Chances are, you’ve heard the word “Phishing” during your time on the internet. If you didn’t know, this seemingly innocent word is actually describing criminal attempts to gain someone’s private username and passwords. In fact, it is one of the most popular choices in cybercrime today. After all, it’s far easier to simply login to your sensitive accounts to steal your information once they’ve “phished” you, than it is to spend that time trying to hack into your computer.
What should you be looking out for?
This is the classic, old-school style phishing. People will impersonate a real company, usually one that you’ll know, and request that you log in. Typically, this is expressed with urgency in attempt to make you forget to check its authenticity, and immediately fall for their ruse. For example, the email you receive may seem to be from your email provider, requesting that you login to ensure that your account isn’t deleted. Once you click the link provided in the email, it immediately sends you to a fake copy of a login page, where you enter your email username and password. Once you’ve done that, they then have complete control over your account.
This is similar to your standard phishing, but with a little twist. This is a personal, targeted attack. They achieve this by looking over any personal profiles you may have online, whether it be on a job website where you work, or your Facebook page, or any social media you have attached to you, your name, or your email address. Let’s say for example that you have mentioned that you’re a huge fan of motorsports on your page. That increases the chances of an email showing up in your account with some sort of reward attached, like a contest you have to sign up for in order to win free tickets to the Grand Prix! Much like the previous, more basic version of Phishing, this idea of a reward is enough to make people let down their guard, and enter their information for a chance at something they want for free.
This one you may not be so familiar with. Rather than going for people in general, this specifically targets upper level management in companies in order to gain complete control over their accounts. Once they have access, this usually leads to what is referred to as, “The Man-in-the-Middle Attack.” That is where an email from the compromised account is sent to someone in the same business with authority to transfer money to a “new supplier.” You guessed it: that “new supplier” is the criminal themselves! This attack sets up forwarding rules to ensure that the people that this affects don’t actually communicate with each other, as that will guarantee that their fraud will be shut down. Successful “Whaling” is known to steal thousands of dollars from companies, and in some cases, be devastating to both the business, and the employees there as well.
What can you do about it?
Get proactive! Make sure that you have a defense set up so you don’t have to worry about what might or might not be a scammer trying to get into your account. You can to go specialist companies like Mailguard (www.mailguard.com.au) who can protect your account and your privacy extremely well, including fast-breaking threats. In fact, your IT department can help you set up a service just like this in order to prevent attacks from even getting to your email!
You’ve already started this step by reading this article of course, but you can learn even more! Education is the strongest and most valuable weapon at your disposal to safeguard against these threats. Constant, and in-depth training helps you, and helps your team identify threats that may arrive in your inbox. Knowing how phishing works, how the fraudulent emails are constructed, and the common tactics that these criminals use, will make sure you can stop them before they even get started.
Two-Factor Authentication (2FA):
Enabling 2FA on all of your Software as a Service (SaaS) applications is a major step in preventing unauthorized access. Most online services have this as an option due to the heavy amount of cybercrime on the internet. This can be done via SMS, however, it is not widely regarded as a highly secure method anymore. Google Authenticator or Authy are two popular phone apps that provide one time codes that can be used to login to your account. This will be sent to you, and only you, making it harder for hackers and phishers to get into your account, and is highly recommended.
Let’s do a little show of hands: How many of us use the same password for all our accounts? The amount of hands that we would metaphorically see in this situation would be…a lot. Criminals rely on the fact that most of us are, frankly, too lazy to remember multiple passwords, and that we’ll reuse them for most accounts. If they know the password to your Facebook or email, they know that you might use the same, or similar password in order to get into your bank account. Look into Password Managers, like LastPass (www.lastpass.com). These sites provide simple ways of improving your online security by generating unique and complex passwords for individual sites.
How to Spot a Phishing Attempt:
It’s important to spot the suspicious email before you become a victim of phishing. Here are some common tell-tale signs that the email you’ve received isn’t legitimate:
- Check the email address, not just the display name. Tricks like using similar characters like “rn” instead of “m” are hard to spot when you’re not paying attention.
- Is the email forceful and urgent? In order to encourage action, phishing emails will usually request you to login to your account and resolve a pending deletion or account suspension that requires immediate action.
- Does the email have a strange, unexpected attachment? It could even be from someone you know, but keep in mind that just a simple word document can contain malicious software that will infect your computer.
- Did you notice while you read the email that the grammar is a little… “off”? Many attacks are sent from overseas with people who used a translator, or simply learned English as a second language, so the message supposedly from Microsoft might be stilted, with grammatical errors and strange sentence structures.
- Check the links! Just like the aforementioned email addresses, does the link say it’s one thing, but when you mouse over it, does it say that its true destination is different? Hover over the link to let it tell you where it’s going to actually send you.
DWM has developed a security stack to protect businesses against these kinds of threats. We care about security, and we’ll do our best to make sure that you, your team, and your business, are shielded from these attacks. Contact us today to see how we can help you.