Posted On 05 Mar 2018
As noted in Part 1 of this series, employees have access to a variety of IT resources critical to the operation of your business. Computers and other hardware devices, data storage systems, email and mission-critical software and cloud accounts all require security policies that will protect your valuable data and sources of income. Employees who have access to any of those resources are the first line of defense against malware, hackers, and social engineering attacks. As such, your business needs a strong and properly managed IT security policy.
Phishing scams are so named because the bad guy attempts to steal your information by tossing in some bait and hoping to hook an unwary mark. Sometimes comical on the outside, these social engineering attacks are nothing to be laughed at. Millions in cash and data are stolen every year through the simple ploy of appealing to natural fear of authority, trust or greed. Tricks used by scammers are usually very simple; however, thousands of intelligent people fall for them every day.
Much is made of increasingly common data breaches, massive and small, but the most successful scammers do not need information generated from these leaks. The fact of the matter is that simple tactics work just as well to keep them well-supplied with your hard-earned money.
Online scams have increased geometrically in recent years and companies have begun to employ both internal and external consultants to get a handle on the problem to protect their customers. Recent reports indicate that as many as 30 to 50 percent of phishing emails sent are opened by the receiver.
Research by IBM reported in the IBM Threat Intelligence Index 2017 notes the volume of spam emails increased nearly four times in 2016 and the trend continued in 2017. Making these data even more significant is the estimate that more than half of all emails are spam and nearly half of all spam email contains some form of malicious content.
Companies have begun to test their security by testing the weakest links, their employees. One large banking concern found that over 20 percent of their employees opened a phishing email sent out as part of the test. A success rate like that in a huge financial institution is significant and dangerous for everyone.
The Anti Phishing Working Group identified over 120,000 unique phishing websites at the beginning of 2016 and by the end of the year, they reported nearly 100,000 unique phishing email campaigns aimed at their clients. The APWG findings note that nearly 20 percent of those campaigns specifically target the financial sector.
Symantec reports 76 percent of all companies fell victim to phishing campaigns over the course of Q2 2017. This clearly indicates that no business is immune to these scams and every business must take steps to mitigate the risk.
Common Types of Phishing Scams
Deceptive Phishing is the most common form of this type of scam. Bad actors will mimic legitimate companies to convince people to give up personal information. Emails of this type use the power of the company or government name they are impersonating to either gain trust or threaten an individual into giving up identifying data. One can easily recognize the hallmark of this type of attack in the sense of urgency expressed by the scammer: “You must take care of this bill today or we will be forced to initiate legal action.”
Spear Phishing is a more highly-targeted form of the phishing scam. An attacker has procured the target’s personal information, or some piece of it, and uses that information to convince the victim that he is legitimate. Gaining such information is not difficult as we now tend to provide lots of personal information on social media sites which scammers can scrape together and use to lull us into a false sense of security.
In a spear phishing attack, one might receive an email or phone call from an individual claiming to be from ABC Company wishing to speak to Your Name Here. He will then produce information about the victim’s job, phone number and other information he or she would only expect someone with need-to-know access to have. Such knowledge tends to verify the credibility of whatever the attacker tells one. He may suggest that the victim owes a sum of money which is past due on an account or an underpayment of taxes or any number of scenarios designed to convince him or her to read off a credit card number over the phone, reply in the email, click on a link or download an attachment.
Other email phishing attacks include concealing malicious attachments as scanned documents sent from a Xerox or other brand of office copy machine. Many offices neglect to change the settings on their copiers from the default “Sent from a Xerox Scanner” message to something more specific to their company. As a result, it is easy to be fooled by an incoming email with the generic message. An unsuspecting victim clicks on the attachment which may then install a trojan virus on the computer.
Similarly, one might receive what appear to be order confirmations, booking confirmations, newsletters, email delivery failure messages, even email from one’s mother. All must be carefully inspected to verify authenticity. Any suspicion should be treated as reasonable.
CEO Fraud, also known as a “whaling” attack because it is a spear phishing attack aimed at a high-level executive within a company, has been an area of interest for fraudsters in recent years with close to 50% increases in such attacks last year.
Such an attack is a multi-phase endeavor in which the criminal gains access to email or account data through an initial attack on a company executive. He then uses the information and spoofs (fakes) a directive from the executive’s email account to transfer funds from company accounts to those of the attacker.
Another kind of whaling attack involves spoofing an email account from a company’s client with a fake invoice. Many large, and even small, company executives are often too busy or distracted to carefully peruse every document. He or she may forward the bill for payment without verifying its authenticity. Alternatively, the invoice attachment may be yet another disguised malware waiting to be opened and activated.
A whaling attack found to occur around tax season involves an employee receiving an email appearing to be from the HR department requesting an updated W-2 statement. The schemer gathers social security numbers and identifying information to use in further fraud schemes against the employee.
Pharming scams are forms of attack in which an attacker will target, instead of an individual, a DNS server. Domain name servers (DNS) are used to store databases that convert the alphabetical website name, i.e. www.google.com, to and from the numerical address the internet uses, i.e. 220.127.116.11.
In a pharming scam, a hacker will poison a DNS server to convert an alpha address to the false numerical address of their own server. A victim is forwarded to a fake server without realizing it and duped unless inconsistencies are noted.
Dropbox, Google Docs, and other SaaS (Software as a Service) Apps phishing scams take advantage of the usefulness and convenience of these platforms to millions of individuals and businesses around the globe. A recent scam using Dropbox attempted to lure victims to log in to a false Dropbox login page that was ironically hosted right in a Dropbox account.
Dropbox and an increasing number of accounts which host sensitive or personal information offer two-step verification. 2SV requires a user to first enter a username and password and then enter a second verification such as a code sent to the user’s email or cell phone. 2SV ensures that only someone with access to the password AND the secondary device may access the account, providing a double layer of protection.
Vishing takes advantage of the gaining popularity of Voice over IP (VoIP) technologies. Scammers use VoIP lines to go back to the old-fashioned method of just calling victims on the phone to phish for information.
Bad actors can set up a VoIP server to fake a call from anywhere and anyone they wish. Therefore, the victim feels secure because the caller ID information looks correct. The scammer then impersonates whomever he wishes to propagate his scam.
SMiShing is the name given to any attack broadcast through SMS or texting. Any of the previously mentioned types of scam can be completed through a text, email or phone call. Some are more effective through one or more routes, but one must be aware that swindlers will use any method that works. If one vector does not, they will simply try another until they get a hit.
Avoiding Scams in the Workplace
DO NOT click on a link in an email unless you are 100% sure that it is real, such as a link in a newsletter to which you intentionally subscribed and receive regularly. Hover your pointer over the link and make sure the link that pops up is the same as the one suggested by the wording of the link. Avoid clicking the link if it is different from the text or if it uses a link shortener such as bit.ly or goo.gl.
DO remember that government agencies and most large businesses will not initiate contact with you in ways that would trigger suspicion such as adding attachments, making demands, or requesting phone calls. They are aware of the scams out there and do what they can to avoid making them easier to proliferate.
DO NOT open an attachment unless you asked someone to send it to you or verify that the person intentionally sent you an attachment. Malware is capable of adding attachments to legitimate email as it is being sent.
DO consider amending your company financial policies to prevent authorization of financial transactions via email.
DO take the time to open a browser and log into your bank or other financial institution if you get an email from them instead of clicking a link to log in. That way you’ll know it is really your bank. Most banks have an internal messaging system which will place any urgent messages for you within your account page.
DO recognize that any scam will indicate a strong sense of urgency that you to take some action immediately to prevent an event you should recognize as unconstitutional or illegal, such as an arrest or property seizure without the proper legal procedure.
DO remember that a scammer seeks information you would not typically give via insecure channels or to unvetted individuals. Scammers must make you believe they are someone in authority with a valid reason for collecting this information. People in such positions of authority know when and where it is appropriate to collect such information.
DO always be suspicious. Phishing emails often look very real and appear very frightening. The tactic is to make a victim click without stopping to think first, so never click without thinking first.
DO ask yourself questions when you receive any kind of communication. Have you ever heard of this company? Did you send an email to this address? Are you behind on your taxes? Is this your bank or credit card company? Did you ask for this information?
DO use a good anti-virus software and spam filter to prevent most spam from ever entering your mailbox in the first place.
DO check the email header details, even when it comes from someone you know. Spoofing the display portion of an email address is very easy but spoofing the actual return address is not.
DO note whether a communication contains significant misspelling and/or poor grammar. This is often a clear red flag that one is dealing with a scam.
DO know that any claim that you have money coming to you from anyone outside of your home country is almost 100 percent guaranteed to be fraudulent. Too good to be true is just that.
DO NOT believe anyone claiming to have found viruses on your computer. Other than the virus checker you have installed on your computer, no one, not even Microsoft, can determine that your computer is infected with a virus. Your virus checker will inform you if a one is found, but no one from the company will call or email you to let you know. If someone claims to be capable of doing this, they are scamming you
DO NOT take any action of any kind that provides any information or takes you to an alternate website as a result of a “popup.” Popups may be safe but they may also be the result of a virus infection on your computer or a website you are visiting. Clicking the popup is likely to have negative effects.
The weakest link in any area of security risk is the human factor. When dealing with these types of scams, the only risk is the human one because they rely on people giving up information voluntarily and without suspicion.
Therefore, it is critical that businesses present clear company policies which express how employees will respond to all communications which present a risk to private, personal, or sensitive information. Additionally, training should discourage users from publishing sensitive personal or corporate information on social media and elsewhere. Proper training must be implemented to teach employees to recognize these scams and avoid them.
Unfortunately, the human factor is too frequently contravened even with strong training and policy measures in place. Companies should further ensure against fraud with strong security technology which goes beyond the standard desktop virus checker, though these are still valuable assistants in the war against malware. Companies should also invest in solutions which can analyze incoming and outgoing emails for malicious links and email attachments.
What to Do if You Are Scammed
It happens. A scammer gets the best of you or someone you know. The response needs to be as quick as possible to mitigate the damage. One should assume the scam has definitely resulted in identity theft and the response should take such a worst-case scenario into effect.
First, shut down the computer. Turn it all the way off and make sure it is no longer running or connected to the internet or any other computers on the local network. This is to attempt to prevent any virus from escaping onto the company network and will halt damage taking place from a running ransomware package. If this is a work computer, contact your IT team immediately and let them handle the cleanup of the computer itself. Make sure they are aware of any details you can provide. If it is a personal computer, contact a reputable service to help.
Next, you need to get online using a different computer and begin changing all of your passwords, beginning with your financial accounts. Next, take care of email accounts, file storage accounts, social media accounts and down the line to the least sensitive. Change security questions and add two-factor authorization to any accounts where these are available.
If you find that you are no longer able to login to any of your accounts, immediately contact the company and report an account hijacking. Any time you wait to act is time the attacker is doing damage to your account.
Call the major credit reporting agencies and put a fraud alert on your credit account as a potential victim of identity theft. While this is not likely to stop an identity thief from making use of your stolen information, it will make the cleanup of damage much easier later. Plan to monitor your credit closely for the next few years to make sure no unusual events occur. Quick responses to such events will mean the difference between a fix and a loss.
If you gave out your debit or credit card information, call your bank and report that card as stolen and monitor the account carefully to make sure the charges do not go through. If a bank account number was given to the attacker, immediately close the account and open a new one. Be sure to remove all funds from compromised accounts.
How to Report Suspicious Emails
If you have a good spam filter, you are not likely to see the most common phishing emails, but sometimes one will make it into your inbox. Such an email is particularly dangerous because it has defied the spam filter. If you receive one of these, you may wish to help the community at large by reporting it to an authority which may prevent its spread to other unsuspecting victims.
In the United States, you may report suspicious emails to one or all of the following by simply forwarding the email including the full email header, which includes the display names and email addresses of both the sender and recipient, the date, and the subject:
FTC at email@example.com
Anti-Phishing Working Group at firstname.lastname@example.org
US Computer Emergency Readiness Team (US CERT) at email@example.com
The primary takeaway from this article is not to react over-hastily to any communication which you have not verified by secondary means. Companies are either aware of the need to use secure means to access your personal information or should be. Either way, it is inappropriate for them to use email or the phone to secure such information. So always be wary. You are the last line of defense in protecting your personal information and that of your company and its employees. When in doubt, check it out.