Phishing season is in full swing, with a more sophisticated and increasingly deceptive hacking methodology that can hook even the savviest of us into providing confidential information. It\u2019s why we found it fitting to round up a few examples of the most common and prevalent attacks we have faced this year. We also wanted to demonstrate ways to identify and avoid putting you or your company\u2019s sensitive data at risk.<\/p>\n
Although we\u2019ve discussed phishing<\/a> before; it is a topic that requires our attention as the campaigns continue to evolve and the implications for businesses and individuals become more profound.<\/p>\n Managing Sensitive Data:<\/strong><\/p>\n An attack can start from someone within your organization unknowingly opening an attachment or link from what they believe to be a trusted source; including emails within the same organization, or a client they\u2019ve frequently corresponded with.\u00a0 These links or attachments have embedded code which can not only infect your network with ransomware<\/a>, but provide unauthorized access to someone from the outside. \u00a0In fact, according to Verizon, an astonishing 67% of cyber espionage begin with a phishing email.<\/p>\n Take the recently publicized, not to mention successful,<\/em> attack against the Milwaukee Bucks<\/a> when\u00a0 an email impersonating the team president Peter Feigin was sent requesting W-2s. \u00a0Naturally, an employee replied, attaching the 2015 tax records for all Bucks\u2019 employees, including athletes. It provided salaries, social security numbers, and addresses for anyone on payroll that year. This sensitive information is now in the hands of phishers, who are capable of tampering with the financial health of victims, from an assistant to one of their most widely recognized NBA stars, Jabari Parker.<\/p>\n Tips from the Experts:<\/strong><\/p>\n Never provide\u00a0personal or financial data in an email, do not respond to messages requesting this, especially if you are responsible for the safety\/integrity of others\u2019 information.<\/em><\/strong><\/p>\n While you may take comfort in believing these attacks only occur at major organizations, think again.\u00a0 The IRS<\/a> recently released an alert reporting an approximate 400 percent surge in phishing and malware incidents so far this year.\u00a0 These attacks effect individuals<\/a> as well as SMBS and are normally directed toward Human Resource or Accounting professionals in what appears from the President, CEO, or high ranking executive within the organization.<\/p>\n There are two typical approaches used in phishing scams; either using an email address similar to someone you may know, or, when a phisher has gained access to the network and is using someone\u2019s email credentials to impersonate them outright.<\/p>\n It\u2019s why, when opening any message, to practice caution and be aware of today\u2019s phishing techniques.\u00a0 Take a recent scam targeting a PR agency<\/a>.<\/p>\n A journalist received an email from a known contact who they had worked with in the past. However, being the sleuth she was, the journalist identified a few key inconsistencies between this message and others she had received in the past.\u00a0 For instance, the subject line was omitted, the message body was generic and requested she click on a link which appeared to be a Dropbox page, when in fact it was a harvesting page that captured email credentials.<\/p>\n Thanks to the journalist\u2019s suspicions, she was able to prevent the phishing scam from spreading through her network.\u00a0 Unfortunately, the same could not be said for the sender who was already aware of two internal employees that fell for the scam, giving full access to the phishers.<\/p>\n Tips from the Experts:<\/strong><\/p>\n Trust your gut.\u00a0 If the message appears odd, don\u2019t open it.\u00a0 Contact your IT department and delete it.<\/em><\/p>\n Identifying a Phishing Attack:<\/strong><\/p>\n Below are a few different types of phishing scams and ways to protect yourself:<\/strong><\/em><\/p>\n – Pharming: Is a scheme where hackers tamper with the company\u2019s host files or domain so that web visitors are redirected to a fake site; often resulting in customers entering confidential information or making purchases on a site that is controlled by the phishers who capture the data. While shopping or entering your private information online, check that the URL of the site is authentic and look for the secure certificate.<\/p>\n – Executive Fraud: A style highlighted in this article where phishers use a similar email address of a decision maker to request data or payments from others within the company. This style of attack primarily directs itself toward human resources for data, or accounting to process a funds transfer.\u00a0 The easiest way to avoid it would be by confirming with the sender in person before processing any type of transfer request made via email.<\/p>\n – Deceptive Phishing: Emails portrayed as a recognized source requesting you to verify your account, re-enter information, or make a payment.\u00a0 This method is commonly used to collect details to access your bank account.\u00a0 These can be identified by generic greetings or a request for information that the source should already have on file.<\/p>\n – Google Docs \/ Dropbox Phishing: Also discussed in this article, is a tactic used through sending a realistic email with a secure click-through for recipients to download a shared document or enter their credentials. The objective with fraudulent Dropbox attacks is to install malware onto your computer.\u00a0 While the Google Docs style approach requests account credential verification on a site that appears authentic, the reality is that it is owned by the phisher<\/p>\n Tips from the Experts:<\/strong><\/span><\/p>\n Remember to question emails requesting action, check that validity of links before clicking on them, never provide banking details or credentials via email, and finally, report suspicious emails to your IT department and notify the real sender.<\/em><\/strong><\/p>\n Solutions:<\/strong><\/span><\/p>\n Aside from today\u2019s advanced phishing techniques, the most overlooked security risk to data and information breaches is the human factor.\u00a0 TSI offers proactive tools to combat phishing attacks by providing real-world phishing simulations to test your staff and identify areas for improvement.\u00a0 However the most important service we provide to prevent future phishing outbreaks is education. We complement our security tools by providing employee training to minimize the opportunities for a successful attack or breach.\u00a0 To learn more on how our simulation phishing security tests & educational trainings can benefit your organization, contact us<\/a> today!<\/p>\n If you found the information in this blog post helpful and you'd like to discuss your business' technology strategy, then we'd be happy to hear from you.<\/p>\n<\/div>\n\t<\/div>\n<\/div>\nWhen in Doubt, Trust Your Gut:<\/h5>\n
\n\t\tConfident with Your IT Strategy?<\/span>\n\t<\/h2>\n\t<\/div>\n<\/div>\n