Categories
Technology

Phishing Attacks In The Real World


When was the last time you almost lost $23,000 to a phishing email? This nearly happened to one of our clients this week. Fortunately, this phishing attempt was spotted before the funds were transferred. Still, there are a few good lessons to take away from this story, and we want to share them so you can protect your company from these sorts of attacks.

“Bob’s Company” received an email at Accounting@Bobscompany.com. The email was from Bob@Bobsscompany.com.

The email read:

“Good Morning,

Please pay the attached invoice in the amount of $23,000.

Thank you,

Bob”

For the accounting manager, this was business as usual. The boss regularly sends requests to the accounting department to have bills paid. At a glance, there is nothing wrong with the email, but in this instance the tone of the email was unusual, which prompted further investigation.

This phishing attempt was sophisticated enough that the scam artist even took the time to forge a signature on the attached invoice that matched Bob’s signature. Fortunately, the accounting manager double-checked with the boss before processing the transaction. What’s scary is just how close the accounting manager came to processing the payment, which is a mistake any one of us could make. If they weren’t paying attention or were just in a hurry, anything could have happened.

What’s important to take away is just how predictable we are. Most companies operate the same way with similar departmental and communication structures. If this wasn’t true then social engineering scams wouldn’t work. This was a close call for just one company and it isn’t hard to believe that whoever sent this email has sent thousands of them and likely got paid on a handful.

These types of attacks are becoming more prevalent than any other because they are cheap, easy and work on businesses of all sizes. “Bob’s Company” is a small business, not the behemoth company you would assume a hacker would go after. Small businesses are easy targets from a hacker’s perspective because many of them do not invest in security and user training the way large companies do.

Some actionable steps you can take to avoid falling victim to this type of attack are:

  1. Avoid using departmental emails like Accounting, Payroll or HR. These addresses let the hacker know that they are sending the phishing email to the right person, making it more likely that the email will have the hacker’s desired effect.
  2. Use regularly changing keywords when sending requests for a transfer of funds. Change this keyword every month and instruct your staff never to transfer funds without the keyword in the email. This is a really low tech solution but it works. These attacks are intended to trip you up when you aren’t paying attention. The majority of attacks never involve someone spying on your network and learning your passwords and company secrets. Simple though it may be, this is an effective form of two-factor authentication.
  3. Use free spoof phishing tools like KnowBe4 to test your employees to see who is likely to click on phishing emails. Invest in those employees by training them on what to watch out for.

We are living in an ever-developing world where cybercrime is global, the barrier to entry is low and we humans are the weak link in the chain. Since cybercrime has such low risk and high reward these scams will become more frequent and sophisticated. Businesses will have to adapt to these changes and develop strategies to protect their resources. It is important to consult with your IT partner to learn how you can train your employees and set up security measures that will prevent this coming wave of cybercrime.


Phishing For Passwords

There has been a recent increase in phishing attempts across the US and it is concerning for many reasons. It is important to be aware of these issues and how these phishing attempts work so that you can protect yourself and your company. The unfortunate truth is that there is only so much you can do to block phishing emails from landing in your inbox in the first place. The only surefire way to prevent phishing attempts from becoming a problem is by training your users to keep a keen eye.

[Image: example of a phishing email]

A phishing attack like the one shown above is an attempt to get you to give away some important information, usually the credentials to an email account. In the past, phishing attempts were highly generic, like the “Nigerian Prince” scam that most discerning individuals would recognize as malicious. Now that most people have become aware of the nature of phishing attempts, the scammers are having to become more sophisticated.

This means that phishing attempts will become increasingly difficult to distinguish from legitimate emails. As more and more emails are being hosted in the cloud through services like Gmail and Office 365, scammers have found a particularly effective way to trick people. These services will periodically ask you to verify your credentials or even change your password every 90 days. These routines can be hijacked to make you think that you are giving your information to your provider when really you are giving it to a scammer.

By looking at your publicly available DNS records, scammers can tell what email platform you are using. It is easy to set up a web page and design it to look exactly like the login page of any hosted email provider. Scammers will use this information to send you highly targeted emails asking you to verify your credentials for “security” reasons. Seeing that the email appears to be from a trusted source, and the link in the email supposedly leads to your hosted email provider, you are likely to enter your password giving the scammer access to all of your information.

In order to help you avoid these pitfalls, we have a few simple steps to follow that will help keep you safe.

  1. Are you expecting the email? Maybe you are logging in from a new computer and the email host doesn’t recognize or trust your device. This is a good reason to expect an email with a link. If there is no reason to expect an email, then receiving one should be a red flag.
  2. Inspect the email. Start by looking at the sender. Do you know them? Don’t just look at the display name; carefully inspect the email address that the email is coming from. Is the domain spelled correctly? If not, this is likely a scam. Does the email use scary words like “Urgent” or “Emergency”? This should be a red flag as well. Also, be sure to check the addresses behind any external links; if they lead to an obscure website, this is likely a scam.
  3. Don’t use links. If you have reason to think that this email is legitimate, take one last security precaution and don’t use the link provided. If you need to verify your credentials then you will be prompted to do so the next time you log into your email account. Do a web search for the login page of your hosted email provider and log into your account from there. If you are not prompted to verify your login then you will know that the email you received is a scam. If it is a link from a known sender, you could also give them a call to verify that the link is from them.

Following these steps will allow you to filter out most phishing attempts that make it to your inbox no matter how sophisticated they become. These attacks rely on you making decisions while not fully paying attention, but they will never be able to fully copy the email provider they are trying to spoof. This means that if the email is not legitimate, then you will likely be able to point that out with a few seconds of careful inspection.

As always, be sure to work closely with your IT professional to ensure that you have a security plan in place. Phishing attempts can lead to data loss, security breaches and even significant lost revenue. It is always better to be preventative about these issues than having to deal with the aftermath.


Scam Email and Phishing Attempts

As an IT support company, we are always telling our friends and clients to be cautious about what they click on and whom they give personal information to. Most people know to avoid giving money to a Nigerian prince, but scams and phishing attempts are becoming more advanced every day. Many scam emails disguise themselves as people or companies we already know and trust. You must always be diligent to avoid falling for the latest tricks. Today, we came across a good example within our own company that illustrates why being cautious is so important.

Even IT Companies Get “Phishy” Emails!

[Image: screenshot of the phishing email sent to Sara]

What is wrong with this picture? First of all, Sara was not expecting to make any immediate transfers. Secondly, there is no reference to what is being purchased or the reason for a transfer of funds.

Once your alarm bells begin to go off, you will start to notice additional red flags. For example, what is wrong with williampote@etoptechnollogy.com? Notice that our real domain, etoptechnology.com, has only one “L”, as seen in Sara’s email address. If you examine William’s email address, however, you can see that it uses the wrong domain. If you did not closely examine the sender’s email address, this detail could easily be missed.

In addition to the wrong domain name, there is another tip-off that this email is a scam. The sender signed the email with the nickname “Bill,” but William does not go by Bill.

Had Sara missed these red flags and fallen for the phishing email, she may have replied to confirm that she is ready to make a transfer. She would likely have received a reply email with a link to a wire transfer site that would take her money, never to be seen again. Although this seems like a crude method to steal money, it has led to businesses losing millions in a single transaction.

What Can I Do?

No matter how good your firewalls, antivirus, and other security measures are, there will always be threats like these that slip through. Though the potential for phishing may be intimidating, you can generally protect yourself by following these tips:

1. Keep your guard up and be cautious.

2. If you receive an email or any correspondence that you were not expecting, especially relating to requests for money or personal information, verify with the sender through an alternate source like a phone call. Wherever possible, attempt to find the sender’s contact information through Google or some other means, rather than contacting them through the information they supplied.

3. Always closely examine the domain in your senders’ emails and any subsequent websites you get directed to.

4. If you think you have received a phishing attempt, or you already fell for one and think your email or network has been breached, contact your IT provider immediately. Better to be safe than sorry!
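The lookalike domains in these posts (Bobsscompany.com for Bobscompany.com, etoptechnollogy.com for etoptechnology.com) are exactly the kind of near-miss a simple automated check can catch before a person has to. The following is an added example, not code from the original posts or from the company: it parses a From: header, ignores the display name, and flags any sender domain that is within a couple of edits of a trusted domain. The trusted-domain list and the sample headers are constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example, not from the original posts. TRUSTED_DOMAINS and the sample
From: headers are constructed for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"bobscompany.com", "etoptechnology.com"}

# Cheap homoglyph normalisation applied before measuring distance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain: str) -> str:
    """Lower-case, map digit look-alikes to letters and collapse 'rn' to 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def sender_domain(header: str) -> str:
    """Extract the domain from a From: header value, ignoring the display name."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    domain = sender_domain(header)
    if not domain:
        return "external"
    if domain in trusted:
        return "trusted"
    # Not an exact match: is it suspiciously close to a domain we trust?
    if any(levenshtein(fold(domain), fold(good)) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, including the two seen in the posts above.
    for hdr in ["Bob <Bob@Bobsscompany.com>", "Bob <Bob@Bobscompany.com>",
                "William Pote <williampote@etoptechnollogy.com>",
                "Vendor <billing@some-other-vendor.example>"]:
        print(f"{classify_sender(hdr):10s} {hdr}")
```

A "lookalike" verdict is a reason to pick up the phone, as the posts advise, not proof of fraud on its own; genuinely unrelated domains that happen to be close in spelling will also trip it.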