the net when simply relying on the tell-tale signs described above.
Fortunately, there are ways to minimize risk, and protect against these phishing scams:
Most people know that installing up-to-date antivirus software is vital - not only for the protection of devices connected to the internet, but also to protect your business itself. Antivirus products from trusted vendors such as McAfee, Symantec/Norton, Trend and Kaspersky help to protect against all manner of threats. Some antivirus products even include anti-phishing protection, by instantly scanning email attachments to determine whether they are safe or not. Most of these software products also regularly scan your device to ensure that any phishing scams that the user failed to notice are dealt with appropriately.
Virtual Private Network (VPN)
Increasingly, users are opting for the use of a Virtual Private Network for maintaining secure connections whilst online. This is particularly important when using public WiFi connections to access confidential or sensitive information.
The use of public WiFi networks often present additional security threats and are best avoided, unless you have an effective VPN solution, such as NordVPN, ProtonVPV or Private Internet Access VPN, that encrypt your data whenever you are online.
Never log in to your bank account or access sensitive company information while on an unsecured network. Doing so not only puts you at risk from phishing attacks but also man-in-the-middle attacks and other malicious practices.
Using an email filter alone won’t guarantee that you don’t receive any malicious emails, but it certainly helps. Some email providers have more effective spam and junk mail filters, so it’s worth researching before choosing which email service you want to use.
If you have a particular concern about threats posed by phishing emails, you can easily disable all hyperlinks in your email software settings. Of course, the down-side to this action, is while it will prevent inbound emails from embedding potentially dangerous links, it will also prevent you receiving links in emails from legitimate senders.
Educate your staff
It is imperative that all employees who use computers and other connected devices are trained to spot suspect emails, particularly those which contain attachments and/or hyperlinks. Your IT department staff may recognize tell-tale signs of a phishing email, but if other employees are not so aware your entire network could be at risk.
Finally, if you suspect you may have been the target of a phishing scam, we suggest that you immediately take the following steps:
Change your passwords. Your computer, financial institutions, and any password-protected websites that you visit should be updated.
Run a Full System Scan for viruses on your computer.
Contact your bank to report that you may have been the victim of fraud.
Use your antivirus software to scan your computer. If you have not yet installed an antivirus software product, you might consider tools such as Norton Power Eraser. This software can help to detect more complex threats than some traditional antivirus programs.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.