Avoid Getting Hooked This Phishing Season!
By Roger Murray | May 31st, 2016
Phishing season is in full swing, with increasingly sophisticated and deceptive methods that can hook even the savviest of us into providing confidential information. That is why we found it fitting to round up a few examples of the most common and prevalent attacks we have faced this year, and to demonstrate ways to identify them and avoid putting your own or your company’s sensitive data at risk.
Although we’ve discussed phishing before, it is a topic that requires our attention as the campaigns continue to evolve and the implications for businesses and individuals become more profound.
Managing Sensitive Data:
An attack can start from someone within your organization unknowingly opening an attachment or link from what they believe to be a trusted source, including emails from within the same organization or from a client they’ve frequently corresponded with. These links or attachments carry embedded code that can not only infect your network with ransomware, but also provide unauthorized access to someone on the outside. In fact, according to Verizon, an astonishing 67% of cyber espionage incidents begin with a phishing email.
Take the recently publicized, not to mention successful, attack against the Milwaukee Bucks when an email impersonating the team president Peter Feigin was sent requesting W-2s. Naturally, an employee replied, attaching the 2015 tax records for all Bucks’ employees, including athletes. It provided salaries, social security numbers, and addresses for anyone on payroll that year. This sensitive information is now in the hands of phishers, who are capable of tampering with the financial health of victims, from an assistant to one of their most widely recognized NBA stars, Jabari Parker.
Tip: Never provide personal or financial data in an email, and do not respond to messages requesting this, especially if you are responsible for the safety/integrity of others’ information.
While you may take comfort in believing these attacks only occur at major organizations, think again. The IRS recently released an alert reporting an approximate 400 percent surge in phishing and malware incidents so far this year. These attacks affect individuals as well as SMBs and are normally directed toward Human Resources or Accounting professionals, in messages that appear to come from the President, CEO, or a high-ranking executive within the organization.
When in Doubt, Trust Your Gut:
There are two typical approaches used in phishing scams: either the phisher uses an email address similar to that of someone you know, or the phisher has already gained access to the network and is using someone’s real email credentials to impersonate them outright.
That is why, when opening any message, you should practice caution and be aware of today’s phishing techniques. Take a recent scam targeting a PR agency.
A journalist received an email from a known contact with whom she had worked in the past. However, being the sleuth she was, the journalist identified a few key inconsistencies between this message and others she had received before. For instance, the subject line was omitted, the message body was generic, and it requested that she click on a link which appeared to lead to a Dropbox page, when in fact it was a harvesting page that captured email credentials.
Thanks to the journalist’s suspicions, she was able to prevent the phishing scam from spreading through her network. Unfortunately, the same could not be said for the sender, who was already aware of two internal employees that had fallen for the scam, giving the phishers full access.
Tip: Trust your gut. If the message appears odd, don’t open it. Contact your IT department and delete the message.
Identifying a Phishing Attack:
Below are a few different types of phishing scams and ways to protect yourself:
– Pharming: A scheme where hackers tamper with the company’s hosts files or domain so that web visitors are redirected to a fake site, often resulting in customers entering confidential information or making purchases on a site that is controlled by the phishers, who capture the data. While shopping or entering your private information online, check that the URL of the site is authentic and look for the secure certificate.
– Executive Fraud: A style highlighted in this article where phishers use an email address resembling that of a decision maker to request data or payments from others within the company. This style of attack primarily targets human resources for data, or accounting to process a funds transfer. The easiest way to avoid it is to confirm with the sender in person before processing any type of transfer request made via email.
– Deceptive Phishing: Emails made to look like they come from a recognized source, requesting that you verify your account, re-enter information, or make a payment. This method is commonly used to collect details to access your bank account. These can be identified by generic greetings or a request for information that the source should already have on file.
– Google Docs / Dropbox Phishing: Also discussed in this article, this tactic sends a realistic-looking email with a link for recipients to download a shared document or enter their credentials. The objective of fraudulent Dropbox attacks is to install malware onto your computer. The Google Docs style approach instead requests account credential verification on a site that appears authentic; in reality it is owned by the phisher, who uses the information you enter to gain access to your Google account, Gmail, Google Play, and Android apps.
Tip: Remember to question emails requesting action, check the validity of links before clicking on them, never provide banking details or credentials via email, and finally, report suspicious emails to your IT department and notify the real sender.
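The warning signs listed above (a sender domain that merely resembles your own, an executive’s name on a mail from an outside domain, a Reply-To that diverts answers elsewhere, a missing subject line, and a “Dropbox” link whose visible text does not match where it really points) can be checked mechanically before a message reaches a person. The script below is an added illustration written for this article, not a tool from TSI or any vendor. It assumes a constructed organisation domain `example.com`, a constructed executive name “Jane Doe”, and two constructed sample messages; the mail format parsing uses only Python’s standard library.

```python
"""Heuristic checks for the phishing patterns described in this article.

Added example; ORG_DOMAIN, EXECUTIVES and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # constructed: your organisation's real mail domain
EXECUTIVES = {"jane doe"}           # constructed: names commonly impersonated
SHARING_HOSTS = {"dropbox.com", "www.dropbox.com", "docs.google.com", "drive.google.com"}
SHARING_BRANDS = ("dropbox", "google")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str, reference: str = ORG_DOMAIN) -> bool:
    """True when domain is not the reference but close enough to fool a reader."""
    if not domain or domain == reference:
        return False
    if reference.split(".")[0] in domain:      # e.g. example-com.net, example.co
        return True
    return levenshtein(domain, reference) <= 2  # e.g. examp1e.com


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html: str) -> list:
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # The visible text names one host while the link goes to another.
        if "://" in text or text.startswith("www."):
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
        # A sharing brand appears in the host name but it is not the brand's domain.
        if any(b in host for b in SHARING_BRANDS) and host not in SHARING_HOSTS:
            findings.append(f"sharing-service lookalike host {host}")
    return findings


def check_message(raw: str) -> list:
    """Return human-readable findings for one raw message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} resembles {ORG_DOMAIN}")
    if name.lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{name}' is an executive but domain is {from_domain}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_domain}")
    if not str(msg.get("Subject") or "").strip():
        findings.append("empty subject line")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content()))
    return findings


# Constructed samples: an executive-fraud mail with a fake Dropbox link, and a clean one.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payroll@mail-secure-docs.net
To: hr@example.com
Subject:
Content-Type: text/html; charset="utf-8"

<p>Please send the W-2s. File is here:
<a href="http://dropbox.com.login-verify.net/share">https://www.dropbox.com/s/abc</a></p>
"""

CLEAN = """\
From: Colleague <colleague@example.com>
To: hr@example.com
Subject: Lunch
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://www.dropbox.com/s/xyz">the menu</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, check_message(raw))
```

Run as a script, the suspicious sample produces six findings and the clean one none. Such heuristics complement, rather than replace, the human checks in the tips above: a legitimate subdomain of a sharing service will also trip the brand-name rule, so treat each finding as a reason to verify the message out of band, not as proof of fraud.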
Aside from today’s advanced phishing techniques, the most overlooked security risk behind data and information breaches is the human factor. TSI offers proactive tools to combat phishing attacks by providing real-world phishing simulations to test your staff and identify areas for improvement. However, the most important service we provide to prevent future phishing outbreaks is education. We complement our security tools by providing employee training to minimize the opportunities for a successful attack or breach. To learn more about how our phishing simulation security tests and educational trainings can benefit your organization, contact us today!