Cybercrime is big business, and phishing attacks are one of the main routes into an organisation. You might have heard of them but are not quite clear what they are and how they work, so here’s our simple definition:
A phishing scam happens when a cybercriminal pretends to be someone else to gain information. Commonly they do this by sending fake emails designed to look like they’re from a trusted source within your company, such as the CEO or head of accounts. The aim is to make the victim feel a sense of fear, curiosity or urgency so they quickly open a dodgy attachment or send important details like bank/credit card details, user names or passwords.
They rely on the fact that most staff are eager to please their superiors and won’t question them, so they freely give out sensitive information they would normally hang on to.
Cybercriminals are very skilled at what they do and can create emails that look so much like the real thing that even the savviest staff member can easily be caught out at the end of a busy day.
For that very reason, phishing scams are often deployed towards 5pm or last thing on a Friday when people just want to get home and take their eyes off the ball. And in a further chilling development, hackers have been accessing bosses’ email accounts, and waiting for them to go on trips abroad before striking.
With spear phishing, hackers know exactly who they’re looking for and focus all their efforts on these unsuspecting victims. Because this isn’t a blanket approach, the hackers have to be more creative and thoughtful in their hunt. It’s common for them to use carefully chosen phrases and tailor their language to suit each individual person or group. In many cases spear phishing attacks are so convincing that they completely fool the target into parting with all sorts of information, blissfully unaware that they’ve been caught out.
Hackers play a long game
“What makes this scam both clever and worrying is that the hackers play a long game,” said local IT security expert Wayne Stanley of Iron Dome. “Hackers get into the boss’s email account. In the past they would have done instant damage and immediately got out. But now they sit and read emails, and over a period of months look for ways to steal cash.” Sometimes that’s by intercepting bank account or card details shared on email. But the most cunning hackers wait till the boss is away on a foreign trip before striking.
“They send an email to staff asking for urgent access to a critical system, or for an urgent bank payment to be made,” Wayne Stanley said. “It looks like it’s come from the boss, but it’s actually from the hacker. They will drop in a few facts that the staff know are true, such as where the boss is holidaying and what the weather is like.”
Wayne added: “Many staff are completely fooled, so go ahead and set the payment up. It can be days before anyone knows there has been a security breach, and by then it’s usually too late to stop it.”
Some interesting stats!
- The average cost of a phishing attack for a mid-sized company is £1.22 million.
- Phishing attempts rose by 65% between 2017 and 2018. They’re not specific to any particular industry and businesses of all sizes have been attacked.
- 30% of phishing messages are opened by targeted users, with 12% of those users going on to click the links or attachments.
- Nearly 1.5 new phishing sites are created every month.
Wide Net Attack!
A recent Gmail phishing scam targeted nearly a billion users across the globe. It was fiendishly simple but tricked a lot of people. Here’s how it worked. Victims received a text message asking if they’d requested a new password for their Gmail accounts. Of course, the vast majority had not. Confused targets were then prompted to text back “STOP” to confirm the request had nothing to do with them. They were then sent another text urging them to send their 6-digit numerical access code to prevent their accounts being compromised. Of course, the opposite was really happening. Instead of protecting their Gmail accounts, they were giving the hackers the ability to reset their passwords, and with it access to all their emails. This type of phishing scam is known as a “wide net attack”. Trawlers cast wide nets to catch a huge amount of fish and seafood that won’t all be good enough to sell, and this method uses the same principle. You can’t expect 100% success, but plenty will fall for it. And in this case, even a relatively small catch can reap impressive rewards.
Iron Dome top tips:
Stay informed: Education is everything, and that goes for you and your staff members. New scams are being developed every day, so it pays to sign up to regular updates and guides that will keep you in the loop. Cyber Security training for all IT users is also highly recommended so you can be confident that everyone knows what to look out for.
Think ahead: Develop a robust IT security policy that includes everything from Bring Your Own Device to password management and backups. Make sure all sensitive company information is encrypted and that all mobile devices – including those that belong to staff members – have to pass security protocols before they can access your network.
Keep it private: Never share personal information over the internet unless you’re 100% certain you can trust who you’re talking to and you’re sure your data is encrypted. If a company ever asks you to impart sensitive information, check with them at source first by visiting their main website and calling the customer services team.
Be suspicious: OK, so it’s a bit miserable going through life being cynical, but there are some situations where it pays to expect the worst. If an email doesn’t look quite right, it probably isn’t. If you’re not sure, hover over the link before clicking on it to see where it leads. If you don’t recognise the website address or it’s full of funny looking symbols, avoid it like the plague. A lot of phishing emails start with “dear customer”, so be particularly wary of any that don’t address you by name. And if there are lots of grammatical errors and language that sounds very old fashioned, it’s almost always going to be from a scammer.
Get protection: Install anti-virus protection, SPAM filters, web filters and anti-phishing toolbars and make sure they’re always kept up to date. Failure to install the latest patches and updates leaves organisations wide open to threats. Monitor the anti-virus status of all equipment, particularly mobile devices that are used outside of the working environment.
The best way to keep the phishermen away?
Put your IT security in the hands of trusted professionals. You’re already working hard, so you could probably do without the hassle of having to keep your entire computer system ship shape and safe from cyber attackers. Working in partnership with reputable IT experts who can prove they’re worth their salt will help you sleep better at night and send the hackers further upstream in search of a better catch.
Iron Dome have put together a series of security measures designed to help local businesses prevent this kind of fraud. They’re making details of the scam public, to try to help more owners and MDs be aware. To find out how Iron Dome can help your business stay safe from cyber-criminals visit www.irondome.co.uk or telephone: +44 (0) 203 358 0203
Since the inception of the internet and email, it seems there have always been phishing scams. They are a global threat to all businesses that utilize the internet for any reason. Within recent years, these scams have increased significantly, and they continue to victimize people around the world every day. You might be wondering, how does a phishing scam work?
A phishing scam involves sending a fraudulent link to an individual with the primary purpose of installing malware or deceptively retrieving sensitive information, such as passwords, banking information, or social security numbers.
Phishing costs businesses billions of dollars in losses. As a managed IT service provider, Iron Dome has the technical expertise to aid your business in the prevention of, and recovery from, a phishing scam. We use the most powerful applications to keep your data safe. Phishing scams are very profitable and have cost many businesses millions of dollars. According to a report released on July 12, 2018 by the Federal Bureau of Investigation, business email losses are in the billions. This is probably why phishing is one of the most popular internet scams today: it’s a fast way for cybercriminals to obtain money.
How Can You Avoid Being a Phishing Victim?
Here are some of the steps you can take to avoid becoming a victim.
Don’t Download Files from Unknown Users
If you receive an email from an unknown user, don’t click on any links or download any files attached to that email. For some people, this may seem obvious, but thousands of people accidentally click or download infected files every year. Even if the link appears to come from a known party, go to the company’s website directly instead of following the link in the email. Sometimes cybercriminals will use emails and websites that are cloned versions of the actual business website. If you’re not paying close attention to what you are doing, you can be scammed. Also check the link’s actual URL: hover over it to confirm that it points to the company’s domain name.
Don’t Trust the Display Name
Even if you receive a familiar-looking email, be cautious. A common phishing tactic is spoofing the email’s display name. Unfortunately, some email clients show only the sender’s name and not the email address. If the email address does not match the name of the sending party, flag it. However, this is not a foolproof indicator that it’s a scam, since any email address can be spoofed.
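As an added example (not code from the original article), the two checks above written as detection logic in Python: it parses a constructed sample message, flags a familiar display name whose address sits on another domain, and flags links whose visible text names a different host from the one the href actually goes to. It assumes the organisation’s own mail domain is example.com; the sample message and the look-alike domain are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: your own mail domain (placeholder)
# Constructed sample: familiar display name on a look-alike domain, and a first
# link whose visible text names a different host than its real target.
SAMPLE_EMAIL = """From: "Jane Smith" <jane.smith@examp1e-mail.net>
Content-Type: text/html

<p>Approve today: <a href="http://login.examp1e-mail.net/pay">https://portal.example.com/pay</a></p>
<p>Help: <a href="https://example.com/support">example.com/support</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase host of a URL; tolerates link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def check_email(raw):
    """Return a list of findings; an empty list means neither indicator fired."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Indicator 1: a friendly display name, but the real address is off-domain.
    if name and domain != TRUSTED_DOMAIN:
        findings.append(f"display name {name!r} but address domain {domain!r}")
    # Indicator 2: the host you read in the link text differs from the href's.
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown = host_of(text)
        if "." in shown and shown != host_of(href):
            findings.append(f"link shows {shown!r} but goes to {host_of(href)!r}")
    return findings
```

Link text such as “click here” carries no host, so only links whose visible text itself looks like an address are compared; a spoofed address on the trusted domain will pass the first check, which is exactly the limitation the paragraph above warns about.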
Install and Maintain Security Software
All of your computers should have a security solution installed on them. It should include at minimum an anti-virus application, firewall, and email filter. The anti-virus application is responsible for preventing viruses, phishing attacks, spyware, rootkits, malware, trojans, and other cyber threats. Maintaining the software is equally important as installing it, for recent updates offer the highest level of protection. Therefore, when you receive security updates, you want to install them immediately.
Educate Your Employees and Bring Awareness
Often employees are not aware of how businesses are targeted. By simply keeping your employees aware of the latest security attacks, you can possibly avoid future data or financial losses. According to Symantec’s 2018 Internet Security Threat Report, over 50% of email is spam. What’s even worse is that their data shows the average individual receives 16 malicious spam emails per month. With just 10 employees, this would equate to 160 emails per month.
Be Cautious of the Urgency
Be cautious of any email that you receive that expresses an urgency to do something. You may receive an email indicating that there is a problem with your bank account, and you need to log into your account to correct the problem. This is a common tactic used to quickly gain access to your personal information.
Identify Possible Threats
Verify the website’s security before sending sensitive information over the internet. Some ways of analyzing the safety of a website include the following:
- Look for the “S” in https. This indicates that the site has an SSL certificate, which encrypts sensitive information in transit. Without it, the information that you enter is exposed to cybercriminals.
- Look for contact information. Many website visitors feel uncomfortable doing business with a website that does not have a phone number or physical address. Ideally, most legitimate businesses will have visible contact information.
- Look for key indicators of possible malware. Some key indicators include suspicious pop-ups, ads with improper spelling or grammar, and search engine warnings.
The internet is an amazing tool and you can use it for many things. Like anything else in life, it comes with a dark side. When it comes to your business, be very cautious about releasing any information online. Only transact business on trusted websites that you know are legitimate.
Need Help Avoiding or Recovering from a Phishing Attack?
Should your company become the victim of a cyberattack, Iron Dome specialises in disaster recovery, and we can help you recover any lost data.
Contact us today at 0203 358 0203 to learn more about our services and avoiding cyberattacks.
- Physical Security
There are ways to lock your laptop down from outside of the machine. First, be sure that your laptop bag is always on your person, or that you use a padlock to keep the zipper securely closed. Most work benches at the airport have legs that you can easily secure the carry strap to. Or you can utilize a cable lock to secure it to something like a chair fastened to the ground or a building pillar.
Second, always keep a Kensington lock in your bag, and break it out every single time that you use your laptop in a public area. These are inexpensive, and you can always ask your IT provider if they have any spares. Trust us, if you’re showing initiative to protect company assets, your company will listen.
If you are in a hotel, a good way to keep your belongings safe is to put the ‘Do Not Disturb’ sign on the door. If that is posted, then the only foot traffic that should be in your room is your own. If something turns up missing and you and the hotel are the only people with keys to your room, then this helps narrow down the search for the thief.
- Software Security
We’re not talking about McAfee or Norton here, but something more along the lines of location software. Some examples are Lojack for Laptops if you have a Windows machine, or Find My Mac if you are an Apple user. To help protect your information, these applications set up passcodes that a thief would have to get past. They can also provide the location of your device if it’s missing or stolen.
- Backup Solution
If, in fact, your device does go missing, you know as well as we do that your work can’t be put on hold. It will continue to pile up – causing a mess of inconveniences – but the world doesn’t stop, even if your laptop is stolen. You need to be able to back up your most valuable data and recover it at a moment’s notice with a legitimate backup solution. And we’re not just talking about a file backup like Dropbox or Google Drive. A truly reliable backup solution allows for virtualizations of your laptop, so you can login to this virtual copy of your machine and it’s just like you’re sitting in front of it again.
- AdBlock Plus
While you surf the world wide web, there are certain things that track your information and compile it into a database. These “things” are better known as scripts. Scripts are invisible to the visitor’s eye, but their presence in a website’s code defines how the website behaves in response to the clicks and requests sent by the user.
Sometimes, scripts give you unwanted ads and annoying pop-ups while you are trying to navigate a web page. This is where an extension such as AdBlock Plus comes in handy. This extension blocks banner ads, pop-up ads, rollover ads, and more. It stops you from visiting known malware-hosting domains, can prevent data being sent to advertisers, and it can disable third-party tracking cookies and scripts. Essentially, ad blocker extensions like this one give you more control over your browsing experience.
- Privacy Badger
Privacy Badger keeps an eye out for suspicious third parties tracking you while you browse different websites, then jumps to your defense by blocking their tracking cookies. Cookies keep tabs on your browsing history and internet behavior, and if an advertiser is tracking you through cookies, this extension will automatically block that advertiser from loading any more content in your browser. All in all, this little badger’s job is to block spying ads and invisible trackers – making it a good buddy to have by your side while you surf the internet.
- HTTPS Everywhere
Generally speaking, there are two types of web URLs – HTTP and HTTPS. The difference here is the ‘S’ at the end of HTTPS, which stands for ‘Secure’. However, many web pages do not route you to the secure versions of their webpages automatically.
The HTTPS Everywhere extension takes care of that by rewriting requests to direct you to HTTPS-secured sites. So, if your browsing takes you to unsecured areas of a website, HTTPS Everywhere will redirect you to the encrypted HTTPS site and keep your sensitive data from leaking and third parties from snooping.
Hook up to a network that you know.
Free Wi-Fi is tempting, but be sure that you consider who is providing the connection. Public connections at the local coffee shop are usually unsecured and leave your machine open to outsiders. While these networks provide a convenience, there are risks to be aware of.
Bank and shop with caution.
Shopping from familiar websites is a good place to start. Stick with the reputable sites that are tried and true – like Amazon or eBay. Also, when checking out and finalizing the purchase, look for the ‘padlock’ symbol or the abbreviation ‘https’ in the address bar at the top of your browser. This will ensure that you are on a secure, encrypted part of this webpage. Keeping an eye on your bank statements for suspicious activity is always a good idea, among these other best practices for shopping online.
Use secure passwords.
Passwords for logging into any website should contain a mix of letters, numbers, and special characters – and be different for each website that you log into. It can definitely be a pain to remember all of these passwords, but ask yourself which is more of a pain – remembering these, or recovering stolen personal information.
Lock your computer.
When you walk away from your machine, lock it. In Windows, it is as easy as pressing the Windows key + L. On an Apple Mac, pressing “Control+Shift+Eject” will do the trick (if you do not have an optical drive, hit the “Power” key instead of “Eject”). This practice is the equivalent of deadbolting the front door of your home. It acts as a deterrent to the bad guys as well as a line of defense. It may even be worth setting up a password lock on your Apple or Windows machine as well.
Do not click on anything unfamiliar.
If an offer is too good to be true, it probably is. If you get an email from an unknown source, do not click any of the links within it – and immediately report it to your IT department. If a window pops up while browsing a website, immediately close it. Familiarity is always your friend. Using your judgment and trusting your gut is the ultimate defense when online. Always play it safe!