ETS - Erb's Technology Solutions, Connecting People with Technology

Don’t Go Phishing

January 25, 2019


Just like fishing, there are many ways to reel one in and attackers will try anything to get you to bite.

These people are very skilled at what they do and can create emails that look so much like the real thing that even the savviest staff member can easily be caught out at the end of a busy day. For that very reason, phishing scams are often deployed towards 5pm or last thing on a Friday when people just want to get home and take their eyes off the ball. Just like the fisherman sitting patiently at the riverside, hackers know that if they wait long enough, someone will bite sooner or later.

When most people think of cyber-attacks and data breaches, they think of a hooded hacker hammering away at the keyboard in a dark corner somewhere using complex commands to get past firewalls and steal passwords.


The reality is that imposter emails, or phishing emails, are the most common entry point for hackers. And unfortunately, the perpetrators of this simple scam don’t have to know a lick of code to pull it off.

Phishing emails play to our innate psychology. By impersonating a person or organization with a high level of authority—and urging immediate action—these emails are dangerously persuasive.

Given the success rate of phishing attacks, phishing emails will continue to be a growing problem for businesses and consumers alike. Here are just a few examples of phishing emails in use over the past year:


Attackers get creative when it comes to imitating trusted brands and authority figures, registering look-alike email addresses or setting a display name on the message so that it appears to come from someone it isn’t.


For example, if your boss’s email is tom@erbsconnect.com, you may receive an email from tom@erbsconect.com and not notice the difference, because the bolded display name next to it shows his or her first and last name. Double-check that the domain is the legitimate one and doesn’t contain a subtle spelling error, and look for the same kind of mistakes throughout the rest of the email.
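As an added example (not part of the original post), here is a small Python checker that applies these checks to a From: header. It flags a sender domain within one or two edits of a trusted domain (such as erbsconect.com), a trusted name buried inside a longer untrusted domain, non-ASCII look-alike characters, and a display name that belongs to a colleague but is paired with a different address. The trusted domain list and the colleague directory are constructed for the example; the sample headers are made up.

```python
import email.utils

# Constructed for this example: the domain(s) the organization actually sends from.
TRUSTED_DOMAINS = ("erbsconnect.com",)

# Constructed for this example: display names of colleagues and their real address.
KNOWN_SENDERS = {"tom erb": "tom@erbsconnect.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """The part after the last '@', lower-cased, without a trailing dot."""
    return addr.rpartition("@")[2].lower().rstrip(".")


def check_sender(from_header: str) -> list:
    """Return (code, detail) findings for a From: header; an empty list means nothing suspicious."""
    name, addr = email.utils.parseaddr(from_header)
    domain = sender_domain(addr)
    findings = []

    if domain and domain not in TRUSTED_DOMAINS:
        # A Cyrillic letter in place of a Latin one renders identically on screen.
        if not domain.isascii():
            findings.append(("non-ascii-domain", domain))
        for trusted in TRUSTED_DOMAINS:
            dist = levenshtein(domain, trusted)
            if 1 <= dist <= 2:
                # erbsconect.com (one letter dropped) lands here
                findings.append(("lookalike-domain", f"{domain} ~ {trusted}"))
            elif trusted in domain and not domain.endswith("." + trusted):
                # erbsconnect.com.account-verify.net: the trusted name is only a decoy prefix
                findings.append(("embedded-trusted-domain", f"{domain} contains {trusted}"))

    # The display name is a colleague's, but the address behind it is not theirs.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append(("display-name-mismatch", f"'{name}' is {expected}, not {addr}"))

    # The display name itself is an address that differs from the real sending address.
    if "@" in name and name.strip().lower() != addr.lower():
        findings.append(("display-name-address-mismatch", f"shows {name}, sends from {addr}"))

    return findings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, four impostors.
    for header in (
        "Tom Erb <tom@erbsconnect.com>",
        "Tom Erb <tom@erbsconect.com>",
        "IT Support <help@erbsconnect.com.account-verify.net>",
        '"tom@erbsconnect.com" <billing@mail-secure.net>',
        "Tom Erb <tom@erbs\u0441onnect.com>",
    ):
        print(header, "->", check_sender(header) or "ok")
```

The edit-distance threshold of two catches dropped, swapped or doubled letters without flagging every unrelated domain; anything it reports still needs a human to pick up the phone, as the post advises.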

Attackers also use this tactic to pressure you into making a decision in haste. If you receive a message from an authority figure, like your boss, asking you to do something quickly, err on the side of caution. Your boss should not ask you to send credit card information or route money to another account via email. If you do receive a call-to-action like this in your inbox, pick up the phone and call the person to confirm the request is legitimate, using a number you already have rather than one given in the email.


Other common scams include:

  • Account suspension/expiration. A scammer poses as a software provider, sending something that says “Your account is about to expire. Click here to renew it.” The link leads to a fake payment page imitating a trusted site, built to steal your credit card information.
  • Fake order/invoice. You receive an email saying you missed a payment or were charged for something you didn’t purchase, with an invoice attached for your review. You open the PDF and your machine is infected.
  • Fake refunds. These could be sent to your department email, saying something like “You were regrettably overcharged. Here’s your refund.” You click the attached refund statement or link and get infected with malware.
  • Fake resume/cover letter. HR departments should be especially mindful of this one. The attacker poses as an applicant, sending a link or attachment describing their prior job history that carries malicious code.
  • Prizes. The email shares the exciting news that you won money or a gift. “Please fill out this form and we will mail you your prize!” The attacker collects your personal information and uses it to impersonate you or to steal further information.
  • Friends requesting help. This is the classic email that appears to come from a friend, saying “I’m traveling out of the country and can’t access my checking account here. Can you send me money and I’ll pay you back when I return?”
  • Tech support scam. The attacker mimics your tech support and emails you about a threat, saying “We think you have a virus,” and asks you to take an action or grant them remote access to your computer to remove it.
  • Data request. A scammer poses as your HR head and says “I need you to fill out this W-2 and send it back to me,” or asks you to reconfirm your bank routing number because they were having problems cutting your check.


There are ways to avoid falling prey to phishing attacks. Here are a few top tips:

Stay Informed. Education is everything, and that goes for you and your staff members. New scams are being developed every day, so it pays to sign up to regular updates and guides that will keep you in the loop. Cyber Security training for all IT users is also highly recommended so you can be confident that everyone knows what to look out for.

Always be suspicious. OK, so it’s a bit miserable going through life being cynical, but there are some situations where it pays to expect the worst. If an email doesn’t look quite right, it probably isn’t. If you’re not sure, hover over a link before clicking it to see where it actually leads; the visible link text can say one thing while the underlying address points somewhere else entirely. If you don’t recognize the website address, or it’s full of odd-looking symbols, avoid it like the plague.
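The hover check in code, as an added example that is not from the original post: a Python routine that pulls every link out of an HTML mail body and flags the tricks that make the real destination differ from what the reader sees (link text naming one site while the href goes to another, a raw IP address as the host, a decoy name before an `@` that browsers ignore, and non-ASCII look-alike characters in the host). The HTML body is constructed for the example and points only at documentation and example hosts.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style HTML body for the example (not a real message).
SAMPLE_BODY = """
<p>Your account is about to expire. Renew within 24 hours to avoid suspension.</p>
<p><a href="https://erbsconnect.com/billing">Renew now</a></p>
<p><a href="https://secure-login.example.net/renew">https://erbsconnect.com/renew</a></p>
<p><a href="http://192.0.2.10/pay">Pay invoice</a></p>
<p><a href="https://erbsconnect.com@login.example.net/">Sign in</a></p>
<p><a href="https://erbs\u0441onnect.com/login">Log in</a></p>
"""

# Visible link text that itself looks like a URL or a bare domain.
URL_LIKE = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_and_user(url: str):
    """Hostname and userinfo of a URL; bare domains get a scheme so urlsplit parses them."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.username


def check_links(html: str) -> list:
    """Return (code, href) findings for links whose real target differs from what is shown."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, user = host_and_user(href)
        if user is not None:
            # https://erbsconnect.com@login.example.net/ : browsers drop everything before '@'
            findings.append(("userinfo-in-url", href))
        try:
            ipaddress.ip_address(host)
            findings.append(("ip-address-host", href))  # legitimate services rarely link to a raw IP
        except ValueError:
            pass
        if not host.isascii():
            findings.append(("non-ascii-host", href))  # homoglyph domain
        if URL_LIKE.match(text):
            shown_host, _ = host_and_user(text)
            if shown_host != host:
                findings.append(("text-host-mismatch", href))  # text names one site, link goes to another
    return findings


if __name__ == "__main__":
    for code, href in check_links(SAMPLE_BODY):
        print(f"{code:20} {href}")
```

The parser keeps the link text and the href together, which is exactly the comparison the hover tip asks a human to make; the "Renew now" link in the sample passes because its text makes no claim about where it goes.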

Get protection. Install anti-virus protection, spam filters, web filters and anti-phishing toolbars, and make sure they’re always kept up to date. Failure to install the latest patches and updates leaves organizations wide open to threats. Monitor the anti-virus status of all equipment, particularly mobile devices that are used outside of the working environment.

Think ahead. Develop a robust IT security policy that includes everything from Bring Your Own Device to password management and backups. Make sure all sensitive company information is encrypted and that all mobile devices – including those that belong to staff members – have to pass security protocols before they can access your network.


The best way to keep the phishermen away? Put your IT security in the hands of trusted professionals. Contact Us.