It seems that every day another company is hit with a new phishing scam, PayPal and Dropbox being two of the more notable recent victims. Because it is all over the news, we assume that we know exactly what phishing is; but do we really?
What it is & How it works
Phishing is a scam in which cyber-criminals, sometimes referred to as ‘phishers’, impersonate seemingly trustworthy sources and send electronic communications to those sources’ contacts (usually customers) for one of two purposes: (a) to steal credentials and personally identifiable information (PII) from employees and clients, or (b) to infect the computer or company system with malware. They do this through a systematic process that includes planning, setup, attack, and collection.
- Planning. First, phishers decide which businesses to target and how to obtain a list of email addresses. They usually do this either by harvesting information from the social media accounts of finance and HR employees on networks such as LinkedIn, or by guessing employee email addresses, which they then use to infiltrate the company. It is easy for hackers to guess some employee emails if the company uses the standard format of ‘email@example.com.’ While this is easy for employees to remember, it is also easy for phishers to guess.
- Setup. Once they have chosen their target businesses, phishers decide on a delivery method for the scam. Most of the time this is email; however, the PayPal phishing scam is an example of one that uses social media to trick customers. Two fraudulent Twitter accounts were made to look like legitimate customer service accounts carrying an urgent message for users of the site. Targets were lured into entering their PayPal credentials into a seemingly legitimate, but fake, pop-up page. This gives the cyber-criminals what they need to steal PII from the users and to transfer funds out of their PayPal accounts straight into the scammers’ pockets.
- Attack. This is the stage most people think of when they picture a phishing attack: the phishing message is actually sent out via whichever channel the scammer chose earlier, again appearing to come from a reputable source.
- Collection or Infection. Not everyone will click on the phishing message; however, 39% of employees click on emails that they originally believed to be suspicious. Those who take the bait, either by clicking a link in an email or by entering their information into a pop-up, unfortunately have that information recorded by the phishers, who can then use it for their own gain. Collecting information is the goal of one type of phishing scam, but as mentioned above, some phishing scams aim instead to infect the computers or systems of the affected individuals. Ransomware, one of 2016’s hottest cyber-threats, is a very popular malware to bundle into a phishing scam, and is now included in 93% of the phishing emails sent out.
Before any company can protect against a phishing scam, it must first be able to identify one. Here are a few telltale signs that can help you tell a phishing email from a legitimate one (note that these are also covered in a previous Axiom blog article on phishing, Gone Phishing: Who’s really on the other end of the line?).
- Links. The best way for a hacker to access your information is to make you come to him. Many links in suspicious emails can be checked by hovering your mouse over them to reveal the real destination; if a link leads to an .exe file, for example, do not click on it, as such files have been the source of malicious software in other cyber-crime incidents.
- Threats. A threat in an email, such as forcibly closing an account or fining you if you do not act instantly, is usually an indicator of phishing. This can come in the form of both email and phone solicitation, and threats are easily identifiable by the demand for immediate action or else facing the hacker’s consequences.
- Posing as a popular company. Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate message from an accredited company. One indicator of phishing is when the hacker writes the company name in a way that differs slightly from the real one (e.g., Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and receive one that looks different than usual, that is a sign it may be a phishing scam.
- Spelling and grammatical errors. If there are clear spelling or grammatical errors throughout the email, it obviously was not carefully reviewed by a member of an authentic company and is likely phishing. This also applies when key parts of an email, such as the subject line or a signature, are missing or strangely worded.
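The signs above can be checked mechanically as well as by eye. The following Python script is an added example (not part of the original article) that scans a constructed sample message for an executable link, a link whose visible URL differs from its real destination, threat or urgency wording, and a sender domain that imitates a known brand; the brand-to-domain table, the threat word list and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message that shows several of the signs listed above.
SAMPLE_EMAIL = {
    "from": "support@twitter-co.example",
    "subject": "URGENT: your account will be suspended",
    "body": '<p>Twitter Co. has detected unusual activity. Verify within 24 hours '
            'or your account will be terminated.</p>'
            '<a href="http://twitter-co.example/verify.exe">https://twitter.com/settings</a>',
}

# Wording that demands immediate action (assumed list for the example).
THREAT_WORDS = ("suspended", "terminated", "fined", "within 24 hours", "urgent")
# Brand name -> domain the legitimate company mails from (assumed values for the example).
KNOWN_BRANDS = {"twitter": "twitter.com", "paypal": "paypal.com", "dropbox": "dropbox.com"}
# Captures (href, visible text) for each anchor: what a hover reveals vs. what the reader sees.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(msg):
    """Return the telltale signs found in a message dict with from, subject and body."""
    findings = []
    for href, text in ANCHOR_RE.findall(msg["body"]):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append("link downloads an executable: " + href)
        if text.startswith("http") and host(text) != host(href):
            findings.append("link text shows %s but points to %s" % (host(text), host(href)))
    lowered = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in lowered for w in THREAT_WORDS):
        findings.append("threat or urgency language demanding immediate action")
    sender = msg["from"].rsplit("@", 1)[-1].lower()
    for brand, domain in KNOWN_BRANDS.items():
        if brand in sender and sender != domain and not sender.endswith("." + domain):
            findings.append("sender domain %s imitates %s" % (sender, domain))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

A real mail filter would add sender authentication results and a proper HTML parser; the point here is that each sign in the list maps to a concrete check.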
How your company can combat phishing: employee education
Now that we know how to identify a phishing scam, it is important to take the proper steps in protecting businesses everywhere from this type of threat. Companies are the primary targets of phishing attacks, and consequently, they need to amp up their cybersecurity defenses in preparation for combating phishing threats. While employees are some of a company’s greatest assets, they are also the greatest threat to its cyber-defenses. This is why employee education is the most important defense against phishing.
- Educate employees. Informing your employees of the indicators listed above will help them identify a phishing threat.
- Take care to assess emails. Encourage your employees to take the time to assess an email before clicking on it or any embedded links it may include. Michele Fincher of Social Engineer, Inc. says, “Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety).”
- Utilize checks and balances. Checks and balances can help prevent what is known as spear phishing, where hackers pretend to be executives emailing upper-level employees in order to gain access to valuable information such as financial numbers, wire transfers, and employee information. Requiring multiple people to sign off on a request makes it likely that one of them will catch the scam.
- When in doubt, ask. Let your employees know that if they are questioning an email, they should ask someone else before clicking on it. It is better to be safe than sorry, and most of the time, if they are questioning it, it is likely a fraudulent email.
If you believe an electronic communication to be malicious or suspicious, do not open it; delete it and report the incident to your IT department. If you run a small business that has no IT department, or you think cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.
Hailey R. Carlson | Axiom Cyber Solutions | 9/9/2016