Cyber-crime has become a billion-dollar business, but unlike the Hollywood portrayal of independent hackers with multiple screens in their basements breaking passwords and system security, attackers no longer need that level of technical competence to swindle or fool people into sending them money. Attacks are now launched by state-sponsored groups as well as ordinary criminals, and with the emergence of web-based phishing services, virtually any individual can subscribe and get access to all the tools required to launch these kinds of confidence attacks.
What is Phishing?
Phishing is a swindle. It is primarily conducted through email messages, but it can be done over the telephone too, as most of us have probably had a questionable call from someone claiming to be the IRS. Its goal is to masquerade as someone you trust and get you to send money, hand over personal or confidential information, or run something through an attachment or a link in the message, which could do anything from granting the attacker access to your account to encrypting all your data in order to extort money.
How do they try and trick me?
Phishing attacks attempt to gain your trust by claiming to be from someone you trust, such as a customer, a service provider, a bank, a friend or another sender you would normally trust. They also impart a sense of urgency or monetary gain to get you to respond quickly without taking the proper precautions.
There are several different phishing methods, each of which has been given an equally adorable name. Regular phishing attacks are typically generic in nature and target a large number of individuals. Not everyone has a “Republic Co-op” bank account, but the attackers expect that a small percentage will, and that an even smaller percentage of those will be fooled. Spear phishing is when you as an individual are specifically targeted and the attacker includes personal information about you in the email. It could be information dredged from your social media pages or from other sources, and it is there to convince you that the message must be coming from a trusted source. The latest phishing methods, particularly when trying to compromise corporate accounts, are called whale phishing (or whaling). These attacks masquerade as senior management in your firm and hope to instil a sense of urgency and a duty to respond to the requests.
How do I protect myself?
- The first way to protect yourself as an organization is to contract with a reputable and effective service provider that scans inbound email, filters out known-malicious messages, and clearly tags any message that originates outside your organization, so that a message claiming to be from a colleague but arriving from outside stands out immediately.
- The next method for protecting yourself is to always be suspicious of any communication from an unexpected source that asks for personal information or money, or asks you to click on a link, fill in a form or open an attachment.
- Always be suspicious of something that needs immediate attention.
- Check the sender address of the email. It will typically be in the format John Doe <[email protected]>. The display name (the “John Doe” part) can be set to anything by the sender, so ignore it and look at the actual email address and domain after the “@” sign to see if it is the domain you expect. Watch out for misspellings, extra words, and special or look-alike characters (a digit 1 in place of a lower-case l, for example). Likewise, hover over any link before clicking it to see where it really points.
- If you are suspicious, contact the sender through a channel you already know, but never reply to the email itself or use any contact details within it, because the attacker may have put a fake telephone number in the signature.
- Always report any suspicious emails to your internal IT or security team, and never click on links or open attachments in messages you don’t fully trust.
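The sender-address check above (and the external-mail tagging in the first bullet) can be automated. The following Python script is an added example written for this article, not code from the original page or from any mail-security product. The domains it trusts (“example.com” as your own organization, “republic-coop.example” as a bank you deal with) and the message headers it classifies are constructed for the example, and its confusables table is a deliberately small subset of Unicode’s. It parses the From: header, ignores the display name entirely, decodes punycode so hidden non-ASCII letters become visible, and compares the domain against the trusted list both for look-alike characters and for near-miss spellings; everything else is tagged as external and unknown.

```python
import email.utils
import unicodedata
from difflib import SequenceMatcher

# Constructed for this example: "example.com" stands in for your own organisation
# and "republic-coop.example" for a bank you do business with.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = {"example.com", "republic-coop.example"}

# Simplified confusables table (a small subset of Unicode TR39): Cyrillic and Greek
# letters that render identically to Latin ones in most fonts.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                   # Greek
})
# ASCII-only tricks that survive lower-casing: digit/letter swaps and letter pairs
# that read as a single letter.
ASCII_TRICKS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased, IDNA-decoded domain of the real address in a From: header.

    The display name is deliberately ignored: the sender can write anything there.
    """
    _display_name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower()
    # Punycode labels (xn--...) hide non-ASCII letters; decode them so the homoglyph
    # check below sees the characters the user would see.
    if domain.startswith("xn--") or ".xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: keep the raw form, it will not match anything trusted
    return domain


def ascii_skeleton(domain: str) -> str:
    """Fold a domain down to the plain-ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKC", domain).translate(HOMOGLYPHS)
    for fake, real in ASCII_TRICKS:
        s = s.replace(fake, real)
    return s


def classify_sender(from_header: str, typo_threshold: float = 0.85) -> str:
    """Classify a From: header as internal, known external, suspicious or unknown."""
    domain = sender_domain(from_header)
    if not domain:
        return "reject: no usable address"
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in TRUSTED_DOMAINS:
        return "external: known"
    skeleton = ascii_skeleton(domain)
    # First pass: same skeleton as a trusted domain means look-alike characters.
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton == ascii_skeleton(trusted):
            return f"suspicious: lookalike of {trusted}"
    # Second pass: nearly the same spelling means a typosquat (added/swapped letters).
    for trusted in sorted(TRUSTED_DOMAINS):
        if SequenceMatcher(None, skeleton, ascii_skeleton(trusted)).ratio() >= typo_threshold:
            return f"suspicious: typosquat of {trusted}"
    return "external: unknown"


if __name__ == "__main__":
    # Constructed sample headers; the third uses a Cyrillic "a", the fourth the same
    # domain in punycode form, the last a reassuring display name over an unrelated address.
    samples = [
        "Jane Smith <jane@example.com>",
        "Accounts <payments@repub1ic-coop.example>",
        "CEO <ceo@ex\u0430mple.com>",
        "CEO <ceo@" + "ex\u0430mple.com".encode("idna").decode("ascii") + ">",
        "Jane Smith from example.com <noreply@mail-relay.example>",
    ]
    for header in samples:
        print(f"{header!r:62} -> {classify_sender(header)}")
```

The two-pass order matters: a look-alike domain (same skeleton) is a stronger signal than a near-miss spelling, and checking it first keeps the result deterministic whatever the trusted list contains. Note what this does not do: the From: header itself can be forged outright, so a domain that passes this check is only “not obviously fake”; authenticating that the mail really came from that domain is the job of SPF, DKIM and DMARC checks at the mail gateway.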
In the end, a quick telephone call or small amount of precautionary review can save you and your organization from cyber damages.
Don’t get caught … be the one that got away!