If it Seems Fishy, it Probably is Phishy


Recently a client reached out to us asking how he should respond to a comment that was posted on one of his blogs. To protect the client’s privacy, we have changed the name of the blog and removed the suspicious links. Other than that, this is exactly what the commenter wrote…

“Subject: Your Blog Requires Correction!

I found your blog: ‘Understanding Your Businesses Financial Statements’ & I must say you have provided detailed information about the most effective ways for reading & understanding the company’s financial statements.

While reading the article, I noticed it links to the source: ‘5 Types of Financial Ratios for Analyzing Stocks’. It only provides the basic theoretical information about financial ratios where users will not get any practical knowledge.

To offer something practical, I have created a useful guide: A compilation of key financial ratios with calculators that contains an explanation of 20+ financial ratios with calculators where users will get more satisfied by experiencing a practical approach for measuring the financial ratios with real-time calculators.

This guide is created with a problem-solving approach. I think adding this guide to your article will be more beneficial to your users.

Waiting for your response.

P.S. I would be happy to share your blog with our social followers. – Jessica@[CompanyName]”

The article the commenter referred to was one of many buried deep on the 7th page of his website’s extensive blog archive. No legitimate, professional person in the world has the time or inclination to read through every blog post and provide a “useful” guide of their own.

Additionally, there was no link within our client’s original blog to a source called “5 Types of Financial Ratios for Analyzing Stocks.” In fact, our client doesn’t work in the stock industry. Besides, how would a stranger know what would be “more beneficial to his users”? And why would a stranger push him for a response?

The whole thing was fishy… but enticing, right? The comments were seemingly friendly, helpful, and thoughtful.

But to the trained eye, this was clearly a phishing attempt. And, a very clever one at that. 

Some people might be tempted to click the links, especially because the comment was signed and gave a company name. Of course, we weren’t tempted, but… we were curious. Who or what was the source of the social engineering attack attempt? Could it really be from the company listed in the email address? 

Next step… a visit to the commenter’s company website. 

Guess what… they don’t exist. 

Our sleuthing ended there. After all, we know what curiosity can do to a cat. 

Let’s take a step back and talk about the basics of phishing attempts…

An article by Imperva explains: “Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Phishing attack examples

The following illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

Several things can occur by clicking the link. For example:

  • The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
  • The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.

Phishing techniques

Email phishing scams

Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.

For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.

In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.

Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. For example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.

Spear phishing

Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.

An attack might play out as follows:

  1. A perpetrator researches the names of employees within an organization’s marketing department and gains access to the latest project invoices.
  2. Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization’s standard email template.
  3. A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
  4. The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization’s network.

By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.

How to prevent phishing

Phishing attack protection requires steps to be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.

For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
  • In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to frequently change their passwords and they should not be allowed to reuse a password for multiple applications.
  • Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.” 

Top 10 Scams Targeting Small Businesses

A recent article by the Better Business Bureau states: “Scams can impact every business, regardless of location, size, or industry. But they are especially a problem for small businesses. Local businesses and start-ups often don’t have the cyber security support or established accounting processes of larger companies. This can make them more vulnerable to scams.

Fortunately, knowledge is the best protection. If you own or work for a small business, be sure to stay informed about these common scams and report them if your business is targeted.

Common small business scams:

Business Email Compromise (“BEC”). Business email compromise fraud is an email phishing scam that typically targets people who pay bills in businesses, government and nonprofit organizations. It has resulted in more losses than any other type of fraud in the U.S., according to the Federal Bureau of Investigation.

In BEC fraud, the scammer poses as a vendor or other trusted source, who sends an email to an accountant or chief financial officer. The email asks them to wire money, buy gift cards or send personal information, often for a plausible reason. If money is sent, it goes into an account controlled by the con artist. Learn more about BEC scams here.

Phony invoices.  Businesses receive fake invoices demanding payment for products or services never ordered or received. The most common scams involve office supplies, website or domain hosting services, and directory listings. Often, if you look closely, you’ll see the fine print that identifies the bill as a solicitation. Generally, the amount is small enough to not initially raise a red flag. Read more about phony invoice scams.

Directory scams.  This scam has plagued businesses for decades. In it, con artists attempt to fool businesses into paying for a listing or ad space in a non-existent directory. In some cases, the directory will technically exist, but won’t actually be distributed to potential customers. Other times, the scammer might lie about being with a legitimate directory, such as the Yellow Pages. Either way, the business is billed hundreds of dollars for listing services they didn’t agree to or for ads that were never placed. Read more about directory scams.

Stolen identity. Scammers often pretend to be a legitimate company in order to trick consumers. Scammers set up fake websites and “hijack” your company name and address. They may also use brand hijacking – the blatant copying and misuse of company logos and website content – to impersonate a business and deceive unsuspecting visitors. In this con, the company doesn’t necessarily lose money. However, their reputation is tarnished when angry customers who were ripped off by scammers think the real company is responsible.

Charity pitches.  Most businesses are regularly asked to donate funds to charitable causes. While many requests are legitimate, every year small businesses become victims of fraudulent or deceptive charitable solicitation schemes. Research charities and see more giving tips at Give.org.

Emails and Texts. These phishing scams attempt to steal sensitive information about your business. These scams often appear to be legitimate emails or text messages. However, when you click on the link, you download a virus that captures personal information or loads a form that asks for bank account or credit card details. Be leery of unsolicited messages and don’t click on links. Instead, hover over the link with your cursor to see the real address. Also, be sure your computer has the proper firewall and computer protection software. Read more about phishing scams.

Office supply scams.  Businesses receive an unexpected telephone call from someone claiming to represent a reputable company with which the firm often does business.  Sometimes scammers will even call in advance to find out what brand of supplies or equipment the business uses. The scam caller will try to sell the business surplus merchandise at a reduced price, citing a cancellation or over-order by another purchaser. The merchandise doesn’t exist. Don’t be fooled.

Coupon books.  Small business operators are often approached to participate in coupon book promotions.  The business offers discounts or extras in the coupon books that are sold by promoters to consumers.  Problems occur if the promoters change the terms of the coupons, oversell the books, or distribute them outside the company’s normal business area. Make sure the coupon book is being promoted by someone you trust, and that the terms and conditions are clearly spelled out.

Vanity award scams.  A vanity award scheme capitalizes on a company’s excitement for an award that essentially holds no value. This con typically targets business owners through email campaigns. The scam email congratulates the owner on their selection for the award and invites them to click a link for further details on how to claim the prize. But of course, claiming the honor involves paying a several hundred dollar fee. Always research the organization offering the “award.” Read more about award scams.

Overpayment scams.  In this scam, the person you are doing business with sends you a check for more than the amount they owe you. Then, they instruct you to wire the balance back to them. Or, they send a check and tell you to deposit it, keep part of the amount for your own compensation, and then wire the rest back. The results are the same: the check eventually bounces, and you’re stuck, responsible for the full amount, including what you wired to the scammer.  Read more about fake check scams.

Tips to Avoid Small Business Scams

BBB offers these tips to help small businesses protect themselves:

  • Keep good records. Keep documentation of all orders and purchases. This will help you to detect bogus accounts and invoices.
  • Be extra careful with payment procedures. Establish payment authorization procedures, including a multi-person approval process for transactions above a certain dollar threshold.
  • Avoid some payment methods when possible. Wire transfers, pre-paid debit cards and gift cards are scammers’ preferred methods of payment. Always confirm that any request for payment with untraceable methods such as these is verified by an authorized source. Also, try to pay by written company check. That way, a paper trail has been created.
  • Double check vendors. Make sure that the business billing you is a business you’re familiar with and normally do business with. If not, question it. Get the name of the person you speak with, the company name, address, phone and website.
  • Be careful what information you share. Do not give out information about your business unless you know what the information will be used for. Never provide personal information or financial details to anyone you don’t know.
  • Protect your devices. Make sure you have proper computer protection software and a firewall. Don’t click on links inside unsolicited e-mails. They could spread malicious software or viruses.
  • Spread the word. If your employees know about the scam, they’ll be more likely to spot it. Tell your colleagues, too.”
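The Imperva excerpt above shows the lookalike address myuniversity.edurenewal.com standing in for myuniversity.edu/renewal, and the BBB tips recommend hovering over a link to see the real address before clicking. The Python script below is an added example, not code from this post or from Imperva, the BBB, or Adaptive Office Solutions; it automates that hover check over a constructed sample email. The trusted-domain set, the sample message, and every function name in it are assumptions made for the example.

```python
"""Flag lookalike and mismatched links in an email body.

Added example; not code from the post or the organizations it quotes.
"""
import re
from urllib.parse import urlparse

# Domains the organization actually owns (assumption for this example).
TRUSTED_DOMAINS = {"myuniversity.edu"}

# Minimal <a href="...">text</a> matcher; a production mail filter should
# use a real HTML parser, but this is enough for the constructed sample.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Visible link text that itself looks like a URL or a bare hostname.
URL_TEXT_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; bare hostnames like 'a.example' work too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it.

    A plain substring test would wrongly accept myuniversity.edurenewal.com;
    the trusted domain must start at a dot boundary.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(href: str, display_text: str = "") -> str:
    """Classify one link the way a careful hover-over check would.

    Returns:
      "trusted"            host is one of our domains or a subdomain of one
      "lookalike"          host merely contains a trusted domain as text
      "mismatched-display" visible text names a different host than the href
      "external"           any other domain (not necessarily bad, but not ours)
    """
    host = host_of(href)
    if any(belongs_to(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if any(d in host for d in TRUSTED_DOMAINS):
        return "lookalike"
    text = display_text.strip()
    if URL_TEXT_RE.fullmatch(text):
        shown = host_of(text)
        if shown != host:
            return "mismatched-display"
    return "external"


def scan_email(html: str):
    """Return [(href, visible_text, verdict)] for every anchor in the body."""
    return [(href, text.strip(), classify_link(href, text))
            for href, text in ANCHOR_RE.findall(html)]


def suspicious_links(html: str):
    """Only the links a user should not click without further verification."""
    return [row for row in scan_email(html) if row[2] != "trusted"]


# Constructed sample modelled on the password-expiry lure in the excerpt.
SAMPLE_EMAIL = """
<p>Your password expires in 24 hours. Renew it now.</p>
<a href="https://myuniversity.edurenewal.com/renewal">myuniversity.edu/renewal</a>
<a href="https://login.myuniversity.edu/help">Help desk</a>
<a href="https://example.net/track?id=1">https://myuniversity.edu/policy</a>
"""

if __name__ == "__main__":
    for href, text, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:18} {href}  (shown as: {text!r})")
```

The important detail is in `belongs_to`: a host counts as ours only if it equals a trusted domain or ends with a dot followed by it. Checking whether the trusted name merely appears somewhere in the host would accept myuniversity.edurenewal.com, which is exactly the substitution the excerpt describes. The third sample link shows the other common trick the BBB hover advice catches: the visible text names one host while the underlying href points somewhere else.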

Phishing is Killing Businesses

Excerpts from an article by Graphus: “The evidence is clear: phishing is a clear and present danger to organizations around the world and that danger is growing. All types of phishing threats have grown in the last 12 months, presenting businesses with even more challenges when it comes to protecting their assets from cybercrime. However, many business executives may not understand the danger that phishing really presents to their organizations and fail to see that old approaches to solving the problem aren’t getting the job done.

The bottom line for businesses when looking at threats they may face is that phishing tops the risk charts, and it just keeps getting worse. A whopping 84% of businesses in a new study said that they were the victims of a successful phishing attack in 2021. That study went on to declare that there has been a 15% increase in successful phishing attacks over the past 12 months, with the bulk of the attacks utilizing malicious links and attachments.

That certainly tracks with other data about phishing with attachments.  Breaking the threat down further, while more than 50% of malicious attachments are from a variety of sources, the biggest takeaway is that an estimated 48% of malicious email attachments are something that most employees handle every day: Office files. Microsoft Office formats like Word, PowerPoint, and Excel account for 38% of phishing attacks, followed by archived files such as .zip and .jar, which account for about 37% of malicious transmissions.  

Treating the Symptoms Won’t Solve the Problem

However, just because organizations are drowning in a flood of phishing and facing more costly and dangerous threats from ransomware than ever before, that doesn’t mean that their leaders take the problem seriously or are making the right choices to solve it. They’re certainly not willing to spend money on it. Just over half of organizations (52%) allocate less than one-quarter of their security budget to dealing with phishing. 

What are they doing with the money? To prepare for phishing threats, 72% of businesses report that they’ve bought cyber insurance, which is growing less likely to cover ransomware damage, 64% say they’ve retained legal counsel and 55% say they’ve invested in forensic investigation. None of these measures will prevent phishing from impacting an organization, and they’re only somewhat helpful in cleaning up the mess in the wake of something like a ransomware attack.

But executives aren’t really worried about that. Less than 25% of executives considered ransomware a top security priority. This is a great example of the fact that non-tech business leaders frequently fail to see the damage that cyberattacks can do and are generally unwilling to take sensible precautions against trouble, especially if it costs money. In a CNBC/Momentive Small Business Survey, a stunning 56% of the SMB owners surveyed said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and among those, 24% said they were “not concerned at all.” More than half (59%) of the executives surveyed were quite confident that even if they were hit with a cyberattack, they’d quickly resolve it. Only 37% were “not very confident” and only 11% were “not confident at all.””

Worrying statistics, to be sure. So, what’s the number one thing you and your employees can do to prevent phishing attacks? 

Use common sense. If it (an email or text message) seems fishy, it probably is a phishing attempt. Don’t take the bait. If you don’t know the sender, or if their email address seems off, mark it as spam and delete the message. Also, make a regular practice of emptying your deleted emails and clearing out your spam folder.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. 

To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca