In 2020, over 90% of organizations were hit by a mobile malware attack. You might see the word "phishing" and not understand what it means or how it can harm you, but I am certain you've experienced it before. RSA's Fraud Quarterly report states that virtually 70 percent of fraud phishing attacks are targeted at Canadians. Scary for Canadian enterprises, right? In this blog, we review what phishing is and how to catch it before it takes over your enterprise.
Phishing is an intelligent and subtle attempt to gather personal and corporate information by using deceptive e-mails or alarming alerts that are meant to grab the user's attention.
The objective of a phishing attack is to make the user believe that the message is something compelling they want to hear or see. This is why so many users have unknowingly become targets of phishing attacks. The message consists of urgent hyperlinks and appealing words designed to hook the user into a supposed "issue" that needs to be addressed.
Hackers are known to spread phishing emails because of their relatively low cost and effective outcome. Sending an email is virtually free, and the technology behind it is usually just a form that saves your personal information. If a phishing email is sent to 1000 people and 5% of them fill out the form, that is an effective return for the attacker.
One common phishing email is where the receiver is made aware that their account was accessed by an unknown third party or even hacked. When this occurs, an alarming pop-up on the computer screen or a message on a smartphone will appear. It contains a link or button that claims it will help reset your account credentials (password). This is completely FALSE. This tries to instil fear to make the potential victim react quickly and with urgency.
The most common buttons that can appear are the following: "Restore Now", "Download", "Click Here", "Unlock Here", "Continue", "Cancel", "Pay Now", "Update Password" or "Redeem Here". All of these seem appealing to click, especially when making an impulsive decision. When an IT department is aware of and ready for these dangerous URLs and buttons, they will know not to click on any hyperlink or button that promises to "save" them.
To protect your employees, they need to be aware that this type of email and text exists. Should they ever encounter a similar email, they need to alert their IT department immediately. Download this free one-page summary of these phishing attacks to send to your employees.
Password Reset Phishing Attack
While enterprises use password resets for security reasons, it is important for employees to be cautious of the password reset scams out there. 7 out of 10 times people get their passwords hacked due to fraudulent password reset emails. One way to identify a password reset scam is to look at the email headers, which give away the sender's information. Most times the attackers send more than one email, and each email will have different headers, logos and sender information. They do this to circumvent spam filters; unfortunately, it works. Also, if the user has not asked the sender for a password reset, they should not receive one. Any hacker can "claim" to be Microsoft, Netflix or Apple, but the sender's URL says it all. Here is an example of an unusual sender URL: firstname.lastname@example.org.
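The header and link checks described above (brand named in the sender but a different address domain, reply routed elsewhere, a "Restore Now"-style button or a displayed URL pointing somewhere else), as an added example that is not part of the original post. The sample message, the BRAND_DOMAINS table and the helpdesk-style checks are assumptions for illustration only:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the reset lures impersonate and the domain each really mails from (assumed).
BRAND_DOMAINS = {"microsoft": "microsoft.com", "netflix": "netflix.com", "apple": "apple.com"}
# Button labels the post lists as typical lures.
LURE_BUTTONS = {"restore now", "download", "click here", "unlock here", "continue",
                "cancel", "pay now", "update password", "redeem here"}
# Simple matcher for <a href="...">text</a>; enough for the constructed sample below.
LINK_RE = re.compile(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
# Constructed sample lure (not a real message); all domains are reserved examples.
RAW_MAIL = """\
From: "Microsoft Account Team" <security-alert@example.invalid>
Reply-To: helpdesk@mail-reset.example
To: employee@corp.example
Subject: Unusual sign-in activity - reset your password now
Content-Type: text/html

<html><body><p>Your account was accessed by an unknown third party.</p>
<a href="http://reset.example.invalid/login">https://account.microsoft.com/reset</a>
<a href="http://reset.example.invalid/go">Restore Now</a></body></html>
"""

def domain(addr):
    """Lower-cased part after the '@' of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the mismatches a helpdesk would flag before anyone clicks 'reset'."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    from_dom = domain(addr)
    for brand, real in BRAND_DOMAINS.items():  # brand in the name, address elsewhere
        if brand in name.lower() and from_dom != real:
            findings.append(f"from-name claims {brand} but address domain is {from_dom}")
    reply_dom = domain(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_dom and reply_dom != from_dom:  # replies routed to yet another domain
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    for href, text in LINK_RE.findall(msg.get_content()):
        host, text = urlparse(href).hostname or "", text.strip()
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and shown != host:  # the visible URL is not where the link goes
            findings.append(f"link text shows {shown} but goes to {host}")
        elif text.lower() in LURE_BUTTONS and host not in BRAND_DOMAINS.values():
            findings.append(f"lure button '{text}' points to {host}")
    return findings
```

Running `check_message(RAW_MAIL)` returns four findings for the sample, while a message whose sender and links both sit on the brand's real domain returns none.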
As all enterprises know, there are monthly or yearly password resets for everyone in the company that are done for real security reasons and are not scams. Sending a password reset email or announcement to all employees ensures that everyone knows what to expect. This way there is no confusion, and all users are on the same page with no doubts about scams or hacking.
Believe it or not, there are also phishing cases of fake charity donation requests. If a request is not coming from the official charity website address or URL, it is crucial to never provide the company's information. Enterprises need to protect their credentials and data from these scams and fraudulent addresses that are trying to capture companies' credentials and money. Moreover, these hackers are aware that corporations are trying to help their communities and sick individuals by providing funds and donations, which encourages them to target all enterprises. Fraudsters claim to be from a legitimate organization that can provide information to assist local charities, such as a list of vulnerable people in the local area who may require support.
Ensuring that all employees and the IT department know to cross-check the sender's credentials against a valid database, to verify that they are legitimate, is key to fewer successful attacks. It is also important to educate users not to make any agreements with unknown individuals or organizations overseas that demand upfront payments in this format; it is not genuine. According to the Wise Giving Alliance, at least 65% of donations should go directly to the people or cause they are serving.
As you know, technology is constantly evolving, and hackers are becoming more sophisticated in their ways of stealing an enterprise's valuable information. Emails are not the only way they are doing this. Hackers are also targeting users via text message. This is called smishing. Texts are read 98% of the time and responded to 45% of the time. We see texts (SMS messages) as something more personal than emails, which is why hackers use this method. An example of this is a message that seems to be from a bank. The cyber criminal will send you text messages claiming to be from your bank, "warning" you about a large transfer or a new payee added. They then give you a number to call or a link to click on. Once you respond, they will lock you out of your account and have unauthorized access to it.
Employees and end users need to be on the lookout for bank smishing because it could result in them divulging confidential information.
It is crucial for employees to be watchful, because we are less watchful of spam on our phones. Some don't even think it's possible. Remind your employees and IT department that large corporations and companies will not communicate with or try to reach the enterprise through text. IT professionals should look up the company's address and verify the corporate phone number. Overall, having updated and proper security software is essential for controlling attacks like these. Ensure proper and safe security software by checking out our services here.
No one can stop hackers from trying to attack enterprises. But there is a way to prevent them from taking over your enterprise. Assurance IT encourages companies to educate all IT departments and end users about the phishing attacks that can appear in your enterprise. It is key to teach your end users how to look out for it, prevent it and stop it.
Overall, security awareness training can lower the risk of cyberattacks by more than 14%. Be sure to download this free PDF summary cheat sheet of these phishing attacks to send to your employees. For more information on training your employees, contact us here.