Have you ever gotten a suspicious email from someone you do not know asking for passwords or other sensitive data? Well that was probably a phishing attempt. Emails, social media, phone calls, SMS (texts), even snail mail can be mediums for this form of attack. It basically affects everyone nowadays, but the main target of these attackers has become small businesses. This is because they often have a weak network and high payoff for breaching their system.
As of the end of March 2016, 93% of all phishing emails contained ransomware, according to the report Malware Report – Q1 by PhishMe. This is a jump in 29% from February of the same year.
So, what is phishing and how does it work?
Phishing is an attempt at getting someone to hand over sensitive information online for malicious reasons. This can be done in a variety of ways and is almost always a dangerous thing for businesses. Although it can be very difficult to train certain employee behavior, this is the best defense against spam. Implementing proactive means of training your staff/coworkers is a terrific way to protect your organization. We can give you resources to check how good your organization is currently, then slowly train them with harmless tests that mimic phishing campaigns. This helps employees of the company with positive reinforcement of spotting and reporting threats and fix weak spots in your network!
Read our eBook to learn how to maintain a successful network!
What are the signs of a phishing campaign?
If it looks too good to be true, it probably is...
You will probably never get an email telling you that you won the lottery (that’s not how they deliver that awesome news…) and you should never get messages that your company needs your password to access something. Clicking these mysterious emails can lead to some serious repercussions. Even though getting some free airline tickets or a sweet cruise vacation would be great, this is pretty much never the real deal. Simply using common sense combats this one.
Bad grammar or misspelled words
Whether this is intentional to bypass certain spam filters or because the individual is less-than-educated (using google translate from their original message will usually create broken English), it can be easy to spot when it is a scam. Most professionals nowadays proof-read messages for errors. Someone trying to spew out as many phishing scams as they can will be slipping up and not have time to proof-read.
Odd URLs and shortened links
You can generally notice this right away by utilizing some tooltips that your computer provides. If you hover over a link with your mouse but do not click, a box should appear with where the link actually goes. In this example, the trusted site of lighthousesol.com is for some reason linking to google when it should not be.
This is called Pharming and it redirects users from legitimate sites to fraudulent ones. This tricks users into using giving their credentials to the fake site, while making it look like they are simply logging into the real site.
Weird sender and mismatched addresses
If you see an odd-looking email address, then chances are it is spam, but if you see an address from someone you know (but the message looks a bit off) that can also be spam. This makes things difficult because the phishing campaign is creating messages that appear to come from someone you actually know. To avoid being tricked by these, you should look at the sender’s address and find errors (such as company name or name of an employee being misspelled) and sometimes it is just a string of characters rather than being sent from an official source.
How can I avoid this?
Sender Policy Framework (SPF) protocol and DomainKeys Identified Mail (DKIM) protocol can help reduce spam by requiring email authentication to verify them. A web security gateway can also grant more layers of protection by preventing the mail from even reaching the targeted user. Letting your web browser or antivirus trigger a warning that can analyze and generally stop it before it starts.
Do your own typing. If someone sent you a link to follow that seems odd, simply use a search engine and find it yourself. If you have no luck finding it and it seems important, go ahead and call them or even go see them if you can. Business continuity allows for a backup for anything problem that actually succeeds in holding your information ransom. You still have your information backed up somewhere else that stays secure, you will always have something to fall back on.
Another huge style of this attack is spear or whale phishing, which is a campaign that is directed towards a specific individual. This can be simply someone who has a password they want, or the owner of the company to get even more sensitive information. CEOs, owners, and high up employees (board members or managers) are all very at risk of these types of scams, but many companies over-look just how much sensitive data the lower down employees have access to. The average staff member is a huge internal security risk, because people are so willing to share their passwords internally, read more about why that is such a bad idea here, it is easy for someone to give away someone else’s password or sensitive information (even by accident.)
So basically, never post personal data like passwords, IP addresses, or any of the common security risk stuff. Many people overlook simple things like birthdays, when people are taking vacations and even social media data, but these can be quite dangerous as they can be used to impersonate people and trick others into trusting the phishing campaigns.
We recommend applying for a free Network Risk Assessment