As usual, puns make the world go round. This brings us to an important topic, and one that must start with some form of infographic backed by research. That's right, we are official now. With stats and stuff.
Before you go researching plagiarism accusations or what have you, let us list our sources for this particular blog. First source: the Ponemon Institute's study "The Cost of Phishing and Value of Employee Training", sponsored by Wombat Security, August 2015. We also take some material from the report "Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within", Kaspersky Lab and B2B International, June 2017.

So what is phishing exactly? Is it the same as a social engineering attack? To simplify, yes. Phishing is one form of social engineering attack, although not the only one. Phishing, just like it sounds, is a tactic used by attackers who want to steal your data or get past your security. Most commonly it arrives as an email with an attachment or a link, in the hope of convincing the recipient to open the attachment or click the link. The link will look legitimate and redirect the recipient to a website that looks familiar. The recipient keys in their email and password to "access" whatever the link promised, and whoever sent the fake link now has the credentials to the recipient's account and can hijack it, read it, or manipulate it to their advantage.

So let's start the process in a simple way, from a social engineering perspective. What really is social engineering? It is, as the name says, the engineering of an environment designed to convince you it is a legitimate one. Say I want access to a particular staff member's company email account. I would start by researching social media such as LinkedIn to find the person's name. I would go through the company's website to look at the full team, and it may well include the name and email address of the head of IT.

Then I register a domain that looks very similar to your company's domain. Say your company is abc.com and your IT department's address is firstname.lastname@abc.com. All I have to do is register abc.co and create firstname.lastname@abc.co. I then send you an email that looks awfully similar to one you would receive from inside your organisation, asking you to change the password of your account "for security". At a glance you would take this email to be from your IT department, key in your current credentials and change them to new ones. The fake page shows a success message for your password change and you think nothing of it.
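The lookalike-domain trick above (abc.co standing in for abc.com, the IT department's display name borrowed, a link to a fake reset page) can be caught mechanically before it reaches an inbox. The following is an added example written for this post, not code from IT Block or from the studies cited; the domain abc.com, the "IT Support" directory entry and the three sample messages are constructed for the demonstration, and the homoglyph table is a short illustrative subset.

```python
"""Flag sender tricks used in lookalike-domain phishing: a domain close to ours,
a display name borrowed from a real colleague, a Reply-To pointing elsewhere,
and links to lookalike hosts. Added example with constructed data."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "abc.com"                                # assumption: the organisation's real domain
KNOWN_STAFF = {"IT Support": "it.support@abc.com"}    # assumption: display name -> real address

# Constructed sample messages (not real mail).
GENUINE = """\
From: IT Support <it.support@abc.com>
To: alice@abc.com
Subject: Scheduled maintenance

The mail server will restart at 22:00.
"""

LOOKALIKE = """\
From: IT Support <it.support@abc.co>
Reply-To: helpdesk@outlook.com
To: alice@abc.com
Subject: Change your password today

Please change your password at https://abc.co/reset within 24 hours.
"""

SPOOFED_NAME = """\
From: IT Support <random123@gmail.com>
To: alice@abc.com
Subject: Urgent: verify your account

Verify here: http://abc.com.verify-login.net/account
"""

# Small illustrative set of visually confusable substitutions (rn -> m, 0 -> o, ...).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def normalise(domain: str) -> str:
    """Undo common homoglyph swaps so abc.c0m compares equal to abc.com."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; abc.co is 1 edit away from abc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ours(domain: str) -> bool:
    domain = domain.lower()
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True for domains that imitate ours without being ours:
    a few edits away (abc.co, abc.c0m) or with our name as a leading label
    (abc.com.verify-login.net). Our own subdomains (mail.abc.com) are not flagged."""
    if is_ours(domain):
        return False
    norm = normalise(domain)
    return levenshtein(norm, OUR_DOMAIN) <= max_distance or ("." + OUR_DOMAIN + ".") in ("." + norm + ".")


def domain_of(address: str) -> str:
    return parseaddr(address)[1].rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    real = KNOWN_STAFF.get(display)
    if real and addr.lower() != real:
        findings.append(f"display name '{display}' belongs to {real}, not {addr}")
    if msg["Reply-To"]:
        rt_domain = domain_of(str(msg["Reply-To"]))
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in URL_RE.findall(text):
        if is_lookalike(host):
            findings.append(f"link to lookalike host: {host}")
    return findings


if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed name", SPOOFED_NAME)]:
        print(label, "->", check_message(sample) or "clean")
```

The genuine message produces no findings; the abc.co message trips all four checks; the Gmail message is caught by the borrowed display name and by the link whose host starts with our domain name but is registered under verify-login.net. Edit distance on its own would miss that last pattern, which is why the label check is there too.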
So now whoever did this has full access to your account, including your mailbox, and can pull every piece of information out of it. They then email your colleagues from your address in an attempt to gather more credentials and information, and the process repeats slowly throughout your organisation. Invoices, contracts, client lists, leads and anything else you can think of have been gathered. These leads somehow make their way onto platforms that sell leads to companies, and now you have a competitor homing in on an account you took years to build. All of your prospects and projects can be sold; the information you thought was secret is no longer secret. A client who is getting a quote from you gets a cheaper quote from a competitor, and you lose the project thinking your client lied when they said yours was the only company they had approached. Although it may look that way, the leak came from within your organisation.

It sounds like the stuff of spy novels, but this is happening right now. Accounts are compromised this way every hour of every day. Approximately 4-5 hours per employee per year are wasted as a direct result of phishing scams, a drag on the productivity of both the employee and the organisation. And as the infographic shows, the cost and impact are significant: an average of around $400 per employee per year that we know of, or around $83,000 per small or medium-sized business. Money is constantly leaking at the seams, and it is imperative to close up these leaks wherever they may be.
So what can you do? What is the solution to this problem? The most important thing is employee training.
Something as simple as the email in the image can easily extract credentials from staff. Your staff need to be trained to identify such suspicious and malicious emails. All you need is to hire an expert to come down, go through some of these emails with the staff, and train them to recognise phishing emails. Training should always be a priority and the first thing done. At the very least, if you receive an email that looks suspicious, forward it to your IT department or service provider to validate it for you. They can help you block emails from that sender in future, which reduces the chance of your staff falling for the same scam, though attackers register new lookalike domains cheaply, so a sender block is a short-term fix rather than a lasting one.

Apart from training, there are many products on the market that are essentially spam blockers. Some go beyond that and can block not only phishing emails but also mail from compromised email addresses. Of course, this is not a set-and-forget solution and it needs administration. You do not want important emails from your clients sent to the spam folder or deleted before you ever get the chance to read them.
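What a mail filter actually looks at when it decides between delivering, flagging and quarantining is the Authentication-Results header that the receiving mail server adds after checking SPF, DKIM and DMARC. The following is an added example for this post, not code from IT Block or from any product; the client domain client-corp.example, the authserv-id mx.abc.com and the three sample messages are constructed. It shows the trade-off from the paragraph above: a known client whose mail fails authentication is flagged for a human rather than dropped, while a message impersonating our own domain that fails DMARC is quarantined.

```python
"""Decide a disposition for inbound mail from its Authentication-Results header.
Added example with constructed data."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

AUTHSERV_ID = "mx.abc.com"                    # assumption: our own mail server's authserv-id
TRUSTED_SENDERS = {"client-corp.example"}     # assumption: client domains never to be quarantined outright
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I)

# Constructed sample messages (not real mail). Header lines are folded as a real MTA would write them.
VERIFIED = """\
Authentication-Results: mx.abc.com; spf=pass smtp.mailfrom=client-corp.example;
 dkim=pass header.d=client-corp.example; dmarc=pass header.from=client-corp.example
From: Bob <bob@client-corp.example>
To: alice@abc.com
Subject: Re: quote

Thanks, please proceed.
"""

CLIENT_BROKEN_SPF = """\
Authentication-Results: mx.abc.com; spf=softfail smtp.mailfrom=client-corp.example;
 dkim=none; dmarc=none header.from=client-corp.example
From: Bob <bob@client-corp.example>
To: alice@abc.com
Subject: Re: quote

Sent from the hotel wifi, see attached.
"""

IMPERSONATION = """\
Authentication-Results: mx.abc.com; spf=fail smtp.mailfrom=abc.com;
 dkim=fail header.d=abc.com; dmarc=fail header.from=abc.com
From: IT Support <it.support@abc.com>
To: alice@abc.com
Subject: Password expiry

Reset your password now.
"""


def auth_results(msg) -> dict:
    """Collect mechanism -> verdict from headers stamped by *our* server only.
    Headers carrying another authserv-id could have been written by the sender."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip()
        if not text.startswith(AUTHSERV_ID):
            continue
        for mech, verdict in AUTH_RE.findall(text):
            results[mech.lower()] = verdict.lower()
    return results


def disposition(raw: str) -> str:
    """Return 'deliver', 'flag' (deliver with a warning banner) or 'quarantine'."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    r = auth_results(msg)
    if r.get("dmarc") == "pass":
        return "deliver"
    if from_domain in TRUSTED_SENDERS:
        # A client with misconfigured SPF/DKIM: warn the reader, never lose the mail.
        return "flag"
    if "fail" in (r.get("dmarc"), r.get("spf"), r.get("dkim")):
        return "quarantine"
    # No usable authentication either way: let staff decide, with a banner.
    return "flag"


if __name__ == "__main__":
    for label, sample in [("verified", VERIFIED), ("client, broken SPF", CLIENT_BROKEN_SPF), ("impersonation", IMPERSONATION)]:
        print(label, "->", disposition(sample))
```

One caveat the code encodes: the receiving server must strip any inbound Authentication-Results header that already carries its own authserv-id before adding its own (RFC 8601 requires this), otherwise a sender can simply write "dmarc=pass" into the message and walk past the filter. The allowlist of trusted client domains is what keeps the filter from doing exactly what the paragraph above warns against, silently discarding a real client's mail because their IT set up SPF badly.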
And most importantly, it comes down to you, the decision-maker of your company. We have said this over and over again here at IT BLOCK to our clients: the threats have evolved. Your primary focus is to win clients and serve clients. You have projects to oversee and operations to manage. The more projects you close, the more clients you earn, and all of that is the result of your hard work. Organisations that can afford to purchase leads from agencies will do exactly that, and if your information is compromised, you will start to notice that your leads are no longer closing the way they normally do. That is when you have to rule out the possibility of being the victim of a social engineering attack such as a phishing scam. Many countries still have no laws that give law enforcement the legal right to pursue such cases in full, and many law enforcement agencies are not yet equipped or trained to investigate them. Cybersecurity is a necessary investment; right now it is the last line of defence for your organisation and should never be taken lightly. So let's end this blog with some of the highlight phishing scams of 2018, shall we? (source: https://www.globalsign.com/en-sg/blog/the-worst-phishing-attacks-of-2018/)
Phishing Emails Disguised as General Data Protection Regulation Emails
Free World Cup Tickets Phishing Scam
The collective passion of soccer fans worldwide tempted hackers into making a quick buck. Phishing emails promising free World Cup tickets started circulating in June. The scam went viral so fast that the Federal Trade Commission had to issue an advisory to the public. "The offer may seem promising, but the truth is, scammers are simply phishing for your personal information. Never open files or click on links sent by strangers. And never pay a fee to claim a prize," the FTC wrote in its statement.
Cloud-Based Fake Document Phishing
Cloud technology definitely had a great year in 2018. Various apps and services started harnessing the power of the cloud and, unfortunately, so did hackers. For example, hackers lured victims with fake documents stored in Google Drive, Dropbox and other cloud-sharing platforms. Instead of the promised file, the documents carried malicious payloads ranging from keyloggers to malware scripts. Never open shared cloud documents from an unknown source, and if one arrives unexpectedly from someone you do know, confirm with them through a separate channel before opening it.
Fake News Phishing Scams on Social Media
This list would not be complete without the rise of phishing attacks across social media platforms. Aside from connecting people online, social media has also made phishing a lot easier. Hackers often use fake news and alarming headlines on Facebook, Twitter, Snapchat and other platforms to entice victims into clicking malicious links. And unlike email, on social media it is harder to quickly verify that the person you are talking to is a real person and not a hacker's creation.
Sextortion Email Phishing Scam
Now this one's just awful. Using data from the various breaches that happened in 2018, hackers lure victims into handing over their credentials or money by claiming to have footage of the victim doing something illegal or embarrassing, such as watching adult content. Some hackers even include the victim's partially redacted phone number to make the email look more legitimate. They then blackmail their victims into sending money. Unfortunately, the hackers made over $500,000 with this dirty trick alone, which shows how real this threat has become. #phishing #email #social #information #hackers #security #itblocksg #singapore