Beware! That email from your bank, credit card, or social security can be a door to nasty malware, system hijacking, or a data breach.
Fraudulent emails are “phishing,” luring you into clicking a link in the email or opening an attachment. Phishing emails are a form of the manipulative process known as “social engineering,” and you have to pay attention to see through these deceitful messages!
Examine The Details
For instance, if you look at the From line in your email client or webmail, you may see a strange email address, or one that merely looks similar to your bank’s or merchant’s domain name, e.g., [email protected]
Carefully read all the characters in that email address.
You may also notice that there are misspellings in the text of the email or imperfect or unprofessional design (though crooks are getting better at the quality of phishing emails). In fact, even email to/from lines can be “spoofed” (faked).
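As an added example (not part of the original post), here is a small Python check that applies the advice above: it parses the From line, then flags a sender domain that is a near miss of, or buries, a domain you trust, or a display name that claims a brand the address does not belong to. The trusted domain list and the sample headers are constructed for illustration.

```python
# Added example: flag suspicious From lines by comparing the sender domain
# against domains you actually trust. TRUSTED_DOMAINS is a constructed list.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com", "examplecard.com"}  # constructed list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header: str) -> list:
    """Return the reasons a From line looks suspicious (empty list = no flags)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address"]
    domain = addr.rsplit("@", 1)[-1].lower()
    # Exact trusted domain or a real subdomain of it: nothing to flag.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if trusted in domain:
            # examplebank.com.verify-login.net: the real name buried in another domain
            findings.append(f"trusted domain '{trusted}' embedded in '{domain}'")
        elif 0 < edit_distance(domain, trusted) <= 2:
            # examp1ebank.com or examplebank.co: a character or two from the real one
            findings.append(f"'{domain}' is a lookalike of '{trusted}'")
        if brand in display.lower().replace(" ", ""):
            # Display name claims the brand, but the address belongs elsewhere.
            findings.append(
                f"display name '{display}' claims '{brand}' but address is '{addr}'"
            )
    return findings
```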
If you get a message from your financial or governmental institutions, either directly enter the website address into your browser address bar or call the institution directly.
And if you see an enticing email subject line, beware of it being a phishing expedition, too.
Never send personally identifiable information (PII) or intellectual property (IP) via email, and report suspicious activity to IT.
Think before you click.
Do not click on links in the email, do not open an attachment, do not pass go. If you open an email and you see text talking about the need for you to sign in to your account and a link to do that, DO NOT CLICK and DO NOT OPEN ATTACHMENTS!
I’m sorry to yell, but I can’t emphasize it enough. You could open a world of pain.
Do A Lot Of Other People Get These Emails? Where Do They Come From?
From 2017 to 2020, phishing attacks increased from 72% to 86% among businesses (Wikipedia).
Today, ninety-one percent of cyberattacks are a result of phishing emails (KnowBe4) and businesses lose $17,700 every minute to phishing attacks (CSO Online).
The senders are scammers and hackers.
The first are not skilled computer criminals, but could have purchased email lists from the dark web and mass mailed unsuspecting recipients. They send malicious attachments or links to malware or bogus sites.
They may also command “botnets,” networks of “zombie” computers that perform automated attack functions.
The second are looking for an even bigger payday.
These computer crooks are more sophisticated and can have what is called “command-and-control” systems to actively handle the “exploit” (an attack that takes advantage of a vulnerability) they have deployed to the compromised systems.
Deploying A Ransom Note
Ransomware is one such managed attack. When an attachment is downloaded or a link to a malicious site is clicked, ransomware is installed.
The crooks continue their infiltration of the business network by hiding out until they encrypt the files and then hold them for ransom. Sometimes, after the victim has paid the ransom, they decrypt the files; other times they give back only some data–or none at all.
The FBI recommends not paying the ransom.
This is because the crooks are not reliable in what they say and may come back, re-encrypt the files, and demand the ransom again. It’s not unheard of for the crooks to come back three times.
Alternatively, the crooks will threaten to release (“dox”) the data if not paid.
BEC, It’s Not Your Email Anymore
Business email compromise (BEC) can also result from emails that mimic emails from your vendors, government institutions, or even from what appear to be the email addresses of one of your employees or your own company.
C-suite executives can be fooled by fake emails into sending funds to the crooks. Of course, the holy grail for the attackers would be the email account of such an executive.
Phishing Statistics: Growing And Growing
– Phishing emails are sent out by the thousands and more than 70% are opened by the targets.
– Small-to-medium-sized businesses and organizations lose on average more than $1.6 million recovering from a phishing attack.
– Cybercriminals create phishing emails that mimic various companies, with Apple being the most imitated of any company. (DataProt)
Various Subsets Of Phishing
Spearphishing – The crooks do their homework and target a certain person at a company to get them to click or install malware. They can research the target (passive reconnaissance) or actively reside on the target’s system to gather more information.
Other times this leads to business email compromise.
Whaling – Like spearphishing, this targets certain users at a company, only this is phishing for the C-suite employees.
Vishing – Phishing doesn’t only happen over computers and mobile devices. “Voice phishing” or “vishing” happens over the phone.
After research and reconnaissance, the crooks call a user (probably having acquired phone lists from the business network) to manipulate him or her into doing something the crooks want, leading to a financial hack.
Smishing – SMS (text) phishing is called “smishing,” which involves tricking a target into clicking a link or calling a number from a text message.
The point of mentioning all these different methods of phishing is to show how social engineering can be a detailed and ongoing practice by the bad guys.
They have all the free time that you don’t have. They can hide until they see a weakness or learn where and how to strike.
Think of your organization and how it exists to be a benefit to support others while also striving to make a profit.
They too are investigating, researching and supporting the larger organized threat actors and working toward their own profit–only it’s at the expense of potentially putting you out of business.
Conclusion: Cybersecurity Is A Tough Business
Threats are growing and changing every day and attacks can happen right under your nose.
Don’t be one of the 51% of SMBs or organizations that do not have a cybersecurity incident response plan (DataProt).
Write down the plans, policies and procedures, educate your employees, and get cybersecurity experts who can help you as they’ve helped other small-to-medium-sized businesses and organizations.
Fight for your security.
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.