It’s imperative that individuals and businesses are extra cyber-vigilant during the holiday season. The reason? It’s a busy time of the year, so people are: 1) less likely to pay attention to details like the correct email, text, or link sender address, 2) likely to believe they are expecting a package, and 3) inclined to click on links (or answer calls) from “postal carriers” or “their bank.”
In a single day, Adaptive’s fearless leader, Brett Gallant, received 5 texts (followed by the same number of calls) from “Amazon” claiming packages were delayed due to unpaid shipping charges or a Visa transaction issue. The texts went on to say that it was “urgent” for him to contact them to avoid failed deliveries.
Of course, he didn’t fall for the bait, but he can understand why many people do. Bearing that in mind, let’s talk about…
How to Identify, Avoid, and Prevent Phishing Scams During the Holiday Season
In an article on the subject, Digital Guardian wrote, “Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.
COMMON TYPES OF PHISHING ATTACKS AGAINST BUSINESSES
One of the most common forms of phishing is where attackers impersonate your brand. This is typically done with an email connected to a domain very similar to the target company (e.g., “first.name@amazon-support”). It’s also a difficult attack for companies to look out for due to the fact that you won’t know until someone falls for it or alerts you.
This type of scheme involves using a fake company name (impersonation) but also key details about the target. Much like in sales, a rep finds the name, position, and other personalization and includes that in a pitch email. Attackers find those same tokens and use them to compel more victims into their trap. It’s an especially dangerous ploy.
Email Account Takeover
All members of your executive and management team are vulnerable. If a phishing scammer acquires the email credentials of high-profile leadership, it’s likely they’ll target anyone they can using that very email address. Potential targets would be: colleagues, team members and even customers (if they’ve already obtained this information via hack).
Similar to the email account takeover scam, this phishing attack is done via email. The difference is the phishing scammer uses an email address that resembles a legitimate email address, person or company. The email will include a request to click a link, change a password, send a payment, respond with sensitive information, or open a file attachment.
Phone Phishing or Voice Phishing
Using Voice over Internet Protocol (VoIP) technology, scammers, again, impersonate companies. This technique also employs the other types of phishing including using personal details about targets and impersonating individuals of the company (e.g., the CEO) in order to get a higher take on the overall scam.
To help businesses better understand how they can avoid falling victim to phishing attacks, Digital Guardian asked a number of security experts to share their views on the most common ways that companies are subjected to phishing attacks and how businesses can prevent them. Let’s check ’em out…
NOT having the right tools in place and failing to train employees
Tiffany Trucker of Chelsea Technologies said, “The one mistake companies make that leaves them vulnerable to phishing attacks is…
Not having the right tools in place and failing to train employees on their role in information security.
Employees possess credentials and overall knowledge that is critical to the success of a breach of the company’s security. One of the ways in which an intruder obtains this protected information is via phishing. The purpose of phishing is to collect sensitive information with the intention of using that information to gain access to otherwise protected data, networks, etc. A phisher’s success is contingent upon establishing trust with its victims. We live in a digital age, and gathering information has become much easier as we are well beyond the dumpster diving days.
There are various phishing techniques used by attackers:
- Embedding a link in an email that redirects your employee to an unsecure website that requests sensitive information
- Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information
- Spoofing the sender address in an email to appear as a reputable source and request sensitive information
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department
Here are a few steps a company can take to protect itself against phishing:
- Educate your employees and conduct training sessions with mock phishing scenarios.
- Deploy a SPAM filter that detects viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes but isn’t limited to password expiration and complexity.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into text only email messages or disable HTML email messages.
- Require encryption for employees that are telecommuting.
There are multiple steps a company can take to protect against phishing. They must keep a pulse on the current phishing strategies and confirm their security policies and solutions can eliminate threats as they evolve. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Informed employees and properly secured systems are key when protecting your company from phishing attacks.
Careless internet browsing
Arthur Zilberman, the CEO of LaptopMD said, “Companies fall prey to phishing attacks because of careless and naive internet browsing. Instituting a policy that prevents certain sites from being accessed greatly reduces a business’ chance of having their security compromised.
It’s also important to educate your employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation. Inform them to be wary of e-mails with attachments from people they don’t know. Let them know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize. Read all URLs from right to left. The last address is the true domain. Secure URLs that don’t employ https are fraudulent, as are sites that begin with IP addresses.”
Failing to Implement a Multi-Layered Security Plan
Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions, said, “Defending against these attacks requires a coordinated and layered approach to security.
- Train employees to recognize phishing attacks to avoid clicking on malicious links. For example, if the domain of the link to which you are being directed doesn’t match the purported company domain, then the link is a fake.
- Many spam filters can be enabled to recognize and prevent emails from suspicious sources from ever reaching the inbox of employees.
- Two factor authentication should be deployed to prevent hackers who have compromised a user’s credentials from ever gaining access.
- Browser add-ons and extensions can be enabled on browsers that prevent users from clicking on malicious links.
Phishing is a method used to compromise the computers of and steal sensitive information from individuals by pretending to be an email from or the website of a trusted organization. For example, a person receives an email that appears to be from the recipient’s bank requesting that the recipient verify certain information on a web form that mimics the bank’s website. When captured by the hackers, the data allows them access to the recipient’s banking information.
Alternatively, the web-link may contain malicious code to compromise the target’s computer. One of the things that makes phishing attacks tricky is that they can be distributed by compromising the email address books of compromised computers. So the email may appear to have been sent by a known and trusted source.
A subset and highly effective form of phishing attack is a spear-phishing attack in which a hacker will research an intended target and include details in an email that makes the email seem more credible. The details may, for example, reference a corporate social event from the previous month that was published on a public website. It can be exceedingly difficult to protect against these kinds of attacks as demonstrated by the notable and extremely costly breaches of sensitive information by Target, Home Depot, and Baylor Regional Medical Center.”
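Two of the experts above give the same practical rule: read a link’s host from right to left to find the true domain (Zilberman), and treat the link as fake when that domain does not match the company it claims to be (Spearman). The following Python script, added here as an illustration and not code from the article or from either expert, applies that rule mechanically. The brand domain `amazon.com` and the sample links are constructed for the demonstration; the two-label rule for the registrable domain is a deliberate simplification noted in the code.

```python
# Added example (not code from the original article or from the quoted
# experts): inspect a link the way the experts describe, reading the host
# from right to left to find the true domain and comparing it with the brand
# domain the message claims to represent. The brand domain and sample links
# below are constructed for the demonstration.
from ipaddress import ip_address
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'amazon.com'.

    Reading right to left, these labels are what the owner registered;
    everything to their left can be chosen freely by whoever owns them.
    Caveat: this naive rule misreads multi-part public suffixes such as
    'co.uk'; a production check should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the host part is a bare IP address rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_link(url: str, expected_domain: str) -> dict:
    """Classify a link against the domain the email claims to come from."""
    # urlparse needs a scheme to separate the host from the path.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    findings = []
    if parsed.scheme != "https":
        findings.append("not https")
    if is_ip_host(host):
        # A bare IP address is never how a brand publishes its login page.
        findings.append("host is an IP address")
        true_domain = host
    else:
        true_domain = registrable_domain(host)
        if true_domain != expected_domain.lower():
            findings.append(f"true domain {true_domain!r} is not {expected_domain!r}")
    # A URL such as 'https://amazon.com@evil.example/' puts the brand in the
    # userinfo part; urlparse().hostname ignores that, so the host checked
    # above is the real destination.
    return {
        "url": url,
        "host": host,
        "true_domain": true_domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a delivery notice.
    samples = [
        "https://www.amazon.com/orders",
        "https://amazon.com.security-check.example/login",
        "http://192.168.1.10/login",
        "https://amazon.com@evil.example/",
    ]
    for sample in samples:
        result = inspect_link(sample, "amazon.com")
        print(f"{sample}\n  host={result['host']} true_domain={result['true_domain']}"
              f" findings={result['findings']}")
```

The second sample shows why “right to left” matters: `amazon.com.security-check.example` starts with the brand name, but the registered part is `security-check.example`. Such a check belongs in a mail gateway or link-rewriting proxy that already knows which brand a message claims to represent; on its own it cannot tell a legitimate third-party mailer from an impostor.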
NOT Securing BYOD or Educating End Users
Dave Jevans, Marble Security’s CEO, Chairman, and CTO, said, “A new threat vector that has been introduced by the BYOD trend is that apps on employees’ mobile devices can access their address books and export them to sites on the Internet, exposing the contacts to attackers who use them for targeted spear phishing. One important step for businesses to take is preventing prospective attackers from accessing the corporate directory, which includes names, email addresses and other personal employee information. Installing mobile security software on user devices that scans apps and prevents users from accessing the corporate networks if they have privacy leaking apps is recommended.
Another step is to protect mobile users from visiting phishing sites, even when they are on a Wi-Fi network that the company does not control. These protections must be done at the network level because email filtering is not sufficient. Phishing and spear phishing attacks can be delivered through corporate email, through a user’s personal email that may be connected to their mobile device or through SMS messages to the user. Mobile users should be connected over Virtual Private Networks (VPNs) to services that provide secure Domain Name System (DNS) and blacklisting to prevent access to phishing sites.
Also, it turns out that the users themselves are often the best channel through which to detect, report and defend against phishing attacks. An important practice enterprises should implement is to put in systems where users can quickly and easily report a phishing attack, have it routed to IT, have it filtered and have it put in a system so that IT can quickly and easily add it to blacklists that will protect both internal employees and those that are remote or on mobile devices.”
NO Incoming Spam Filtering or Outgoing Web Filtering Software
Greg Scott of the Infrasupport Corporation said, “In a company with, say, 1000 employees, that’s 1000 possible attack vectors. The IT department can set up inbound spam filtering and outbound web filtering. They can run security drills, education campaigns, and spend enormous amounts of money to monitor traffic in detail. These are all helpful, but all it takes is one person, one time, to become careless and fall prey to an online con job – which should be the real name for a phishing attack.
So how to prevent them is the wrong question to ask. A better question is, how to limit the damage any successful phishing attack can cause. Here, a few low cost tactics will offer a high reward. In retail – isolate those POS terminals from the rest of the network. Sharing should be baked into security practices everywhere. This is counter-intuitive, but the best way to defend against attack is to share how all the defenses work. In detail. Openly discuss security measures, expose them to public and peer review, conduct public post-mortem incident reviews, publish the results, and adjust the methods where necessary.
Bad guys are already reviewing, discussing, and probing security in the shadows. Bad guys have a whole supply chain dedicated to improving their ability to plunder, complete with discussion forums and specialists in all sorts of dark endeavors. The bad guys have unlimited time and creativity and the good guys are out-gunned and out-manned. Against such an adversary, what CIO in their right mind would want to stand alone? Smart good guys should join forces out in the open for the common good.”
Phishing is probably one of the easiest and hardest things to stop
Security Analytics Team leader, Jared Schemanski of Nuspire Networks said, “This type of attack is predicated on sending out a bunch of random emails and thereby forcing people to click on a link that opens up a whole franchise to vulnerabilities. Then there is spear phishing which is highly personalized emails that go to a person higher up in an organization who has greater access than typical phishing email targets.
Tips on how to avoid phishing consist of non-technical safeguards since the user must click on an untrusted source that enters through an outward-facing environment. The best and sometimes only way to address this is to show employees how to read emails, thereby reducing the knee-jerk reaction.
Here are a few other tips to share with email users:
If the email comes directly from an acquaintance or source that you would typically trust, forward the message to that same person directly to ensure that they indeed were the correct sender. This means, do not simply just hit reply to the email with whatever information was requested in the email.
Similarly, when you receive an email from a trusted source and it seems phishy (pun intended), give that person a call directly and confirm that the email was from them.
You’ll be able to check to see what is or what is not legitimate by dragging your cursor over the email sender as well as any links in the email. If the links are malicious, they will likely not match up with the email or link description.
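Schemanski’s last tip, hovering over the sender and each link to see whether they match their description, can also be run as a script over the raw HTML of a message. The Python below is an added illustration, not code from the article or from Nuspire Networks. It flags anchors whose visible text names one site while the `href` goes to another, and senders whose address domain is not the expected one. The sample HTML, the From header, and the `fedex.com` expected domain are constructed inputs.

```python
# Added example (not code from the original article or from the quoted
# expert): the "drag your cursor over the sender and the links" check, done
# programmatically for an HTML email. It flags links whose visible text names
# one site while the href goes to another, and senders whose address domain
# does not match the expected one. The sample message is constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"(?i)(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host name is accepted as well."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Links whose visible text is a URL/host that differs from the real href."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain words such as "Track your package" say nothing about the host
        shown, actual = host_of(text), host_of(href)
        if shown != actual:
            flagged.append({"shown": shown, "actual": actual, "href": href})
    return flagged


def sender_domain_mismatch(from_header: str, expected_domain: str):
    """Return the real sender domain when it is not the expected one, else None."""
    _display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    expected = expected_domain.lower()
    if domain == expected or domain.endswith("." + expected):
        return None
    return domain


if __name__ == "__main__":
    # Constructed sample: one deceptive link, two honest ones.
    sample_html = """
    <p>Your package is delayed.</p>
    <a href="https://track.delivery-update.example/x">https://www.fedex.com/track</a>
    <a href="https://www.fedex.com/track">Track your package</a>
    <a href="https://www.fedex.com/track">www.fedex.com</a>
    """
    print(mismatched_links(sample_html))
    print(sender_domain_mismatch('"FedEx" <alerts@fedex-delivery.example>', "fedex.com"))
```

Only the first anchor is reported: its text promises `www.fedex.com` while the `href` leads to `track.delivery-update.example`. The sender check looks past the display name, which is free text anyone can set, and compares the domain after the `@`.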
Businesses don’t keep up with the ever-evolving threat of phishing
Abhish Saha the Chief Product Officer at Linkly said, “Phishing has become far more sophisticated than a suspicious email tempting a random individual to click on a link or provide their personal details. Usually phishing focuses on targeting an individual.
Here are three key phishing techniques that compromise companies to obtain several individuals’ details:
- DNS-based phishing compromises your host files or domain names and directs your customers to a false webpage to enter their personal or payment details.
- Content-injection phishing is associated with criminal content, such as code or images, being added to your or your partners’ websites to capture personal information from your staff and customers such as login details. This type of phishing often targets individuals that use the same password across different websites.
- Man-in-the-middle phishing involves criminals placing themselves between your company’s website and your customer. This allows them to capture all the information your customer enters, such as personal information and credit card details.
4 ways that companies can defend against phishing attacks include:
- Use an SSL Certificate to secure all traffic to and from your website. This protects the information being sent between your web server and your customer’s browser from eavesdropping.
- Keep up to date to ensure you are protected at all times. You and your providers should install all the latest patches and updates to protect against vulnerabilities and security issues. This includes website hosting, shopping cart software, blogs and content management software.
- Provide regular security training to your staff so that they are aware of and can identify phishing scams, malware and social engineering threats.
- Use a Securely Hosted Payment Page. This is the best practice for reducing risk to your customers’ card data. Use a payment gateway provider that has up-to-date PCI DSS and ISO 27001 certifications from independent auditors. This ensures that your customers’ payment details are protected at all times.
Passwords and Mail Delivery Companies
Patrick Agari’s a visionary leader and a pioneer in the email business, and now one of 13 Cisco Fellows, said, “If someone came up to you on the street and said they had a package for you, you would say no thank you and walk away. When people get emails that say, FedEx has a package for you, they think that because it’s on a computer screen they should click the link or open the attachment. A good rule of thumb is to take the same precautions you take online as you would in the real world.
Similarly, when it comes to passwords, if you happen to forget yours you can have it reset by answering personal questions. Those questions were once secure, but now many of the answers can be found on your social media accounts: birthdate, hometown, high school, etc. Think about what you share on social media in terms of being useful to cybercriminals.
Any company can take recent security breaches as more cautionary tales about the need for succinct security practices to protect company and consumer data. A very important aspect in email security is making sure your email provider uses technology like DMARC. It’s the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, Microsoft, and AOL all use it to stop phishing.”
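The quote credits DMARC with keeping spoofed mail away from consumers. The Python below, an added illustration rather than code from the article or from Agari, shows the decision a DMARC-aware receiver makes: it parses a published record, checks whether an SPF or DKIM pass is aligned with the visible From: domain, and otherwise applies the record’s policy. The record, the domains and the SPF/DKIM verdicts are constructed inputs; a real receiver fetches the record from DNS at `_dmarc.<domain>` and produces the verdicts from its own verification.

```python
# Added example (not code from the original article or from Agari): a
# minimal evaluator showing what a DMARC-aware receiver does with a message.
# The record, domains and authentication results are constructed inputs; a
# real receiver gets the record from DNS and the SPF/DKIM verdicts from its
# own verification.


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels
    (a production check should use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC result and the disposition the record asks for.

    spf_domain is the MAIL FROM domain that SPF authenticated; dkim_domain is
    the d= value of a DKIM signature that verified. Either one, if it passed
    and is aligned with the visible From: domain, satisfies DMARC.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "aligned " + ("DKIM" if dkim_ok else "SPF") + " pass"}
    policy = tags["p"].lower()
    # Mail from a subdomain follows 'sp' when the record publishes one
    # (pct= sampling is ignored here for clarity).
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    return {"result": "fail", "disposition": policy,
            "reason": "no aligned SPF or DKIM pass"}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@brand.example"
    # Spoofed: SPF passed for the bulk sender's own domain, nothing for the brand.
    print(evaluate_dmarc(record, "brand.example", "pass", "bulk-sender.example", "fail", ""))
    # Legitimate: DKIM signature by the brand itself, strictly aligned.
    print(evaluate_dmarc(record, "brand.example", "none", "", "pass", "brand.example"))
```

The spoofed message fails even though SPF passed, because the SPF pass belongs to the bulk sender’s domain rather than the brand in the From: header; the record’s `p=reject` then tells the receiver to refuse it. That alignment requirement is what makes DMARC different from SPF or DKIM alone.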
Authoritarian hierarchy runs more risk of phishing attacks
Daniel DiGriz, a digital strategist and CEO of MadPipe, which helps companies solve human problems with processes and technology, said, “Companies with an authoritarian hierarchy run more risk for phishing attacks, because employees tend to be cooperative with schemes that sound authoritative. This is also true in some organizational cultures where it’s frowned upon to ask for help, there’s some degree of mutual distrust, or a less collaborative work model.
Asking for IT help might create a backlash, so someone clicks, and it only takes one vulnerable recipient to give a phishing expedition what it needs to succeed. The odds go up when there are pockets of personnel who lack a basic level of technical literacy. Announcements about phishing may only cover one or two examples of exploits, but phishing is endlessly adaptable. The two options for mitigating risk, which are not mutually exclusive, are cultural change in the organization and a mandated standard of technical literacy for all employees and contractors with access to organizational resources.”
A false sense of security that anti-virus is all they need
Greg Kelley, the CTO for Vestige, Ltd, a company that performs computer forensic services and data breach response for organizations, said, “Employees likely have a false sense of security that their anti-virus would catch any attachment if it is bad. Employees also do not look to see where the URL they are about to click on will send them, and when they get to the site, they do not review the address for validity or if their browser is reporting a properly authenticated SSL certificate.
Second, the bad guys are getting good at social engineering. They are doing their research on companies, reading blogs, news articles and other information to determine who works at a company, what their email address is, what their position is and with whom they might be communicating. The result is a well-crafted spear-phishing email catered to the recipient.
These attacks cannot be prevented but they can be mitigated. Companies should train their employees in regard to email use and detecting phishing attacks. This training should be done at onboarding for new employees and everyone should get a periodic refresher course. Companies should also review what information of theirs they make public and carefully consider what information should be made public and what should not.”
NOT Providing Continuous Cybersecurity Awareness Training
Nick Santora the chief executive officer for Curricula said, “We are reinforced on a daily basis to not talk to strangers, be careful with what we eat, save our money for retirement, say please and thank you, etc. How often are we reinforcing current cybersecurity threats and educating our staff on a routine basis? Until organizations take initiative to educate their people, we will continue to see alarmingly high engagement with phishing emails.”
NOT understanding that people are the biggest security risk
Jacob Ackerman, the Chief Technology Officer at SkyLink Data Centers, said, “I recommend that companies test their staff with fake phishing emails. Exercises like this will create a level of awareness and preparedness amongst the team.
People are the easiest way to gain access, especially given all the great technology tools like firewalls, etc. For example, something as simple as a sticky note posted on a computer monitor with a written down username and password reminder might be all a hacker needs to penetrate your network. A hacker could subtly angle their camera phone to grab a pic of it in the middle of a casual conversation with the associate at their desk.
Your IT people can’t protect you from maintenance uniforms! If you have third-party office cleaning, air conditioning, and other vendors walking through the office (especially after hours), any password information left available on desks is a risk.
Stop your staff from writing down passwords and storing them in a drawer or under their keyboard. Also, business owners or technology leaders that are in a first-floor building should regularly walk around the perimeter outdoors and inspect what can be seen through windows. You may be surprised what kinds of information staff have visible at their workspace.”
Not Understanding How Thorough and Determined Hackers Are
Mike Baker, Founder and Managing Partner at Mosaic451, said, “Hackers examine the target company’s website and social media networks and learn about the company’s employees, their positions and responsibilities within the company, even their personal interests and hobbies – anything that they could use to make the phishing email look more genuine.
Phishing has become a great sport for cyber criminals because they offer a simple but highly effective cyber attack vector that takes advantage of the most vulnerable of prey – humans! One of the human vulnerabilities phishers exploit is employee desire to please bosses or authority figures. Employees should be encouraged to ask questions about any requests that seem “off,” even if the request appears to have come from a top executive.
Because phishers scour company websites and social media networks for personal information on executives and employees – and information about the company’s activities, such as new clients and new markets – businesses (or anyone) should be cautious about what they post publicly on the web. Likewise, organizations should educate their employees on the dangers of posting too much information on their personal sites. A hacker looking to launch a phishing attack may examine employees’ personal social media feeds as well.”
A lack of security policies
Aaron S. Birnbaum, the Chief Security Officer at Seron Security, said, “The most popular goal of this can be achieved by persuading a user to download malicious software (malware) compromising the network the user is operating on. This can be done by disguising an email attachment with a common name (e.g. ‘spreadsheet.xlw’, or ‘file.pdf’), or by directing a user to click a link to visit what they think is a safe site.
A common example would be a notice from your bank that your account has been compromised and you need to click a link to reset your password. When you click the link in the email, you are directed to a website that looks very much like the real site, but is hosted at a different location. An example of this might be a request to update your password at 1inkedIn.com or Linked1n.com instead of the real website LinkedIn.com. Users that aren’t paying close attention can easily fall victim to these tricks.
If you get a request from someone that seems ‘strange’ pick up the phone and verify the request. Have a security policy for employees with specific examples of how to deal with possible situations. Look for typos, poor grammar, misspellings or bad links to images in emails and websites.”
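Birnbaum’s `1inkedIn.com` and `Linked1n.com` examples are lookalike domains built from characters that read alike at a glance. The Python below, an added illustration and not code from the article or from Seron Security, is a small detector for that class of trick: it reduces a domain label to a visual “skeleton” so that confusable characters compare equal, falls back to an edit distance for one-character typos, and also catches a brand name buried in a longer label such as the `amazon-support` address mentioned earlier on this page. The brand list and candidate domains are constructed inputs.

```python
# Added example (not code from the original article or from the quoted
# expert): a lookalike-domain detector for the '1inkedIn.com' trick. Brand
# list and candidate domains are constructed inputs.

# Characters that read like another one at a glance map to a single form.
# Multi-character pairs are replaced first so that 'rn' becomes 'm' before
# the single-character pass runs.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))
CHAR_CONFUSABLES = {"1": "l", "i": "l", "|": "l", "0": "o", "3": "e",
                    "5": "s", "7": "t", "8": "b", "2": "z", "4": "a"}


def skeleton(label: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    text = label.lower()
    for pair, single in MULTI_CONFUSABLES:
        text = text.replace(pair, single)
    return "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in text)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domain labels are short enough for the O(n*m) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """The label just left of the TLD ('linkedin' in 'www.linkedin.com').
    Naive about multi-part suffixes such as 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str, brands):
    """Return (brand, reason) when the domain imitates a brand, else None."""
    clean = domain.lower().rstrip(".")
    registered = ".".join(clean.split(".")[-2:])
    sld = second_level(clean)
    for brand in brands:
        brand_sld = second_level(brand)
        if registered == brand.lower():
            return brand, "exact brand domain"
        if skeleton(sld) == skeleton(brand_sld):
            return brand, "homoglyph lookalike"
        if levenshtein(sld, brand_sld) <= 1:
            return brand, "one-character typo of brand"
        # Brand name buried in a longer label, e.g. 'linkedin-support'.
        # Very short brand names would need a stricter rule than substring.
        if len(brand_sld) >= 5 and brand_sld in sld:
            return brand, "brand name embedded in label"
    return None


if __name__ == "__main__":
    BRANDS = ["linkedin.com", "amazon.com", "paypal.com"]
    for candidate in ["1inkedin.com", "linked1n.com", "linkdin.com",
                      "linkedin-support.com", "paypa1.com", "example.com"]:
        print(candidate, "->", classify_domain(candidate, BRANDS))
```

The skeleton step is what catches both of Birnbaum’s examples with one rule: `1inkedin` and `linked1n` collapse to the same string as `linkedin`. A registrar-facing or mail-gateway deployment would extend the confusable table to Unicode and use the Public Suffix List instead of the two-label shortcut, but the decision logic stays the same.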
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at firstname.lastname@example.org