Phishing: Don't Fall for the Bait
on Feb 27
It’s first thing Monday morning and you’re catching up on emails. You see one message coming straight from the boss. It seems legitimate - right sender name, familiar tone, and correct email signature. He makes an urgent request to download and view an attachment immediately, and so you do it without questioning. In the blink of an eye, your info is in the hands of cybercriminals, who start wreaking havoc on your business without you ever knowing.
Every day, billions of phishing emails like this one are sent to employees by cybercriminals hoping to deceive and steal from unsuspecting victims. They come in all shapes and sizes - employee e-mails, fake websites, even malicious voicemails - making it even harder for users to tell what’s real and what’s not. Phishing is dangerous, and businesses need to educate their employees on this latest cyber threat. We’ll be covering the most common types of phishing tactics targeting businesses and offering tips to prevent yourself from becoming the next victim. First, let’s start with the basics and explain why phishing is so popular.
What is Phishing?
Phishing is a cyber attack that focuses on gathering valuable information such as login info, finances, social security numbers, phone numbers, or social media accounts. What makes phishing schemes different from other cyber crimes is the targeted messaging. The cyber criminals disguise themselves as trusted entities - a real person or business - and focus on urgency and calls to action such as clicking links, replying with details, or downloading files.
Even though it’s one of the oldest types of cyber crimes, it’s still one of the most widespread and effective cyber attacks out there. It remains a major threat to most organizations because phishing campaigns are becoming more sophisticated. Cyber criminals have developed many different techniques to gather more information about their targets and create more convincing messages. Watch out for these most common techniques:
1. Spear Phishing
These are messages targeted towards a specific individual or organization. Instead of the typical spam message that blasts out to lots of people, cyber criminals research their victims to create a more convincing and personal message. This includes checking social media accounts and researching other info available online. These emails include personal information to gain the viewer’s trust.
2. Whaling
Similar to spear phishing, whaling targets its victims at higher levels within an organization. These high profile targets include company executives or important board members. These messages pretend to be from third-party organizations or another executive, asking other team members for replies or attachments.
3. Clone Phishing
This type of phishing e-mail is created to look exactly like a previously delivered e-mail. The major difference is that the attachments or links in the email are replaced with malicious ones, and the message is sent from a spoofed email address that appears to belong to the original sender.
4. Link Manipulation
This phishing technique involves creating a malicious link that appears to belong to a spoofed organization. These links might look legitimate but contain small differences such as misspelled URLs and subdomains. Some links even display text that names a reliable destination while the link itself leads to a malicious site.
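A mail filter or triage script can check for the three tricks described above. The following is an added example, not code from the original article; the domain `example-bank.com`, the sample links and the 0.85 similarity threshold are constructed assumptions.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com"}  # constructed allow-list of domains you really use

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def base(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def check_links(html):
    """Return (href, reason) findings for one HTML message body."""
    parser, findings = Links(), []
    parser.feed(html)
    for href, text in parser.found:
        host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and base(shown.group()) != base(host):
            findings.append((href, "displayed text names a different site"))
        if base(host) in TRUSTED:
            continue
        for good in TRUSTED:
            if good in host:
                findings.append((href, "trusted name embedded in a different domain"))
            elif difflib.SequenceMatcher(None, base(host), good).ratio() >= 0.85:
                findings.append((href, "misspelled look-alike of " + good))
    return findings

SAMPLE = (  # constructed message body, not from the article
    '<a href="https://examp1e-bank.com/login">Sign in</a>'
    '<a href="https://example-bank.com.portal.test/">Account</a>'
    '<a href="http://files.test/invoice">www.example-bank.com/invoice</a>'
    '<a href="https://www.example-bank.com/help">Help</a>')
```

Calling `check_links(SAMPLE)` flags the first three links and passes the fourth. The domain-in-text pattern is a heuristic, so visible text such as a file name with a dot can produce a false positive.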
5. Domain Spoofing
Just as it sounds, this phishing tactic involves hackers spoofing an organization’s domain to make their messages or sites look legitimate to viewers. For e-mails, they’ll mimic the messages to make them look like they’re coming from the organization’s domain. For websites, hackers will adopt an organization’s website design and use a similar URL to mimic a domain.
Best Practices to Prevent Phishing
While these are the most common phishing schemes, hackers have even evolved beyond e-mails to lure victims through malicious text messages and voicemails. With new technology and more sophisticated schemes, how can you prevent your organization from becoming the latest victim? While there’s no single solution to stop phishing schemes, here are some best practices any business can use to protect itself and its employees.
1. Educate Your Employees
Knowledge is the most powerful tool when it comes to cybersecurity. The more your employees know what to look for, the less likely they are to fall victim to the latest phishing scheme. Conduct regular security awareness trainings where you can highlight examples and help employees identify common indicators of phishing schemes including:
- Poorly written messages
- Unusual attachments
- Requests for personal information
- Suspicious URLs
- Messages that sound too good to be true
Hold these training sessions every three to six months, and make them mandatory for all employees.
2. Establish Two-Factor Authentication for Logins
Instead of the standard password login, organizations can add an extra layer of security with two-factor authentication. This additional security measure requires multiple pieces of info for someone to log into their account. This usually includes something you know (password), something you have (phone verification), and/or something you are (biometrics, fingerprint scans, etc.). If a hacker does retrieve your login info, the second step blocks them from easily accessing your account or personal information.
3. Use Encrypted and Secure Websites
Make sure all websites your employees visit, including your own, are secure and encrypted. These websites should use secure protocols (HTTPS) that protect the data transmitted between sites and users’ browsers.
4. Step Up Your Password Game
Passwords, if not used correctly, can ruin someone’s life. Cyber criminals can easily guess most users’ passwords based on their research and social clues. Unfortunately, people make the rookie mistake of reusing passwords across multiple accounts, creating an avalanche of identity theft throughout different areas of someone’s life. For every account, employees need to use unique passwords that aren’t reused for other accounts. It can be quite the challenge to remember each one, so that’s where password managers save the day. Password managers are easily available to save and secure unique passwords for accounts. They can also prevent users from using passwords on malicious sites.
5. Filter Incoming Emails
Organizations can use a wide range of up-to-date email and spam filters from popular email hosts such as Gmail and Microsoft Outlook to protect their employees from phishing schemes. Organizations can also establish email authentication systems such as Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) to whitelist specific domains and prevent phishing from external domains.
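SPF checks the envelope sender and DKIM checks the signing domain, so a "pass" only counters the domain spoofing described earlier when the authenticated domain matches the visible From: address. The following is an added example, not code from the original article, that reads the Authentication-Results header stamped by the receiving server; `mx.corp.test`, `corp.test` and both messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dom(value):
    """Domain part of an address or bare domain, lower-cased."""
    return value.rsplit("@", 1)[-1].lower()

def aligned(auth, shown):
    # Relaxed match: identical, or one is a subdomain of the other.
    return auth == shown or auth.endswith("." + shown) or shown.endswith("." + auth)

def assess(raw, authserv_id):
    """Return reasons the visible From: domain is unauthenticated ([] = vouched for)."""
    msg = message_from_string(raw)
    shown = dom(parseaddr(msg.get("From", ""))[1])
    # Trust only results stamped by our own receiving server; others may be forged.
    ours = [re.sub(r"\s+", " ", h) for h in msg.get_all("Authentication-Results", [])
            if h.split(";")[0].strip() == authserv_id]
    if not ours:
        return ["no Authentication-Results from " + authserv_id]
    reasons, vouched = [], False
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        m = re.search(rf"\b{method}=(\w+)(?:[^;]*?{re.escape(prop)}=([^\s;]+))?", ours[0])
        result, auth = (m.group(1).lower(), dom(m.group(2) or "")) if m else ("none", "")
        if result != "pass":
            reasons.append(f"{method}={result}")
        elif aligned(auth, shown):
            vouched = True
        else:
            reasons.append(f"{method} passed for {auth}, not {shown}")
    return [] if vouched else reasons

# Constructed messages; mx.corp.test stands in for your own mail gateway.
SPOOFED = ("Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=bounce@mailer.test;\n"
           " dkim=none\n"
           'From: "The Boss" <ceo@corp.test>\nSubject: Urgent\n\nOpen the attachment.\n')
GENUINE = ("Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=ceo@corp.test;\n"
           " dkim=pass header.d=corp.test\n"
           "From: ceo@corp.test\nSubject: Agenda\n\nSee you at 10.\n")
```

The spoofed message passes SPF for the sender's own domain yet is still reported, because nothing authenticated the `corp.test` address the reader sees.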
Stay Ahead of the Game
Phishing is constantly evolving, and businesses need to stay one step ahead in order to protect their employees and data. For more information on cybersecurity best practices and tips, please contact us at 808-237-5000 or request a FREE consultation.
Servpac is a Hawaii-based telecommunications company providing innovative and integrated data center colocation, fiber internet, local cloud, business VoIP, and managed network solutions for businesses. The company is the largest local CLEC (competitive local exchange carrier) in the state and provides 24x7x365 support for businesses to help them compete in the global marketplace.