Protecting Your Business Against Phishing
Cybercrime against businesses has been on the rise. 82% of all breaches involved a human element, such as social attacks, misuse, and errors. Phishing is one such human element, and it accounts for a significant number of breaches. Phishing is when a cybercriminal uses text, phone, or email, posing as a legitimate contact or business, to fraudulently obtain credentials or information. The goal of phishing is to capture login credentials, steal banking data, and get users to click on links that will launch malware, viruses, or ransomware.
Types of Phishing Techniques
There are multiple ways hackers use phishing to trick users into clicking their links or giving access to data.
· Smishing and Vishing – using text messages or phone calls to imitate a legitimate company
· Clone Phishing – using emails that are almost identical to a real one, with the real links replaced by links to malware/viruses that are masked to still look like valid links
· Spear Phishing – a targeted attack on a specific user, with the hacker using information found online or through the target's social media accounts
· Spam/Email – mass emails are sent out, usually impersonating valid companies, asking users to verify accounts or login details, which are then stolen. Email is often how hackers send viruses, malware, and ransomware to users
· Content Injection – hackers who have gained control of a legitimate website change part of it so that information entered there goes to the hacker, not the actual business
· Search Engine Phishing – hackers create fake sites that end up listed in search engine results, often for low-cost loans, credit card deals, or fake product/store pages
Learn to Identify Phishing
While there are multiple ways phishing occurs, there are common things to be on the lookout for. Training your employees on how to spot phishing is the best way to prevent your business from being breached or compromised.
· Spoofed email addresses – the actual sender's email address can be hidden behind a display name that makes the email look like it is coming from a legitimate contact or company. You will need to view the header or expand the message to see the actual sender's address instead of just the display name.
· Domain Name – by creating variations of a legitimate domain name, hackers hope that users will assume the email comes from the legitimate company. For example, instead of xyz.com, it might show as xyz.co or xyz-support.com. Always look at the spelling of the domain, and watch for any misspellings or odd names.
· Images as the email body – to confuse anti-spam software, hackers use an image as the email body: they type out the email, turn it into an image, and then use just the image in the message. If you click the image, it acts as a link. Look at the actual body of the email to ensure it is not just a dragged-and-dropped image instead of a composed email.
· Threatening emails – with online banking being so popular, an email telling you that your account is closed or that action is needed can be alarming. Hackers use these subject lines to scare people into entering credentials on a fake website. Learn to take a step back and review the email in depth before clicking on anything. You can always verify your account status by going directly to the bank or credit card app/website, without clicking anything in the email.
· Malicious Links – links can be hidden in attachments such as a Word document or PDF. Links can also be misdirected: the visible text says it goes to one page while the actual destination is a malicious site. You can hover over a link to see where the URL will really send you before clicking it.
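The three header- and link-level checks above (display name versus real sender, lookalike domain, visible link text versus real href) can be automated. The following is an added example, not code from the original article: it runs those checks over a constructed sample message that uses the article's own xyz.com / xyz.co / xyz-support.com example, using only the Python standard library.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "xyz.com"  # legitimate domain from the article's own example

# Constructed sample message: the display name borrows the trusted domain, the real
# sender is a lookalike domain, and the link's visible text differs from its href.
RAW_EMAIL = """\
From: "xyz.com Support" <alerts@xyz-support.com>
Subject: Action needed: your account will be closed
Content-Type: text/html

<p>Your account is locked.</p>
<a href="http://xyz.co/login">https://xyz.com/account</a>
"""

# Good enough for simple HTML bodies; a real mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    # xyz.co or xyz-support.com: first label starts with the trusted name, domain differs
    return domain != trusted and domain.split(".")[0].startswith(trusted.split(".")[0])

def analyse(raw, trusted=TRUSTED_DOMAIN):
    # Returns the red flags found: spoofed display name, lookalike domains, link mismatch.
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender = addr.rpartition("@")[2].lower()
    flags = []
    if trusted in name.lower() and sender != trusted:
        flags.append(f"display name claims {trusted} but real sender is {sender}")
    if is_lookalike(sender, trusted):
        flags.append(f"lookalike sender domain: {sender}")
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(body):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != actual:
            flags.append(f"link text shows {shown} but href goes to {actual}")
        if actual and is_lookalike(actual, trusted):
            flags.append(f"link target is a lookalike domain: {actual}")
    return flags
```

Running `analyse(RAW_EMAIL)` on the sample reports all four red flags; a message from the real domain whose link text matches its href reports none.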
Other Steps to Take
In addition to training your employees to look for the above, there are more ways to help prevent a successful phishing attempt. Ensure that your employees also do the following:
· Verify that you are on a secure site: look for a closed lock icon and a URL that begins with HTTPS.
· If it sounds too good to be true, it usually is – emails that offer products well below cost, urge users to act now or act fast, or otherwise work too hard to be an offer you simply can't pass up are often phishing attempts.
· Update your browser – browsers are constantly updating to address newly discovered security flaws.
· Do not click on pop-ups that you can't verify as legitimate from the website you are on, and set your browser to block pop-ups by default.
· Cyber Security Training for employees – you can sign your employees up for classes that will train them on what to look out for when it comes to phishing
· Firewalls and Anti-Virus Software – Every business owner should be using antivirus software and firewalls. Any employees working remotely should also have firewalls and anti-virus software installed and enabled.
· Cyber Liability Insurance – in the event of a breach, Cyber Liability insurance keeps the costs from all coming out of pocket. Additionally, many insurers include tools such as security training and discounted services for prevention and security.
Cybersecurity & Infrastructure Security Agency