“I get a ton of scam emails. But instead of deleting them, I decided to hit reply.” – James Veitch
Phishing scams have become steadily more common over the past decade. According to the data, phishing attempts have grown more than 60% in the last year, and currently account for more than 90% of data breaches and information leaks.
Cyber crime in general, and phishing in particular, should be of paramount concern to every business owner, especially those who handle sensitive information or process payments. Beyond the losses incurred during the event itself, which average around $1 million, a breach puts billions in revenue and reputation at risk even six months afterward.
Why Is Phishing Such A Problem?
Phishing is a particularly insidious type of hacking because it relies mainly on social engineering to trick users into believing that a site, link, or message is legitimate. This makes human error, in your IT department or anywhere across your network, the biggest threat to your company’s security. Your security team plays a big role in prevention and defense, but it shouldn’t operate as an island, as this case study shows. All employees should be aware of the tell-tale signs of potentially dangerous emails.
Phishing emails look like innocuous emails from trusted sources, and they get more sophisticated every year. There are ways to spot phishing sites, and preventative measures you can take against the social engineering tactics that hackers use. These are the most common types of phishing emails, and how to avoid them.
1. “Update” Requests
A common tactic is for a seemingly legitimate service you use regularly, such as Google Hangouts or Skype, to send you a link to an “updated version” of the program. This bypasses the security measures built into automatic updates. It is good practice to require two-step authentication for links and for installed updates of any kind on your server. Using an internal office messaging system, rather than a cloud-based one like Google’s, also makes it harder for attackers to plant phishing links in your messages.
2. Docusign
Many companies use the electronic signature service Docusign. Even if your own company doesn’t use Docusign for digital signatures, chances are you have suppliers, clients, or partners who do. To spot a fake Docusign email, check the sender. If it isn’t one you recognize, delete the email without opening it. If you receive what looks like a legitimate Docusign email, look for the unique security code at the bottom of the email to verify its authenticity. If you receive a fake Docusign email, report it to the real site immediately.
3. Mobile Attacks
Android is the second most popular target for phishing schemes after Windows. Mobile networks are less secure than corporate email and your company network. As remote work becomes more common, these less secure networks have become a bigger security risk for companies large and small.
With inboxes becoming better at blocking spam and malware before it reaches you, bigger threats will arrive through SMS text messages or other messaging services. It is good practice to secure your mobile connections with a VPN, making them harder to detect, especially where open Wi-Fi connections are concerned.
4. Credential Theft
The Docusign phishing attacks mentioned above are usually an example of credential theft, where a hacker sends out a deceptive email masquerading as a legitimate site and asks for authentication, such as reconfirming your password or signing in to update your profile.
Common targets are PayPal and Amazon accounts. Often these emails come with urgent subject lines, but they are getting more sophisticated. Not only can they compromise your personal and company networks, they can also damage your business: customers who have received phishing emails impersonating your website may be reluctant to interact with a genuine email or newsletter from you.
Regular cyber security training for your employees, and keeping customers and clients informed about any hackers that may be masquerading as your website or affiliate, can help protect you and your business.
5. Ransomware
Another malicious attack commonly spread through email phishing is ransomware. In these attacks, malware downloaded through what looks like a legitimate email hijacks an essential part of your system until you pay the attackers a ransom.
The best protection against ransomware is cyber security knowledge. Use reasonable caution with familiar-looking emails that carry urgent subject lines, ask you to update or change information, or are not sent over a secure office email system.
Your IT team and a penetration testing firm can help protect you from the worst of ransomware attacks, and remove a threat once it’s been detected.
6. AI-Based Phishing Scams
Today, spam and phishing scams are so common that even web-based email services can spot the most obvious markers. But AI-based phishing scams are getting smarter all the time. The same algorithms that Google or Amazon use to tailor your search results are being used in targeted spear-phishing scams, which can then track your data or skim credit card and other sensitive information to compromise your finances or identity.
Common variations include tax scams, bill notices, or other financial threats from supposedly well-respected sources. Protect yourself by checking the URL of any link in an email, and by setting up two-step verification for sensitive information, such as financial information.
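One way to automate the two manual checks this article recommends, verifying where a link really goes (above) and checking the sender of a Docusign-style email (section 2), as an added example that is not the article's or any vendor's own code; the brand table is a constructed stand-in for a real allow-list, and every address and URL below is a made-up sample input:

```python
import re
from urllib.parse import urlparse

# Constructed table for the brands the article names. A real deployment would list
# every legitimate domain each brand actually sends from, not just one.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "docusign": "docusign.com"}

def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def brand_lookalike(host: str):
    """Return the brand a host imitates (brand name present, registrable domain differs), else None."""
    host = host.lower()
    for brand, real in KNOWN_BRANDS.items():
        if brand in host and registrable_domain(host) != real:
            return brand
    return None

def sender_warnings(from_addr: str) -> list[str]:
    """Flag a From: address whose domain imitates one of the known brands."""
    domain = from_addr.rsplit("@", 1)[-1].strip("> ").lower()
    brand = brand_lookalike(domain)
    return [f"sender domain {domain} imitates {brand}"] if brand else []

def link_warnings(display_text: str, href: str) -> list[str]:
    """Return the tell-tale signs that a link's visible text hides a different destination."""
    warnings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme: {parsed.scheme or 'none'}")
    elif parsed.scheme == "http":
        warnings.append("link is not HTTPS")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("destination is a raw IP address")
    if "xn--" in host:
        warnings.append("punycode hostname; possible homoglyph domain")
    if "@" in parsed.netloc:
        warnings.append("userinfo before host; the real host is hidden after '@'")
    # Only compare hosts when the visible text itself looks like a URL or domain.
    shown = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:]|$)", display_text.strip().lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        warnings.append(f"text shows {shown.group(1)} but link goes to {host}")
    brand = brand_lookalike(host)
    if brand:
        warnings.append(f"'{brand}' appears in lookalike domain {host}")
    return warnings
```

An empty list means none of these heuristics fired, not that the link is safe; the checks are a triage aid for the human review the article describes.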
7. A Fake Message From A Boss or a Supervisor
Hackers try to instil a sense of urgency in an email, and will often masquerade as the company’s CEO or a supervisor. Sometimes the message demands a transfer from an account, or a change of names or passwords. Other times these messages may ask you about a social media post, with a link to malware that will infect your network or company website.
This is another situation where an inter-office messaging system and basic cyber security training can avoid bigger problems later on. To protect yourself and your company, use company email and email protocols, so everyone will notice when a message is false.
Hacking is unlikely to slow down in the near future, and email phishing in particular has become more inventive over the years. But there are good reasons to hope for a more secure digital future for yourself and your company. Your main concern should always be human error, and regular training against the latest phishing scams will help you spot weaknesses in your organization.
As more and more companies move to the cloud, keeping your networks secure matters not only to individuals but to corporations large and small. Transitional periods will pose particular challenges for cyber security, but a good IT team and regular pen-testing can make a world of difference to a well-trained, digitally savvy team.
About the author:
Alex Thornhill writes on business matters for EfficientIP that keep your company safe, healthy and thriving.